Windows 2008 R2 and the Active Directory Recycle Bin

Posted on October 13, 2010

How many of you have deleted the wrong user, group or computer and only realized it afterwards? Although it's rare, the one time you do tends to be a real pain: before Windows 2008 R2 your options were tombstone reanimation, which loses most of the object's attributes, or an authoritative restore from backup, which means taking a domain controller offline. Enter Windows 2008 R2 and the Active Directory Recycle Bin. Most people are still unaware of this feature because it is not integrated into any of the AD GUI tools; it must be set up and used from the Active Directory Module for Windows PowerShell.

There are a few requirements before setting it up:

  • Every domain in the forest must be at the Windows Server 2008 R2 domain functional level
  • The forest must be at the Windows Server 2008 R2 forest functional level (which is only possible once every domain is)
  • You must be a member of Enterprise Admins to enable the feature
  • You need the distinguished name of the Recycle Bin Feature object; the easiest way to find it is with ADSI Edit, as shown below
  • Enabling the feature is a one-way change, so do it deliberately

Upgrading to the Windows 2008 R2 domain functional level:

Start -> Administrative Tools -> Active Directory Domains & Trusts-> Right Click "domain.com" -> Raise Domain Functional Level

READ THE WARNINGS and do your research to ensure you can raise to this level without causing issues in your domain: every domain controller in the domain must already be running Windows Server 2008 R2, and once raised you can no longer add domain controllers running an older version of Windows.
Allow the change to replicate to every domain controller before you continue; give it at least 15 minutes.

Upgrading to the Windows 2008 R2 forest functional level:

Start -> Administrative Tools -> Active Directory Domains & Trusts-> Right Click "Active Directory Domains and Trusts" -> Raise Forest Functional Level

READ THE WARNINGS and do your research to ensure you can raise to this level without causing issues in your forest: every domain in the forest must already be at the Windows Server 2008 R2 domain functional level.
Allow the change to replicate to every domain controller before you continue; give it at least 15 minutes.

Identifying your recycling bin distinguished name:

Start -> Run -> adsiedit.msc -> Action -> Connect to -> Select a well known Naming Context -> Configuration -> OK, then expand Configuration [server.domain.ca] -> CN=Configuration -> CN=Services -> CN=Windows NT -> CN=Directory Service -> CN=Optional Features -> double click "CN=Recycle Bin Feature" in the right pane -> double click distinguishedName -> copy the value.

The value always has the same shape, CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration followed by the distinguished name of your forest root domain, so if you already know your forest root DN you can write it out directly.

Turning the Recycling Bin On:

Start -> Administrative Tools -> Active Directory Module for Windows PowerShell (any elevated PowerShell session works once you run Import-Module ActiveDirectory)

Enable-ADOptionalFeature -Identity '<distinguishedName>' -Scope ForestOrConfigurationSet -Target '<forest root domain>'

Example:

Enable-ADOptionalFeature -identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' -scope ForestOrConfigurationSet -Target 'domain.com'

Once the cmdlet completes (it asks for confirmation, because enabling the feature cannot be undone) the Recycle Bin is on for the whole forest. Two things to keep in mind: anything that was already a tombstone when you enabled it becomes a recycled object and can no longer be recovered, and from now on deleted objects stay fully restorable, with every attribute they had, for the deleted object lifetime (msDS-DeletedObjectLifetime, which falls back to the tombstone lifetime, 180 days on a forest created with Windows Server 2003 SP1 or later). Deleting an account is therefore no longer the same as removing it. Because none of this shows up in the GUI tools, you confirm the feature with Get-ADOptionalFeature and you get objects back with Get-ADObject -IncludeDeletedObjects piped to Restore-ADObject.
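As an added example (not from the original post and not Microsoft's own scripts), here is the same procedure done end to end from the Active Directory Module for Windows PowerShell, plus the two things the post stops short of: checking that the feature really is on, and actually getting a deleted object back. It assumes a hypothetical forest root domain of domain.com, an Enterprise Admin session, and a deleted user whose sAMAccountName is jsmith; the function names are mine.

```powershell
# Added example, not part of the original post: enable the Active Directory
# Recycle Bin, check the result, and restore a deleted user (parents first).
# Assumptions (hypothetical): forest root domain is domain.com, the session
# runs as an Enterprise Admin, and the account to recover is 'jsmith'.
Import-Module ActiveDirectory

$Forest  = 'domain.com'
$Account = 'jsmith'

function Test-ForestReadyForRecycleBin {
    # The forest functional level (and so every domain's level) must be at
    # least Windows Server 2008 R2; PowerShell compares the enum by ordinal.
    $forest = Get-ADForest -Identity $Forest
    return ($forest.ForestMode -ge 'Windows2008R2Forest')
}

function Enable-RecycleBin {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join '; ')"
        return
    }
    if (-not (Test-ForestReadyForRecycleBin)) {
        throw "Raise the forest functional level to Windows2008R2Forest first."
    }
    # One-way change: the cmdlet prompts for confirmation, and every existing
    # tombstone becomes a recycled object that can no longer be reanimated.
    Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
        -Scope ForestOrConfigurationSet -Target $Forest
}

function Get-DeletedObjectLifetimeDays {
    # How long a deleted object stays restorable: msDS-DeletedObjectLifetime,
    # falling back to tombstoneLifetime, which itself defaults to 60 days when
    # unset (forests created with Windows Server 2003 SP1 or later set 180).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    if ($ds.'msDS-DeletedObjectLifetime') { return [int]$ds.'msDS-DeletedObjectLifetime' }
    if ($ds.tombstoneLifetime)            { return [int]$ds.tombstoneLifetime }
    return 60
}

function Restore-DeletedTree {
    # Restore-ADObject puts the object back under its lastKnownParent, so that
    # container must exist. If it was deleted too, restore it first, recursively.
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)
    $parentDn = $Object.LastKnownParent
    try {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects `
            -Properties IsDeleted, LastKnownParent -ErrorAction Stop
    } catch {
        throw "Parent '$parentDn' is gone; use Restore-ADObject -TargetPath to restore elsewhere."
    }
    if ($parent.IsDeleted) { Restore-DeletedTree -Object $parent }
    # The object comes back exactly as it was, SID, password and group
    # memberships included: review it before handing it back to anyone.
    Restore-ADObject -Identity $Object.ObjectGUID
}

function Restore-DeletedUser {
    param([string]$SamAccountName)
    # Deleted objects are hidden from normal queries; -IncludeDeletedObjects
    # exposes the Deleted Objects container. The AD filter resolves $variables.
    $hits = @(Get-ADObject -Filter 'sAMAccountName -eq $SamAccountName -and isDeleted -eq $true' `
        -IncludeDeletedObjects -Properties IsDeleted, LastKnownParent, whenChanged)
    if ($hits.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    # The same name may have been deleted more than once; take the newest.
    $target = $hits | Sort-Object whenChanged -Descending | Select-Object -First 1
    Restore-DeletedTree -Object $target
    return Get-ADUser -Identity $target.ObjectGUID
}

Enable-RecycleBin
Write-Host "Deleted objects stay restorable for $(Get-DeletedObjectLifetimeDays) days"
Restore-DeletedUser -SamAccountName $Account
```

If a live object has since taken the original name, Restore-ADObject will refuse to put the deleted one back in the same place; its -NewName and -TargetPath parameters let you restore it under a different name or into a different container instead.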