Active Directory Recycle Bin (Finally!)
No More Tears
That phrase is no longer just for baby shampoo. Remember back in the old days (2008) when you had to bring down an Active Directory domain controller just to restore a deleted user or group, then mark it authoritative? First, it's not something you do that often, so you always have to review your notes each time. Second, unless you had a DRAC card installed, you had to be at the console in order to perform the operation. Third, it was just a pain in the rear to reverse Active Directory changes.
Then along came this reanimation procedure that was supposed to make life much easier. Sigh. Yeah, that was lots of fun. Of course we cannot forget how the directory services teams from "other" vendors laughed at us because of all the trouble we had to go through to get that deleted object back. Well, say hello to my little friend.
Windows 2008 R2 to the Rescue
Windows 2008 R2 adds a long-awaited feature to Active Directory: the Active Directory Recycle Bin. It is exactly what it sounds like. When an object is deleted from Active Directory it is now placed in a hidden container called Deleted Objects. This same container existed in all previous versions of Active Directory, but deleted objects (tombstones) were stripped of most of their attributes, making them almost useless when reanimated. The benefit of reanimation is the ability to restore an object without taking the domain controller offline. However, even after an object was reanimated, a great deal of work went into completing the task, such as repopulating group membership information. In R2 all attributes are retained when the object is deleted, so when an object is reanimated it is fully restored to its original state. This greatly simplifies the process and allows us to perform restores in a fraction of the time. Unless of course you follow this procedure. Fortunately, there is a much simpler method. But first we need to discuss the requirements.
Windows 2008 R2 Forest and Domain
I'm sure you saw this coming. Yes, you will have to ensure all of your domain controllers run Windows 2008 R2 and raise the forest and domain functional levels to R2 mode. If you are reading this article you have probably been around Active Directory for a while, so we won't go into details on upgrading your domain controllers or raising the functional levels. Just remember to update the schema with adprep and make sure you don't have a need for pre-R2 domain controllers before raising the functional levels, because neither the functional level change nor enabling the Recycle Bin can be undone.
Enable the Recycle Bin
Once the functional levels are raised, enabling the recycle bin is pretty easy. Follow these quick steps:
1. Navigate to Administrative Tools and launch Active Directory Module for Windows PowerShell in elevated mode.
2. At the PowerShell prompt type the following (replace "lucid" and "local" with your own forest information):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=lucid,DC=local' -Scope ForestOrConfigurationSet -Target 'lucid.local'
3. You will be asked to confirm the operation. Select Y to confirm.
If you receive an error or it appears the change did not take effect, try rebooting the domain controller. I ran into this problem in one of my tests and only a reboot solved it. To verify the change, run the following command and check that the Recycle Bin feature lists your configuration and domain partitions under EnabledScopes:
Get-ADOptionalFeature -Filter {name -like "*"}
You should receive the following output:
Restoring (Undeleting) an Object
Now to the fun part. Restoring an object is total cake if you go about it the right way. Your best option is to download Object Restore for Active Directory from Quest Software, which is a freeware tool. There are other freeware tools out there but I personally like this one because of its similarity to the Microsoft MMC as well as its simplicity.
So here's our scenario. We have the below group with its members intact.
Somehow you managed to delete this group by accident despite the various safeguards and warning messages in place. Perhaps you were texting while working or something. Don't panic. Just launch the Quest tool and follow these easy steps:
1. Right click Quest Object Restore for Active Directory and select Connect To...
2. Click the Browse button and select your domain. Then click OK.
3. Select your domain to display the deleted objects in your domain. Right click the deleted object and select Restore.
4. Click OK when prompted.
That's it! When you launch Active Directory Users and Computers your deleted group will be back and will have retained all of its members. Now you can go back to texting. Just be careful next time.
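For those who would rather script both halves of this article (enabling the feature, then restoring a deleted group) without the Quest tool, here is an added example using only the Windows 2008 R2 Active Directory module. It is not code from the original post or from Quest; the forest name lucid.local and the group name "Finance Admins" are placeholders, and it assumes you run it from an elevated AD module prompt as a member of Enterprise Admins.

```powershell
# Added example (not from the original post): enable the AD Recycle Bin with
# prerequisite checks, then restore a deleted group with the native cmdlets.
# Placeholders: forest 'lucid.local' and group 'Finance Admins'.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'lucid.local'

# The feature needs forest functional level Windows2008R2Forest (value 4) or higher.
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Build the feature DN from the configuration naming context instead of hard-coding DC= parts.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service," +
             "CN=Windows NT,CN=Services,$configNC"

# Enabling is a one-way operation, so only do it when it is not already on.
$feature = Get-ADOptionalFeature -Identity $featureDN
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Verification: EnabledScopes should now list the configuration and domain partitions.
(Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin*"').EnabledScopes

# Locate the deleted group. With the Recycle Bin on, isDeleted, lastKnownParent
# and member all survive in the Deleted Objects container. The object's name is
# rewritten to '<name>\0ADEL:<guid>', so match the original RDN client-side.
$groupName = 'Finance Admins'
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'group' -and Name -like '$groupName*'" `
    -IncludeDeletedObjects -Properties isDeleted, lastKnownParent, member, 'msDS-LastKnownRDN', whenChanged |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $groupName } |
    Sort-Object whenChanged -Descending | Select-Object -First 1

if (-not $deleted) { throw "No deleted group named '$groupName' found in the Deleted Objects container." }

# Restore to its last known parent (the default) and confirm membership came back intact.
Restore-ADObject -Identity $deleted.ObjectGUID
$restored = Get-ADGroup -Identity $deleted.ObjectGUID -Properties member
"Restored $($restored.DistinguishedName) with $($restored.member.Count) member(s)"
```

If the group's parent OU was deleted as well, restore the OU first; Restore-ADObject puts an object back under lastKnownParent, and that container has to exist before the group can go back into it.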