Setting Up the Active Directory Recycle Bin in Windows Server 2008 R2

Windows Server 2008 R2 introduced a welcome new feature, the Active Directory Recycle Bin. With it enabled, a deleted object keeps its attributes (including link-valued attributes such as group membership) and is held in the Deleted Objects container instead of being immediately stripped down to a tombstone. The tombstone period still matters: a deleted object stays recoverable only for the deleted object lifetime, which by default equals the tombstone lifetime. Once that period expires the object is recycled and then garbage-collected, and it is gone for good. But until that happens, recovering a deleted object is relatively easy.

Before you can recover an item, you have to enable this feature; it is not turned on by default. Once it is enabled, you can only recover items that were deleted after the feature was enabled. If you enable the feature on Tuesday morning, you can recover items deleted Tuesday afternoon, but not Monday morning.

Set Up the Active Directory Recycle Bin with Windows PowerShell

The first challenge you will face is that Microsoft did not provide a GUI for this feature in Windows Server 2008 R2. You will have to use Windows PowerShell and the Active Directory module. You don't have to run these commands on a domain controller; I prefer and recommend using Windows 7 with the Remote Server Administration Tools (RSAT), configured to manage Active Directory with PowerShell.

The first step is to import the module.

PS C:\> Import-Module ActiveDirectory

The Recycle Bin is part of a concept Microsoft calls AD Optional Features. As you might expect, there is a cmdlet to use.

PS C:\> Get-ADOptionalFeature -Filter *

DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=GLOBOMANTICS,DC=local
EnabledScopes      : {}
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope       : {ForestOrConfigurationSet}
IsDisableable      : False
Name               : Recycle Bin Feature
ObjectClass        : msDS-OptionalFeature
ObjectGUID         : 433466d6-458b-48e0-bdd1-4e815d6b7a5a
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

As of Windows Server 2008 R2, this is the only AD Optional Feature Microsoft has released. As the RequiredForestMode value shows, your forest functional level must be Windows Server 2008 R2 before you can enable it, which in turn means every domain controller in the forest must already be running Windows Server 2008 R2.

To turn on an optional feature, use the Enable-ADOptionalFeature cmdlet. It supports -WhatIf, so give yourself a sanity check first: this is a one-way change. A Disable-ADOptionalFeature cmdlet exists, but IsDisableable is False for the Recycle Bin, so once it is on it stays on.

To enable it, you need to specify a Scope, which for now is ForestOrConfigurationSet, and a Target. Because the scope is the forest, the target is the forest itself (its DNS name), not an individual domain.

PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -WhatIf

Figure 1 shows the result.

Figure 1: What If I Enable the Recycle Bin?

If I'm ready, I re-run the command without -WhatIf. You'll be prompted for confirmation, but that is it; no reboot is required. The feature is forest-wide, so you run the command once per forest, not once per domain. Afterwards, Get-ADOptionalFeature shows the EnabledScopes property populated instead of empty.

Once this change has replicated to all your domain controllers, you are ready to begin using it, assuming you delete some objects after this feature has been enabled. We’ll look at that next time, or if you are in a hurry or want to learn more about using PowerShell with AD, take a look at Managing Active Directory with Windows PowerShell: TFM 2nd Ed. (SAPIEN Press 2010).
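The following script is an added example and is not code from the original article. It ties the steps above together: it checks the forest functional level against the RequiredForestMode the feature object reports, runs the enable with -WhatIf and then for real, asks every domain controller in the forest whether it has received the change yet (the replication caveat above), and reads the two lifetimes that decide how long a deleted object stays recoverable. It assumes the RSAT ActiveDirectory module, an Enterprise Admin account, and uses 'globomantics.local' as a placeholder forest name.

```powershell
<#
  Added example, not code from the original article: enable the Recycle Bin
  once per forest, confirm the change on every DC, and report the lifetimes
  that bound how long a deleted object stays recoverable.
  Assumptions: the RSAT ActiveDirectory module is installed, the caller is an
  Enterprise Admin, and 'globomantics.local' is a placeholder forest name.
#>
param(
    [string]$Forest = 'globomantics.local'
)

Import-Module ActiveDirectory

$adForest = Get-ADForest -Identity $Forest
$dnm      = $adForest.DomainNamingMaster   # writable owner of the Configuration partition
$feature  = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm

# 1. Preflight: the feature object carries its own minimum forest functional level.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]$feature.RequiredForestMode
if ([int]$adForest.ForestMode -lt [int]$required) {
    throw "Forest '$Forest' is at $($adForest.ForestMode); $required is required. Raise the forest functional level first."
}

# 2. Enable once per forest. IsDisableable is False, so check EnabledScopes before acting.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in $Forest (scopes: $($feature.EnabledScopes -join '; '))"
}
else {
    $enableParams = @{
        Identity = $feature
        Scope    = 'ForestOrConfigurationSet'
        Target   = $Forest
        Server   = $dnm
    }
    Enable-ADOptionalFeature @enableParams -WhatIf          # dry run: shows what would change
    Enable-ADOptionalFeature @enableParams -Confirm:$false  # one-way change; suppress the prompt
}

# 3. The write lands in the Configuration partition and must replicate before every DC
#    treats deletions as recoverable. Ask each DC directly rather than trusting one view.
$status = foreach ($domain in $adForest.Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
        $f = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc.HostName
        New-Object PSObject -Property @{
            DC      = $dc.HostName
            Enabled = ($f.EnabledScopes.Count -gt 0)
        }
    }
}
$status | Select-Object DC, Enabled | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Enabled }) {
    Write-Warning 'Some DCs have not received the change yet; wait for replication before relying on the Recycle Bin.'
}

# 4. How long is a deleted object recoverable? Both values live on the Directory Service object.
#    When unset, tombstoneLifetime is treated as 60 days (forests created with Windows Server 2003 SP1
#    or later set it explicitly to 180), and msDS-DeletedObjectLifetime defaults to tombstoneLifetime.
$cfgNC = (Get-ADRootDSE -Server $dnm).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                      -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' -Server $dnm
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
$dol = if ($dsObj.'msDS-DeletedObjectLifetime') { $dsObj.'msDS-DeletedObjectLifetime' } else { $tsl }
Write-Host "tombstoneLifetime = $tsl days; a deleted object stays recoverable for $dol days after deletion."
```

Targeting the Domain Naming Master with -Server keeps the read and the write on the same DC, so the EnabledScopes check in step 2 reflects what you just changed rather than a replica that has not caught up. Step 3 is the part worth keeping around: until every DC reports Enabled = True, an object deleted on a lagging DC is still handled the old way.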
