2023-04-18

The Active Directory Recycle Bin provides an important security feature in Microsoft’s Active Directory (AD). The AD Recycle Bin stores objects (such as user accounts, groups, or computer accounts) that have been deleted, whether accidentally, by error or through malicious activity, for a specified period of time.

Without the recycle bin, administrators would have to resort to a tedious and potentially error-prone recovery procedure to recover deleted objects. The Active Directory recycle bin enables deleted objects to be restored quickly and easily.

The AD Recycle Bin is also important for meeting compliance requirements: it keeps “legitimately deleted” items for a certain amount of time before permanently removing them. This ensures that important information is not lost immediately and irreversibly, and that administrators can still access it should it be needed.

How is the Active Directory recycle bin turned on?

The easiest way to activate the Active Directory Recycle Bin is via Windows PowerShell. The required cmdlet is called “Enable-ADOptionalFeature“. The feature to be activated (the AD Recycle Bin) and the AD forest must also be passed to this command. So the command is ultimately:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <ForestName>

How to enable the AD Recycle Bin using PowerShell.

The name of your AD forest is displayed with the command “Get-ADForest | fl Name“.
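The two steps above (look up the forest name, then enable the feature) can be combined into one idempotent script. The following is an added example, not code from the original article: it reads the forest name with Get-ADForest, checks with Get-ADOptionalFeature whether the Recycle Bin is already enabled (its EnabledScopes list is empty until it is), and only then calls Enable-ADOptionalFeature. Enabling requires Enterprise Admins rights and a forest functional level of at least Windows Server 2008 R2.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin
# only if it is not already enabled in the current forest.
Import-Module ActiveDirectory

$forest = (Get-ADForest).Name

# Get-ADOptionalFeature reports where the feature is enabled; an empty
# EnabledScopes collection means it has not been turned on yet.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin Feature is already enabled in forest '$forest':"
    $feature.EnabledScopes | ForEach-Object { Write-Output "  $_" }
}
else {
    # Enable-ADOptionalFeature cannot be undone, so the confirmation prompt
    # is deliberately left on; use -Confirm:$false only in reviewed automation.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest
    Write-Output "Recycle Bin Feature enabled in forest '$forest'."
}
```

Run it from an elevated PowerShell session on a domain controller or a machine with the RSAT ActiveDirectory module; a second run reports the already-enabled scope instead of prompting again.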

Activation via the Active Directory administration center

Without PowerShell, the AD Recycle Bin can be activated via the AD administration center (Server Manager -> Tools).

AD Recycle Bin – Activation via Active Directory Management Center.

From here, click on your domain name on the left side and then select the option “Enable Recycle Bin…“. If the text is grayed out (deactivated), the recycle bin is already active.

Important: The recycle bin can only be activated. Once activated, it cannot be switched off. The confirmation query also draws attention to this fact.

Confirm AD recycle bin activation.

How long are deleted items stored?

By default, all deleted AD objects are stored in the recycle bin for 180 days before being permanently removed. However, the retention time of deleted objects in the Active Directory Recycle Bin can be adjusted using PowerShell. The following line changes the duration to 360 days (for <domain>, enter your own domain).

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<domain>" -Replace @{ "msDS-DeletedObjectLifetime" = 360 }
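Before changing the lifetime it is worth reading the value that is currently in force. The following is an added example, not code from the original article: it builds the Directory Service DN from Get-ADRootDSE (so no domain placeholder has to be filled in), reads both msDS-DeletedObjectLifetime and tombstoneLifetime, and then applies the 360-day value from the article. If msDS-DeletedObjectLifetime is not set, AD falls back to the tombstone lifetime, which is why both attributes are shown.

```powershell
# Added example (not from the original article): inspect and then set the
# deleted-object lifetime of the forest.
Import-Module ActiveDirectory

# Same object as in the article, but the configuration partition DN is
# taken from the RootDSE instead of a hand-typed DC=<domain> placeholder.
$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext

$current = Get-ADObject -Identity $dsObject `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

# msDS-DeletedObjectLifetime unset -> the tombstone lifetime applies;
# tombstoneLifetime unset -> built-in default of 60 days (forests created
# before Windows Server 2003 SP1), otherwise 180 days is written at creation.
$tombstone = if ($current.tombstoneLifetime) { $current.tombstoneLifetime } else { 60 }
$deleted   = if ($current.'msDS-DeletedObjectLifetime') { $current.'msDS-DeletedObjectLifetime' } else { $tombstone }

Write-Output "Effective deleted-object lifetime : $deleted days"
Write-Output "Effective tombstone lifetime      : $tombstone days"

$newDays = 360   # value used in the article
Set-ADObject -Identity $dsObject -Replace @{ 'msDS-DeletedObjectLifetime' = $newDays }
Write-Output "msDS-DeletedObjectLifetime set to $newDays days."
```

The new value is replicated like any other attribute of the configuration partition; objects that are already past the old lifetime are not brought back by raising it.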

Recover deleted items from Recycle Bin

It is now possible to restore deleted items via the Active Directory administration center. After activating the Active Directory Recycle Bin, you will find the subfolder “Deleted Objects“ below your domain. All objects that have been deleted within the last 180 days appear in this subfolder.

Right click on an object and you can restore it directly to the last known location. Alternatively, you can also “Restore to…“ and save the object in an organizational unit (OU) of your choice.

Restoring a deleted object from the Active Directory recycle bin.

Restore with PowerShell

Of course, restoring AD objects also works with Windows PowerShell. For example, to restore a user named “Monika Kinolta“, the following command can be entered:

Get-ADObject -Filter { displayName -eq "Kinolta Monika" } -IncludeDeletedObjects | Restore-ADObject
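The one-liner above pipes every match of the displayName filter into Restore-ADObject, so if two deleted objects share that display name, both are restored. The following is an added example, not code from the original article: it lists the deleted user objects matching the name together with their lastKnownParent (the container Restore-ADObject puts them back into by default) and restores by objectGUID only when exactly one candidate exists. The display name 'Kinolta Monika' is taken from the article; the OU in the warning text is a placeholder.

```powershell
# Added example (not from the original article): restore a deleted user
# unambiguously by objectGUID instead of by a possibly non-unique displayName.
Import-Module ActiveDirectory

$name = 'Kinolta Monika'   # display name from the article's example

# @( ) forces an array so .Count is 0, 1 or more even for a single result.
$candidates = @(Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and displayName -eq $name -and objectClass -eq 'user' } `
    -Properties displayName, lastKnownParent, whenChanged, objectGUID)

# Show what would be restored and where it would go.
$candidates | Format-Table displayName, lastKnownParent, whenChanged, objectGUID -AutoSize

switch ($candidates.Count) {
    0 {
        Write-Warning "No deleted user with displayName '$name' found in the Recycle Bin."
    }
    1 {
        $c = $candidates[0]
        # objectGUID survives deletion unchanged, so it identifies exactly this object.
        Restore-ADObject -Identity $c.objectGUID
        Write-Output "Restored '$($c.displayName)' to $($c.lastKnownParent)"
    }
    default {
        Write-Warning "Several deleted objects match '$name'; pick one by GUID, e.g.:"
        Write-Warning "Restore-ADObject -Identity <objectGUID> -TargetPath 'OU=Restored,DC=<domain>'"
    }
}
```

Restore-ADObject also accepts -TargetPath and -NewName, which correspond to the “Restore to…“ option in the administration center; if the original parent OU has itself been deleted, it must be restored first or a -TargetPath given.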

Further information from Microsoft: https://learn.microsoft.com/de-de/windows-server/identity/ad-ds/get-started/adac/advanced-ad-ds-management-using-active-directory-administrative-center--level-200-

