
Active Directory Recycle Bin can save a Windows Server admin's day

Windows Server 2008's upcoming R2 release has a Recycle Bin for protecting Active Directory objects. IT pro Rick Vanover tells you how to enable this feature.

When Windows Server 2008 R2 becomes available, the Active Directory Recycle Bin feature may make many administrators' lives easier. The base release of Windows Server 2008 comes with a nice safeguard for organizational unit deletion, and now with R2, there is additional protection functionality.

The Recycle Bin feature allows objects to be restored via the Active Directory PowerShell environment. For the beta release, this functionality is turned off by default, so the first step is to enable the feature. Figure A shows this step.

Figure A

Once this is complete, you can view the contents of the Active Directory Recycle Bin. This special location exists as a container that holds the objects as they are deleted.

In my first looks at Windows Server 2008 R2 beta, I set up a test domain running at that function level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

Figure B

Notice that some fields were cut off in the display, notably the full GUID (which is needed for the restore). To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects | Format-Table ObjectGUID, Name -AutoSize

The full GUID is then displayed and can be copied straight into the restore command. From the list above, to restore the single user named test, run:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory.
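The three steps above (enable the feature, list deleted objects with their full GUID, restore by GUID), written out as one PowerShell script. This is an added example, not code from the article or from Microsoft; it uses the RTM cmdlet names of the ActiveDirectory module (Enable-ADOptionalFeature, Get-ADObject, Restore-ADObject), which differ from the beta screenshots. The forest name dev.tld and the user GUID are the article's; Restore-ADDeletedSubtree is this example's own helper, not a built-in cmdlet, and covers the case a commenter below raises, a deleted OU that took its accounts with it.

```powershell
# Added example (not from the article): enable the AD Recycle Bin, list what is
# in the Deleted Objects container with the full GUID, and restore by GUID.
# Assumes the RTM ActiveDirectory module; dev.tld and the GUID are the article's.
Import-Module ActiveDirectory

$forest = 'dev.tld'

# 1. Enable the optional feature forest-wide. This requires forest functional
#    level Windows Server 2008 R2 and cannot be undone once enabled.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false

# 2. List deleted objects with the full GUID (what Restore-ADObject needs) and
#    the container each lived in, so the right object is picked before restoring.
$domainDN         = (Get-ADDomain -Identity $forest).DistinguishedName
$deletedObjectsDN = "CN=Deleted Objects,$domainDN"

Get-ADObject -SearchBase $deletedObjectsDN -LDAPFilter '(isDeleted=TRUE)' `
    -IncludeDeletedObjects -Properties LastKnownParent, WhenChanged |
    Sort-Object WhenChanged -Descending |
    Format-Table ObjectGUID, Name, ObjectClass, LastKnownParent, WhenChanged -AutoSize

# 3. Restore a single object by GUID (the user "test" from the article's listing).
#    A Recycle Bin restore brings the object back with its SID and its group
#    memberships intact, so the account regains whatever access it had.
Restore-ADObject -Identity '6ff46162-15c2-4d42-8e15-2fcac5c8422e'

# Restoring a deleted OU and its contents. Restore-ADObject puts an object back
# under its LastKnownParent, which must already exist, so the OU has to be
# restored before the accounts that were inside it. Children of a deleted
# container record the container's deleted-state DN as LastKnownParent, so that
# DN is captured before the parent is restored and used to find the children.
function Restore-ADDeletedSubtree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$DeletedObjectsDN = $deletedObjectsDN
    )
    $obj      = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects
    $formerDN = $obj.DistinguishedName   # e.g. OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...

    Restore-ADObject -Identity $ObjectGuid
    Write-Verbose "Restored $($obj.Name) ($ObjectGuid)"

    # Restore everything that lived directly under it, depth-first, so nested
    # OUs are back in place before their own members are restored.
    Get-ADObject -SearchBase $DeletedObjectsDN -LDAPFilter '(isDeleted=TRUE)' `
        -IncludeDeletedObjects -Properties LastKnownParent |
        Where-Object { $_.LastKnownParent -eq $formerDN } |
        ForEach-Object {
            Restore-ADDeletedSubtree -ObjectGuid $_.ObjectGUID -DeletedObjectsDN $DeletedObjectsDN
        }
}

# Usage, with a constructed placeholder GUID for the deleted OU:
# Restore-ADDeletedSubtree -ObjectGuid '00000000-0000-0000-0000-000000000000' -Verbose
```

Run the listing step before the restore and record the ObjectGUID and LastKnownParent of what you intend to bring back; a restore is an identity change that re-grants the object's former group memberships, so it is worth checking those against what the account should have today.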

This will be a very desirable feature for the Windows Server administrator, so be sure to take a look at the R2 beta. The Windows Server 2008 R2 Reviewers Guide has more information on the Recycle Bin feature and the other features of R2.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

12 comments

DSotnikov

Free GUIs for AD Recycle Bin have started to appear out there. For example, check out this screencast demo of the PowerGUI-based one recently created by Kirk Munro.

john

This doesn't work for workstation desktop redirects, does it? I saw the article and thought, "cool, a domain recycle bin", but no, it is just for AD objects, not user data. That would be really useful. For example, I have the desktops of domain users redirected to a share on the server. For me it is \\imc777\userdata\johnhill\Desktop. When I delete something on my desktop it is gone forever. A TRUE domain recycle bin would be very cool.

Mr.Newman

If it works properly I think it's a great tool. So many times administrators make mistakes deleting the wrong user names (same name, different surname, etc.); it will really make life easy for admins.

pburgess

How is this different than restoring from a Windows 2003 tombstoned object? I've only done that operation twice, but it seems very similar.

Justin James

Last year, at the "Heroes Happen Here" event, I talked to the presenter when he showed the "prevent stuff from being deleted" thing in AD that they added. I asked why they did that, instead of simply providing a "recycling bin". He said that in their testing, many system administrators *couldn't figure out the recycling bin*! I have to wonder what kind of chowder heads are running servers but don't "get" a "recycling bin", especially since Windows has had one for nearly 15 years now. J.Ja

b4real

It would be nice if data (especially DFS shares) as well as AD objects are protected. Heck, even throw in protection for deleted or revision tracking for Group Policy Objects!

networkninja

Have you looked into Volume Shadow Copy for that?

issy_3

Can't wait to test this option in a test environment, because I made a mistake one time deleting an OU and had to recreate all the accounts because I didn't want to do an authoritative restore.

cbader

That's why you don't delete anything from AD; you just disable the account and move it to an OU or container for disabled objects.

Mr.Newman

You can't disable everything, like OU or groups.
