Traditionally, the Active Directory Recycle Bin is enabled by typing in a command similar to the one below in PowerShell.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
It is no secret that I am a big PowerShell fan, but let's not forget to work smarter, not harder. If you have a Windows 8 client available to you, you can manage the AD Recycle Bin graphically even with only Windows Server 2008 R2 domain controllers. This is because the Active Directory Administrative Center in Windows 8 gives us the ability to graphically manage the AD Recycle Bin.
Once you install RSAT for Windows 8 on your client, open the Administrative Tools.
Next, open the Active Directory Administrative Center.
Select your domain.
The AD Recycle Bin requires that both your domain and forest functional levels are at least Windows Server 2008 R2. In the Tasks pane of the AD Administrative Center, click Raise the domain functional level.
Take note of the warning and ensure Windows Server 2008 R2 is selected from the drop down box. Click OK.
Click OK at the next warning.
If all went well, you will see this information message. Click OK.
Allow replication to finish to all domain controllers. If this is a multi-domain environment, then you will need to raise the domain functional level of all of the domains in your forest before you can proceed to the next step.
In the AD Administrative Center, click Raise the forest functional level.
The warnings are similar to when you raised the domain functional level. Click OK 3 times. You are now able to enable the AD Recycle Bin.
Click the Refresh button in the AD Administrative Center. This will change the Enable Recycle Bin link to allow you to click on it.
Click on Enable Recycle Bin.
Click OK twice.
The AD Recycle Bin is now active on your network. Remember, you cannot use it to recover objects that have been deleted prior to turning on the AD Recycle Bin. If you click Refresh once again, you will notice a new container, Deleted Objects. You will like this container.
Recovering an Object from the Active Directory Recycle Bin
First, let's look at the old way of recovering objects from the AD Recycle Bin. While at work, you realize that a user account deleted last week, belonging to a user named Zak Siblisk, needs to be recovered. To do this in Server 2008 R2 or Windows 7, we would have to open a PowerShell session that has access to the Active Directory module for PowerShell.
Next we would have to locate the user object:
Get-ADObject -Filter 'Name -like "Zak*"' -IncludeDeletedObjects
We can see that the object is in fact deleted. Let’s recover it.
Oops. Looks like the parent container that the object was stored in is also deleted. We need to discover what this parent object is and recover it first.
By exposing the LastKnownParent property of Zak’s user object, we can see that we first need to recover an organizational unit called OU1.
No errors means that it is restored. Now go ahead and restore Zak’s account.
Once again, no error means that Zak’s account is back. Take a look at the AD Administrative Center to confirm.
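The manual sequence above (find the object, read LastKnownParent, restore the parent, then restore the child) can be scripted. The following is an added example, not part of the original post: the function name Restore-DeletedADObject is hypothetical, and it assumes the ActiveDirectory module is available, the Recycle Bin is already enabled, and the account running it has rights to restore objects.

```powershell
# Added example (not from the original post). Restore-DeletedADObject is a
# hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function Restore-DeletedADObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # ObjectGUID stays the same after deletion, unlike the DN, which is mangled.
        [Parameter(Mandatory = $true)]
        [guid]$ObjectGuid
    )

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
        -Properties LastKnownParent -ErrorAction Stop

    # -IncludeDeletedObjects also returns live objects; never "restore" those.
    if (-not $obj.Deleted) {
        Write-Verbose "$($obj.Name) is not deleted, skipping."
        return
    }

    # Look up the last known parent. This throws if the parent has been purged
    # from the Recycle Bin; in that case restore to another location with
    # Restore-ADObject -TargetPath instead.
    $parent = Get-ADObject -Identity $obj.LastKnownParent -IncludeDeletedObjects `
        -Properties LastKnownParent -ErrorAction Stop

    # A deleted parent (such as OU1 above) must come back before its child.
    if ($parent.Deleted) {
        Restore-DeletedADObject -ObjectGuid $parent.ObjectGUID
    }

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Restore from AD Recycle Bin')) {
        Restore-ADObject -Identity $obj.ObjectGUID -PassThru
    }
}

# Usage, built on the filter shown above. Review the -WhatIf output first,
# then remove -WhatIf to perform the restore:
#   Get-ADObject -Filter 'Name -like "Zak*"' -IncludeDeletedObjects |
#       ForEach-Object { Restore-DeletedADObject -ObjectGuid $_.ObjectGUID -WhatIf }
```

Running with -WhatIf first matters because a wildcard filter such as Name -like "Zak*" can match more deleted accounts than the one you intend to bring back.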
This took a lot of effort and we also had to recover two objects. Now let's do this graphically. In the AD Administrative Center, expand your domain and select Deleted Objects.
Notice that both objects are there. (I told you that you would like this container.) We can, however, skip restoring OU1. Right-click Zak's account.
Notice that we have the option to Restore, or the option to Restore To… Select Restore To…
Browse to the OU that you want to restore the account to.
Click OK.
The account is now restored, but this time to a new location.
Even if you are not using any Windows Server 2012 Domain Controllers in your environment, you can still benefit from the Active Directory Administrative Center from the Windows 8 Remote Server Administration Tools. Give it a try.