Setting Up the Active Directory Recycle Bin in Windows Server 2008 R2

Windows Server 2008 R2 has introduced an exciting new feature, the Active Directory Recycle Bin. When you use this feature, a deleted object is moved to a special container instead of simply being tombstoned. The tombstone period is still important, as objects reside in this special container only for the length of the tombstone period. Once the period expires, the object is permanently deleted. But until that happens, recovering a deleted object is relatively easy.

Before you can recover an item, you have to enable this feature. It is not turned on by default. Once you enable it, you can only recover items from the recycle bin that were deleted after the feature was enabled. If you enable the feature Tuesday morning, you can recover items from the recycle bin that were deleted Tuesday afternoon, but not Monday morning.

Set Up the Active Directory Recycle Bin with Windows PowerShell

The first challenge you will face is that Microsoft did not provide any sort of GUI interface for this feature. You will have to use Windows PowerShell and the Active Directory module. You don’t have to run these commands on a domain controller; I prefer and recommend using Windows 7 and Remote Server Administration Tools (RSAT), which have been configured to manage Active Directory with PowerShell.

The first step is to import the module.

PS C:\> Import-Module ActiveDirectory

The Recycle Bin is part of a concept Microsoft calls AD Optional Features. As you might expect, there is a cmdlet to use.

PS C:\> Get-ADOptionalFeature -Filter *

DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=GLOBOMANTICS,DC=local
EnabledScopes      : {}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 433466d6-458b-48e0-bdd1-4e815d6b7a5a
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

Actually, this is the only AD Optional Feature Microsoft has released. As you can see from the result, in order to use this feature, your Active Directory forest must be at the Windows 2008 R2 level.

To turn on optional features, we will use the Enable-ADOptionalFeature cmdlet. This cmdlet supports -WhatIf so you can give yourself a sanity check, which is important, because you cannot undo or disable the AD Recycle Bin. There is a Disable-ADOptionalFeature cmdlet, but the Recycle Bin feature can't be disabled (note IsDisableable : False in the output above).

To enable it, you need to specify a Scope, which for now is ForestOrConfigurationSet, and a Target. The Target is the domain where you want to use this feature.

PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -WhatIf

Figure 1 shows the result:

Figure 1: What If I Enable the Recycle Bin?

If I'm ready, I can re-run the command without -WhatIf. You'll be prompted for confirmation, but that is it. No reboot is required. If you have multiple domains, you'll need to run this command for each. Once run, the feature's EnabledScopes property, which was empty ({}) in the output above, will be populated.
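The steps above, pulled together into one pre-flight script, as an added example that is not from the original article: it verifies the forest mode and the current EnabledScopes value before doing the -WhatIf run, then the real run, then re-reads the feature. It assumes the ActiveDirectory RSAT module and that the account has rights to enable optional features; the forest name is whatever Get-ADForest returns.

```powershell
# Added example (not the article's code): pre-flight checks before enabling the
# AD Recycle Bin, a -WhatIf dry run, the real run, and a post-check.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

# 1. The feature requires Windows2008R2Forest or higher (RequiredForestMode above).
#    ADForestMode enum values increase in release order, so an integer compare works.
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 2. EnabledScopes is {} until the feature is enabled; afterwards it lists the
#    partitions the feature applies to. Enabling is one-way, so do not re-run blindly.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output 'Recycle Bin Feature is already enabled for:'
    $feature.EnabledScopes | ForEach-Object { Write-Output "  $_" }
    return
}

# 3. Dry run first: IsDisableable is False, so inspect what -WhatIf reports.
Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -WhatIf

# 4. Real run; -Confirm keeps the interactive prompt the article describes.
Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm

# 5. Re-read the feature; EnabledScopes should now be populated. Replication to
#    every domain controller still has to complete before deleted objects are protected.
(Get-ADOptionalFeature -Identity $feature).EnabledScopes
```

In a multi-domain forest, repeat step 4 with each domain as -Target, as the article notes.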

Conclusion

Once this change has replicated to all your domain controllers, you are ready to begin using it, assuming you delete some objects after this feature has been enabled. We’ll look at that next time, or if you are in a hurry or want to learn more about using PowerShell with AD, take a look at Managing Active Directory with Windows PowerShell: TFM 2nd Ed. (SAPIEN Press 2010).
