xOne of the fantastic features provided in Server 2008 R2 is the new Recycle Bin for Active Directory.

I recognize that nobody here is going to intentionally mess up their own Active Directory.  But problems can happen.   A Junior technician misheard the phrase “Disable” with “Delete”, a malicious Administrator leaving the company, dumb luck.  Any number of problems can occur and this feature will save the day.

There are a few caveats to using this

1) You must have the Domain functional level in Server 2008 R2 mode.

2) You must enable the feature by using LDP.EXE or Powershell.  The Powershell is the preferred method.  MUCH easier on the eyes :)

3) It is managed and used 100% by Powershell.  There is no GUI version presently.  But it’s Powershell.  WHY DO WANT A GUI? ;)

3) Once enabled, you cannot disable it.  This is a one way trip folks

4) The enabled Recycle Bin has a 180 day retention policy. (6 months to catch the error of somebody’s ways)

That’s it.

Using it is a breeze.

In Server 2008 R2, Select the NEW Active Directory Powershell under Administrative Tools.

Type in the new command

GET-ADOPTIONALFEATURE –filter {name –like “*”}

You will be presented with a screen showing you

FeatureScope       : {Forest}
Name               : Recycle Bin Feature
RequiredForestMode : Windows2008R2Forest
IsDisableable      : False
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e
ObjectClass        : msDS-OptionalFeature
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
EnabledScopes      :
RequiredDomainMode :
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

Looking at the information above, there are no enabled scopes which confirms that the AD Recycle Bin is presently disabled.

So to make all this useful, I guess we should turn it on.  So in the same Powershell Window key in this command

ENABLE-ADOPTIONALFEATURE ‘Recycle Bin Feature’ –scope forest –target ‘domainfqdn’

In my case my domain is ENERGIZED and part of the real internet domain ENERGIZEDTECH.COM

ENABLE-ADOPTIONALFEATURE ‘Recycle Bin Feature’ –scope forest –target ‘energized.energizedtech.com’

But you might have a simpler setup.  You might have a domain called CONTOSO and it’s root is inside called CONTOSO.COM’

ENABLE-ADOPTIONALFEATURE ‘Recycle Bin Feature’ –scope forest –target ‘contoso.com’

(Of course in your case, you would substitute the FQDN of YOUR Active Directory Parent domain)

You will get a prompt warning you that it will make the change.   Choose “Yes” if you wish to enable this feature or CTRL-C to abort.

Once you’re done, it’s active.  To confirm, run the

GET-ADOPTIONALFEATURE –filter {name –like “*”}

And you’ll get a similar response but note

FeatureScope       : {Forest}
Name               : Recycle Bin Feature
RequiredForestMode : Windows2008R2Forest
IsDisableable      : False
ObjectGUID         : 0599c1a6-6f8f-42d4-b9a0-ab2791d4719e
ObjectClass        : msDS-OptionalFeature
FeatureGUID        : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
EnabledScopes      : {CN=Partitions,CN=Configuration,DC=energized,DC=energizedtech,DC=com}
RequiredDomainMode :
DistinguishedName  : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=energized,DC=energizedtech,DC=com

You’ll see the “Enabled Scopes” is now covering my domain.

Now that the feature is enabled, the fun begins.

Let’s play a little game called “pretend”. 

Pretend you hired a Network Administrator who claimed to understand how to work with Active Directory.    Pretend he didn’t and deleted the Administrator account and a few computers called “PRESIDENT” and “CIO”.

So you fired him.   Now in the old world, it would be, break out the backup tape.  Restore the Active Directory, hope you got it all right.  Schedule downtime as well.

A real headache.

But not anymore

New land.  Active Directory Recycle Bin.  You’ve one command to save everybody’s bacon.

In Powershell V2 on Server 2008 R2 you get this beautiful command

GET-ADOBJECT –filter {name –like “missingitem*”} –includedeletedobjects | RESTORE-ADOBJECT

That’s it.  Nothing harder than that.

So to make yourself look like “Superman” or your Hero of choice, if we had to restore those objects on the fly, no downtime, no interruption, and that Network Administrator fired and out the door. You would type

GET-ADOBJECT –filter {name –like “Administrator”} –includedeletedobjects | RESTORE-ADOBJECT

GET-ADOBJECT –filter {name –like “PRESIDENT”} –includedeletedobjects | RESTORE-ADOBJECT

GET-ADOBJECT –filter {name –like “CIO”} –includedeletedobjects | RESTORE-ADOBJECT

There.  Was that so hard?  The great thing, is as long as it’s an object in Active Directory, it’s protected by this new feature for 180 days

Now please note, this just does restore the object.  It’s restores the object, its security, its trusts!

Now if you’re curious about Server 2008 R2, It’s in Beta.  And you can download it to try it out.  Don’t put it in your production environment. It is after all Beta but it’s an amazing piece of software.  And if you’re interested the PSR.EXE (Problem Step Recorder) module is ALSO in Server 2008 R2! So if you’re writing an article about Server 2008 R2 Beta, you can actually record what you did (or better yet, you can use it when documenting what you did to install particular pieces of software on the server)

If you’d like to learn more about the Active Directory Recycle Bin, Check out these great resources on Technet.com

Active Directory Recycle Bin - Instructional Video on Technet Edge

Active Directory Recycle Bin Step-by-Step Guide

Sean
The Energized Tech