Wednesday, March 28, 2012

Recycle Bin in Active Directory - Windows Server 2008 R2

Hi All,

After so long... I started playing around again, so I thought I would share my findings with you.
Today I tried to enable the Recycle Bin in AD on Windows Server 2008 R2. This is an ultra cool new feature in Windows Server 2008 R2 and saves you from tiring NTDSUTIL AD restores.

In Windows Server 2003 and Windows Server 2008, a deleted Active Directory object was not physically removed from the database immediately. Instead, the object’s distinguished name (also known as DN) was mangled, most of the object’s non-link-valued attributes were cleared, all of the object’s link-valued attributes were physically removed, and the object was moved to a special container in the object's naming context (also known as NC), named Deleted Objects. The object, now called a tombstone, became invisible to normal directory operations. Tombstones could be reanimated anytime within the tombstone lifetime period and become live Active Directory objects again.

Windows Server 2008 R2 Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

1. PREREQUISITES:
1. All the domain controllers must be running Windows Server 2008 R2.
2. The forest and domain must be at the Windows Server 2008 R2 functional level.
(If you need to raise the level, it can be done via "Active Directory Users and Computers" for the domain and "Active Directory Domains and Trusts" for the forest.)

2. Enable Recycle Bin
The Recycle Bin in AD is DISABLED by default. It can be enabled using a PowerShell cmdlet or using LDP.exe:
===============================================================================
PS C:\Users\Administrator>
PS C:\Users\Administrator> Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=vda,DC=com' -Scope ForestOrConfigurationSet -Target 'vda.com'
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=vda,DC=com' is an irreversible action! You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=vda,DC=com' if you proceed.

Confirm
Are you sure you want to perform this action?
Performing operation "Enable" on Target "Recycle Bin Feature".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):y
PS C:\Users\Administrator>
===============================================================================
Change "vda" and "com" to whatever domain name is used in your environment. Note the warning: once enabled, the feature cannot be disabled again.

3. In Active Directory, create a user "User1" under an OU "OU1".
Make sure that "Protect object from accidental deletion" is NOT checked for both objects.
(To check, in the Active Directory Users and Computers console click View -> Advanced Features. Now right-click the object (User1 or OU1), open Properties and click the Object tab; you will see the setting there.)

4. Delete the user (User1) and the OU (OU1).

5. Check the deleted objects via PowerShell (MAKE SURE TO CHANGE THE DOMAIN NAME IN THE COMMAND ACCORDINGLY):
=============================================
PS C:\Users\Administrator> Get-ADObject -SearchBase "CN=Deleted Objects,DC=vda,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid

Name : Deleted Objects
ObjectClass : container
ObjectGuid : 2deca7ad-1fca-4389-80d4-053c86c93302

Name : User1
DEL:7e9e5ddc-efcc-432d-882d-948f1f12782f
ObjectClass : user
ObjectGuid : 7e9e5ddc-efcc-432d-882d-948f1f12782f

Name : OU1
DEL:8a24a21c-cd96-41f7-b6e0-98565721805b
ObjectClass : organizationalUnit
ObjectGuid : 8a24a21c-cd96-41f7-b6e0-98565721805b
=================================================================

6. Restore the objects via PowerShell (the OU must come back before the user, otherwise the user has no parent to be restored into):
================================================================
1. First restore OU1 through its ObjectGuid from the command above:
PS C:\Users\Administrator> Restore-ADObject -Identity 8a24a21c-cd96-41f7-b6e0-98565721805b
PS C:\Users\Administrator>
2. Then restore User1 using its ObjectGuid from the command above:
PS C:\Users\Administrator> Restore-ADObject -Identity 7e9e5ddc-efcc-432d-882d-948f1f12782f
PS C:\Users\Administrator>


Go to Active Directory Users and Computers and you will see OU1 with User1 under it, group memberships included.
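The parent-before-child ordering in step 6 is the part that is easy to get wrong when many objects were deleted. The script below is an added example, not code from the original post: it restores a tombstone and, when its former parent container is also in the Recycle Bin, restores that parent first. It assumes the Recycle Bin is enabled, the ActiveDirectory module is available and the caller has rights to reanimate objects; the function names are my own and the GUID at the bottom is the post's User1.

```powershell
# Added example (not from the original post). Restores a deleted object and,
# if its former parent is also a tombstone, restores the parent first so the
# child goes back to its original location instead of failing because the
# parent is "uninstantiated or deleted". Assumes Recycle Bin is enabled.
Import-Module ActiveDirectory

function Test-ADDnExists {
    # Get-ADObject -Identity throws a terminating error for a missing object,
    # which -ErrorAction does not silence, so test existence with try/catch.
    param([Parameter(Mandatory)][string]$Dn)
    try { [void](Get-ADObject -Identity $Dn); $true } catch { $false }
}

function Find-ADTombstoneByOriginalDn {
    # A tombstone keeps its original RDN in msDS-LastKnownRDN and its original
    # container in LastKnownParent; joining them rebuilds the pre-deletion DN.
    param([Parameter(Mandatory)][string]$OriginalDn)
    $base = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $base -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties isDeleted, LastKnownParent, 'msDS-LastKnownRDN', whenChanged |
      Where-Object { "$($_.'msDS-LastKnownRDN'),$($_.LastKnownParent)" -eq $OriginalDn } |
      Sort-Object whenChanged -Descending | Select-Object -First 1   # newest one wins
}

function Restore-ADObjectWithParent {
    param([Parameter(Mandatory)][guid]$ObjectGuid, [switch]$WhatIf)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
               -Properties isDeleted, LastKnownParent, 'msDS-LastKnownRDN'
    if (-not $obj.isDeleted) { Write-Warning "$($obj.Name) is not deleted; skipping."; return }
    $parentDn = $obj.LastKnownParent
    $parent   = $null
    if ($parentDn -match '\\0ADEL:([0-9a-fA-F-]{36})') {
        # Parent was deleted before the child: LastKnownParent already holds the
        # parent's mangled DN, which carries the parent's GUID.
        $parent = Get-ADObject -Identity $Matches[1] -IncludeDeletedObjects -Properties isDeleted
    } elseif (-not (Test-ADDnExists $parentDn)) {
        # Child was deleted first (as in the post): LastKnownParent is the clean DN
        # of a container that is no longer live, so look for its tombstone.
        $parent = Find-ADTombstoneByOriginalDn $parentDn
        if (-not $parent) { throw "Parent $parentDn is gone and not in the Recycle Bin; restore with -TargetPath instead." }
    }
    if ($parent -and $parent.isDeleted) {
        Restore-ADObjectWithParent -ObjectGuid $parent.ObjectGuid -WhatIf:$WhatIf
    }
    Write-Host "Restoring $($obj.'msDS-LastKnownRDN') into $parentDn"
    Restore-ADObject -Identity $ObjectGuid -WhatIf:$WhatIf
}
# Dry run first; drop -WhatIf to actually reanimate User1 (and OU1 before it).
Restore-ADObjectWithParent -ObjectGuid '7e9e5ddc-efcc-432d-882d-948f1f12782f' -WhatIf
```

If an OU with the same original DN was deleted and recreated more than once, the lookup picks the most recently changed tombstone; check the whenChanged value before dropping -WhatIf.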

Hope you enjoyed going through this feature.

Thanks for reading.
