Introducing Active Directory Recycle Bin
Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
In Windows Server 2008 Active Directory domains, you could recover accidentally deleted objects from backups of AD DS taken by Windows Server Backup, or you could recover them through tombstone reanimation. The drawback of the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM), during which the domain controller being restored had to remain offline. The problem with tombstone reanimation was that a reanimated object's link-valued attributes (for example, group memberships of user accounts) had been physically removed and its non-link-valued attributes had been cleared, so neither was recovered.
Windows Server 2008 R2 Active Directory Recycle Bin enhances your ability to preserve and recover accidentally deleted Active Directory objects by preserving all link-valued and non-link-valued attributes of the deleted Active Directory objects. With the Active Directory Recycle Bin enabled, the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion.
There are a couple of special considerations:
1. By default, Active Directory Recycle Bin is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2. This in turn requires that all domain controllers in the forest or all servers that host instances of AD LDS configuration sets be running Windows Server 2008 R2.
2. In Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
For further information, such as the Active Directory Recycle Bin scenario overview and the detailed steps for recovering one or more deleted objects (using ldp.exe or the Active Directory PowerShell snap-in), see What's New in AD DS: Active Directory Recycle Bin (https://go.microsoft.com/fwlink/?LinkId=141392) and Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133971).
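The prerequisite check, the enablement step and a single-object recovery described above, as an added PowerShell example (not from the original post or the linked guides). It assumes the Active Directory module from RSAT, Enterprise Admin rights, and a placeholder user named jdoe.

```powershell
# Added example (not from the original post): check the prerequisite, enable the
# Recycle Bin, then restore a deleted user with the Active Directory PowerShell module.
# Assumptions: 'jdoe' is a placeholder user; run with Enterprise Admin rights.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Prerequisite: forest functional level must be Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    # Raising the level is one-way and needs every DC on 2008 R2; -Confirm prompts first.
    Set-ADForestMode -Identity $forest -ForestMode $required -Confirm:$true
}

# 2. Enable the Recycle Bin only if it is not already enabled (this too is irreversible).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$true
}

# 3. Find the deleted user. Deleted objects sit under CN=Deleted Objects and are hidden
#    unless -IncludeDeletedObjects is given; sAMAccountName survives deletion.
$deleted = Get-ADObject -Filter 'sAMAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN
if (-not $deleted) { throw 'No deleted object named jdoe found.' }

# 4. If the parent OU was deleted as well, restore it first or Restore-ADObject fails.
#    This handles one level; for a deleted tree, restore each parent top-down.
if ($deleted.lastKnownParent -like '*CN=Deleted Objects,*') {
    Get-ADObject -Identity $deleted.lastKnownParent -IncludeDeletedObjects | Restore-ADObject
}

# 5. Restore, then confirm link-valued attributes (group memberships) came back intact.
Restore-ADObject -Identity $deleted.ObjectGUID
Get-ADUser -Identity 'jdoe' -Properties memberOf | Select-Object -ExpandProperty memberOf
```

Steps 1 and 2 prompt for confirmation because both changes cannot be undone; step 5's membership listing is the check that distinguishes a Recycle Bin restore from tombstone reanimation.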
This posting is provided "AS IS" with no warranties, and confers no rights.
Comments
Anonymous
January 01, 2003
The feature discussed above is a great tool in the active directory. Some third party software can also do the same. Lepide ADMR can recover the deleted objects and OU's with ease. This software has been developed to manage AD objects including users, user properties, general attributes, and other non user objects conveniently without any scope of error. The product can be seen on: www.lepide.com/active-directory-management-and-reporting.html From: http://www.lepide.com/
Anonymous
January 01, 2003
We've created a free tool to make it easier to restore deleted objects from Active Directory. http://www.overall.ca/ADRecycleBin Hope you enjoy it.
Anonymous
January 01, 2003
I would highly recommend to check out this screencast demo (http://powergui.org/shares/powergui/sbin/docs/Advanced_Reporting_PowerPack/Advanced_Reporting_PowerPack.html) of the PowerGUI-based Recycle Bin UI recently created by Kirk Munro (http://poshoholic.com/2009/08/18/recover-deleted-active-directory-objects-with-the-ad-recycle-bin-powerpack/).
Anonymous
January 01, 2003
Active Directory Recycle Bin is a great feature of Windows Server 2008. Alternatively, all accidentally deleted objects (even down to the attribute level) can be restored with Active Administrator. It recovers Active Directory objects as well as object passwords, group policies and object security. http://www.scriptlogic.com/products/activeadmin