Active Directory Fundamentals

Active Directory Recycle Bin 

What is Active Directory Recycle Bin? 

The Active Directory Recycle Bin feature allows administrators to restore deleted AD objects. In Active Directory, objects such as users, computers, groups, or organizational units may be unintentionally removed. Administrators may find it difficult to correct such mistakes. Therefore, for administrators to easily retrieve deleted objects, Microsoft launched an Active Directory Recycle Bin, which is quite similar to the Windows Recycle Bin. The AD Recycle Bin facilitates the recovery of deleted items as well as their properties and allows services to continue operating while the restoration is being done, without the need for backup restoration, restarting Active Directory Domain Services, or rebooting domain controllers.

The following prerequisites must be met in order to use the Active Directory Recycle Bin feature:

  • Windows Server 2008 R2 or above is required for all domain controllers in an Active Directory forest.
  • The Active Directory forest’s functional level must be upgraded to at least Windows Server 2008 R2.

How does the Active Directory Recycle Bin work? 

When an AD object is removed in a domain where the AD Recycle Bin is enabled, it is first stored in the Deleted Objects container with all of its attributes for the deleted object lifetime period. The object can be restored with all of its attributes intact during this period. When an object's deleted object lifetime expires, it moves to the recycled object state, in which most of its properties (other than Object-GUID, Object-SID, Object-Dist-Name and USN) are erased, and the object is subsequently removed from the database. The deleted object lifetime is controlled by the msDS-DeletedObjectLifetime attribute. If no value is specified for that attribute, the deleted object lifetime is set to the tombstone lifetime. The deleted object lifetime defaults to 60 days if the tombstoneLifetime attribute is also not specified.
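The fallback chain above (msDS-DeletedObjectLifetime, then tombstoneLifetime, then 60 days) is easy to get wrong when judging how long you have to recover an object. The following script is an added example, not part of the original article, that reads both attributes from the Directory Service object in the Configuration partition and reports the effective retention. It assumes the ActiveDirectory PowerShell module is installed and that the caller can read the Configuration partition.

```powershell
# Added example: report the effective deleted-object retention for this forest.
# Applies the fallback rules described above:
#   msDS-DeletedObjectLifetime -> tombstoneLifetime -> 60 days
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

$tombstoneLifetime     = $dsObject.tombstoneLifetime
$deletedObjectLifetime = $dsObject.'msDS-DeletedObjectLifetime'

# tombstoneLifetime falls back to 60 days when the attribute is not set
$effectiveTombstone = if ($null -eq $tombstoneLifetime) { 60 } else { [int]$tombstoneLifetime }

# the deleted object lifetime falls back to the (effective) tombstone lifetime
$effectiveDeleted = if ($null -eq $deletedObjectLifetime) { $effectiveTombstone } else { [int]$deletedObjectLifetime }

[pscustomobject]@{
    TombstoneLifetimeDays     = $effectiveTombstone
    DeletedObjectLifetimeDays = $effectiveDeleted
    TombstoneAttributeSet     = ($null -ne $tombstoneLifetime)
    DeletedObjectAttributeSet = ($null -ne $deletedObjectLifetime)
}
```

The two boolean fields tell you whether the values in effect come from an explicit setting or from the defaults, which is what you need to know before deciding whether the retention window is long enough for your recovery process.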

How to enable the Active Directory Recycle Bin? 

The AD Recycle Bin is not enabled by default, and you must enable it manually to use this feature. Note that enabling the Active Directory Recycle Bin is irreversible. You can enable it using the Active Directory Administrative Center or PowerShell. Follow the steps below to enable the Active Directory Recycle Bin in your domain:

  1. Using ADAC:
  • Go to Active Directory Administrative Center (ADAC).
  • Right-click your domain and select the Enable Recycle Bin option.
  • In the confirmation window, click OK.
  • Click OK again in the refresh warning that appears, and then reload ADAC by clicking the Refresh button in the upper right corner of the window.
  • The Active Directory Recycle Bin feature is now activated for the domain.

Note: To check whether the Recycle Bin is enabled, look for a new container called Deleted Objects in the domain.

  2. Using PowerShell:
  • Open PowerShell on the primary domain controller.
  • Use the following commands to enable the AD Recycle Bin:

# DC=domain is a placeholder for your forest's configuration partition suffix;
# <yourdomainname> is a placeholder for the forest root domain name
Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain" -Scope ForestOrConfigurationSet -Target "<yourdomainname>"
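Because enabling the feature cannot be undone, it is worth checking the prerequisites and the current state before running the command. The script below is an added example, not from the original article: it verifies the forest functional level, checks whether the Recycle Bin is already enabled, and only then enables it with a confirmation prompt. It assumes the ActiveDirectory module and Enterprise Admins rights in the forest.

```powershell
# Added example: guarded, repeatable enablement of the AD Recycle Bin.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$configNC  = (Get-ADRootDSE).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Prerequisite: forest functional level of Windows Server 2008 R2 or higher
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); at least $required is required."
}

$feature = Get-ADOptionalFeature -Identity $featureDN

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled in: $($feature.EnabledScopes -join ', ')"
}
else {
    # -Confirm prompts before the irreversible change; add -WhatIf to preview first
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm

    # Verify by re-reading the feature: EnabledScopes should now list the
    # partition(s) in which the feature is active
    (Get-ADOptionalFeature -Identity $featureDN).EnabledScopes
}
```

Re-reading EnabledScopes is a more reliable check than looking for the Deleted Objects container, since that container exists in every partition whether or not the feature is enabled; ADAC only exposes it once the feature is on.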

 What happens if the Active Directory Recycle Bin is not enabled? 

When an Active Directory object is deleted in a domain that does not have the AD Recycle Bin enabled, the majority of its properties are erased, and the object (called a tombstone) is stored in the partition's Deleted Objects container for the period specified by the domain's tombstone lifetime. Although the object is potentially recoverable at this point, its lost properties are irrecoverable. The object is removed from the database when the tombstone lifetime is reached. The tombstone lifetime is defined by the tombstoneLifetime attribute. If the tombstoneLifetime attribute is not set, it defaults to 60 days. The shortest period that can be specified is two days.

 How to recover objects with Active Directory Recycle Bin? 

Follow the instructions below to restore deleted objects from the AD Recycle Bin. Note that objects can be restored successfully only if their deleted object lifetime has not expired and the AD Recycle Bin is enabled.

  1. Using ADAC:
  • Open ADAC and go to the deleted objects container, which contains all deleted Active Directory objects in the domain.
  • Click on the object to be recovered.
  • Click the Restore button on the right-hand Tasks menu, and the object is now restored to its original OU.
  2. Using PowerShell:
  • Open PowerShell and make sure the Active Directory module is installed.
  • To find a deleted object, execute the following command:

Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

  • The names of the deleted objects can be found in the “Distinguished Name” list.
  • Run the command listed below to restore the deleted object:

Get-ADObject -Filter { displayName -eq "nameofdeletedobject" } -IncludeDeletedObjects | Restore-ADObject
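Restoring by display name works when the name is unique, but several deleted objects can share one, and Restore-ADObject fails when the object's last known parent OU has itself been deleted. The following added example, not part of the original article, lists deleted objects with the details an administrator needs, selects the target by its last known RDN, restores a deleted parent OU first if necessary, and then restores the object by ObjectGUID. It assumes the ActiveDirectory module; the RDN "jdoe" is a placeholder.

```powershell
# Added example: inventory deleted objects and restore one by GUID,
# handling the case where the parent OU was deleted as well.
Import-Module ActiveDirectory

# 1. Inventory: every deleted (not yet recycled) object, newest first.
#    The Deleted Objects container itself is flagged isDeleted, so it is excluded.
Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } -IncludeDeletedObjects `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged, objectClass |
    Sort-Object whenChanged -Descending |
    Select-Object @{ n = 'Name'; e = { $_.'msDS-LastKnownRDN' } }, objectClass, lastKnownParent, whenChanged, ObjectGUID |
    Format-Table -AutoSize

# 2. Select the object to restore by its last known RDN (placeholder value)
$target = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=jdoe))" -IncludeDeletedObjects `
    -Properties lastKnownParent
if (-not $target) { throw "No deleted object with that RDN was found." }
if (@($target).Count -gt 1) { throw "More than one deleted object matches; pick one by ObjectGUID." }

# 3. A deleted container's DN carries the '\0ADEL:<guid>' marker. If the parent OU
#    is deleted too, restore it first, otherwise Restore-ADObject has nowhere to put the object.
if ($target.lastKnownParent -match '\\0ADEL:') {
    $parentGuid = [regex]::Match($target.lastKnownParent, '0ADEL:([0-9a-fA-F-]{36})').Groups[1].Value
    Restore-ADObject -Identity $parentGuid
}

# 4. Restore the object by GUID to its original location
Restore-ADObject -Identity $target.ObjectGUID
```

If the original OU should not be recreated, Restore-ADObject also accepts -TargetPath to place the restored object under a different container instead of restoring the parent first.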

 What are the best practices for using an AD Recycle Bin? 

  • Enable Active Directory Domain Services auditing to track and understand changes made to Active Directory objects.
  • Do not reduce the lifetime of deleted objects to save storage space in your AD database. The longer you keep deleted objects, the better the recovery.
  • Back up your System State on a regular basis, since the AD Recycle Bin will not help you restore deleted contents of SYSVOL or fix issues caused by faulty PowerShell scripts.
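The first best practice, auditing, is what tells you that a deletion happened at all while the deleted object lifetime is still running. The script below is an added example, not part of the original article: it enables success auditing for the Directory Service Changes subcategory on a domain controller and summarises the object deletion events (Security event ID 5141) from the last day, showing who deleted what. It assumes it is run on a domain controller with rights to change audit policy and read the Security log; objects also need an audit SACL for the events to be generated.

```powershell
# Added example: surface AD object deletions from the Security log on a DC.
# Enable success auditing for Directory Service Changes (subcategory level).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

$since = (Get-Date).AddDays(-1)

# Event 5141: "A directory service object was deleted"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Actor      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN   = $data['ObjectDN']
            Class      = $data['ObjectClass']
            TreeDelete = $data['TreeDelete']   # TRUE when a whole subtree (e.g. an OU) was removed
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A TreeDelete of TRUE is the case worth alerting on: a subtree deletion removes the parent OU along with its children, which is exactly the situation where a recovery needs the parent restored before the objects inside it.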

 Benefits of an AD Recycle Bin: 

  • AD Recycle Bin provides a universal recovery solution for domains with a functional level of Windows Server 2008 R2 and later.
  • Recovering objects from the AD Recycle Bin does not require a domain controller restart.
  • The attributes of an object are saved by the AD Recycle Bin throughout its life span.
  • From Windows Server 2012 onward, the Active Directory Recycle Bin includes a graphical user interface (GUI) that may be used to quickly find a deleted item and restore it to its original position with a single click.
  • The tombstone lifetime, which is set to 60 days by default, is sufficient to address most difficulties.

 Drawbacks of an AD Recycle Bin: 

  • Forests with a forest functional level of Windows Server 2008 or earlier are incompatible with the AD Recycle Bin.
  • You can’t turn off the recycle bin unless you do a full-forest recovery.
  • Since retrieving deleted objects is only possible during the object’s lifespan, AD Recycle Bin cannot be considered an enterprise backup and recovery solution.
  • The AD Recycle Bin is not appropriate for recovering changed items.
  • When you enable the recycle bin, all the existing tombstone objects in the forest will be deleted.

The AD Recycle Bin enables administrators to recover directory objects quickly, without relying on System State backups. It is helpful when you mistakenly remove an object and need to recover it. The AD Recycle Bin is a vital tool in the day-to-day operations of an Active Directory domain. It is a lifesaver for the IT department, and the organization benefits greatly from reduced operational risk as a result of it.
