Enable Windows Server 2016 Active Directory Recycle Bin

In our previous post, we talked about the Active Directory Administrative Center (ADAC) in Windows Server 2016.  ADAC is a great way to work with Active Directory through a task-oriented GUI.  One of the things we can do from the ADAC interface is turn on the Active Directory Recycle Bin feature.  Compared with the legacy approach of reanimating tombstoned objects, which strips most attributes (group memberships included) at deletion time, Active Directory Recycle Bin keeps a deleted object's attributes intact for the deleted object lifetime, so recovery is a single restore rather than a rebuild.  Let's take a look at how to enable Windows Server 2016 Active Directory Recycle Bin using ADAC as well as PowerShell.

Enable Windows Server 2016 Active Directory Recycle Bin

Before enabling the Active Directory Recycle Bin feature, note that you need to be a member of the Enterprise Admins group to enable it, and the forest functional level must be Windows Server 2008 R2 or higher.  Let's look first at enabling the recycle bin using the Active Directory Administrative Center (ADAC).  To launch ADAC, simply run dsac.exe.  With the domain selected, notice the Enable Recycle Bin link in the Tasks pane on the right.

Once you click the Enable Recycle Bin link, you will see a warning about the gravity of what you are about to do.  This operation is irreversible (once enabled, the Recycle Bin cannot be disabled), so such a warning is to be expected.  However, the AD Recycle Bin is definitely a worthwhile feature to enable.
After enabling the feature, you will see a notice that the process to enable the feature has begun.  The change is written on the domain controller ADAC is connected to and then has to replicate to every DC in the forest, so the feature is not fully in effect until replication completes.
After you refresh the ADAC interface, you will now see the Enable Recycle Bin link is greyed out.

Using PowerShell to Enable

Using PowerShell to enable the Active Directory Recycle Bin is equally painless.  You use the following cmdlet (substitute your own forest's configuration naming context and forest name for DC=testlab,DC=local and testlab.local):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=testlab,DC=local' -Scope ForestOrConfigurationSet -Target 'testlab.local'
PowerShell also prompts you to confirm the action (add -Confirm:$false to suppress the prompt in scripts).
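The enable procedure above, as a scripted version with the checks a practitioner wants before running an irreversible change.  This is an added example, not code from the original post: it verifies the forest functional level, only calls Enable-ADOptionalFeature if the feature is not already enabled, and reports how long deleted objects will remain restorable.  It assumes an elevated session on a domain controller (or a host with RSAT) run as an Enterprise Admin.

```powershell
# Added example (not from the original post): pre-flight checks, an idempotent
# enable of the AD Recycle Bin, and a readout of the restore window.
# Assumptions: ActiveDirectory module available, caller is in Enterprise Admins.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# The Recycle Bin optional feature needs forest functional level 2008 R2 or higher.
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

# Look the feature up by name instead of hard-coding the configuration NC.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Irreversible: once enabled, the feature cannot be turned off.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
    $feature = Get-ADOptionalFeature -Identity $feature
}

# How long a deleted object stays restorable. If msDS-DeletedObjectLifetime is unset,
# tombstoneLifetime applies; if that is unset too, the built-in default is 60 days.
$configNc  = (Get-ADRootDSE).configurationNamingContext
$dsService = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime

[pscustomobject]@{
    ForestMode                = $forest.ForestMode
    RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
    DeletedObjectLifetimeDays = $dsService.'msDS-DeletedObjectLifetime'
    TombstoneLifetimeDays     = $dsService.tombstoneLifetime
}
```

Because the enable is replicated forest-wide, run the readout again after replication has converged if you want to confirm the state on a different DC.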

Testing

I have created a testuser account in a TestOU container.  Let’s simulate an accidental deletion.  As you can see, I am about to delete the testuser account.
It is now gone!

Restoring Deleted Object

To restore the object, we need to be a member of at least the Domain Admins group.  To restore a deleted object, we again use PowerShell.  You can see the deleted objects by running the following cmdlet:
Get-ADObject -Filter {displayName -eq "testuser"} -IncludeDeletedObjects
Note that this filter only matches if the account had a displayName set; the object's cn is renamed on deletion (it becomes testuser\0ADEL:<objectGUID>), so to search on other surviving attributes use sAMAccountName or msDS-LastKnownRDN instead.  A deleted object stays restorable only until the deleted object lifetime (msDS-DeletedObjectLifetime, which defaults to the forest's tombstoneLifetime) expires.
As expected, I see the testuser account.

To restore the object we can simply pipe it to the Restore-ADObject cmdlet:
Get-ADObject -Filter {displayName -eq "testuser"} -IncludeDeletedObjects | Restore-ADObject
The object is restored in PowerShell with little fanfare.  By default Restore-ADObject puts the object back under its last known parent (lastKnownParent); if that container was deleted as well, restore the container first, or specify a different location with -TargetPath.
A quick refresh of the ADUC interface once again shows the testuser object.
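The restore procedure above, as an added example that goes a step beyond the single-user case in the post: it inventories what is currently restorable and restores an object together with any deleted parent containers, since Restore-ADObject fails when the target's parent no longer exists.  This is not the post's own code.  It assumes the Recycle Bin is already enabled, the caller is a Domain Admin, and the object is still within its deleted object lifetime; the sAMAccountName "testuser" is the post's test account and the Restore-ADObjectWithParents function name is hypothetical.

```powershell
# Added example (not from the original post). Lists restorable objects and restores
# a deleted object, restoring deleted parent containers first.
# Assumptions: Recycle Bin enabled, Domain Admins rights, ActiveDirectory module present.
Import-Module ActiveDirectory

# 1. Inventory what is currently restorable. msDS-LastKnownRDN is the original RDN
#    (the live cn was rewritten to "<cn>\0ADEL:<guid>" at deletion time).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, objectClass |
    Select-Object msDS-LastKnownRDN, objectClass, lastKnownParent

# 2. Restore an object; if its parent container was deleted too, restore that first.
function Restore-ADObjectWithParents {
    param(
        # DN or objectGUID of the deleted object.
        [Parameter(Mandatory)] $Identity
    )

    $obj = Get-ADObject -Identity $Identity -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
    if (-not $obj.isDeleted) {
        Write-Verbose "$($obj.DistinguishedName) is not deleted; nothing to do."
        return $obj
    }

    # lastKnownParent is a DN reference: if the parent was deleted as well, it points
    # at the parent's entry under CN=Deleted Objects, so recurse upwards first.
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
    if ($parent.isDeleted) {
        Restore-ADObjectWithParents -Identity $parent.ObjectGUID | Out-Null
    }

    Restore-ADObject -Identity $obj.ObjectGUID
    # Restore-ADObject returns nothing by default; re-read the live object to confirm.
    Get-ADObject -Identity $obj.ObjectGUID -Properties memberOf
}

# Usage: locate the deleted test account by its surviving sAMAccountName and restore it.
# The LDAP filter form is used here because the attribute names contain no ambiguity
# and isDeleted=TRUE restricts the search to deleted objects only.
$deleted = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(sAMAccountName=testuser))' -IncludeDeletedObjects
$deleted | ForEach-Object { Restore-ADObjectWithParents -Identity $_.ObjectGUID }
```

Re-reading the restored object with -Properties memberOf is a quick way to confirm what the Recycle Bin buys you over tombstone reanimation: group memberships come back with the object rather than having to be rebuilt by hand.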

Thoughts

The process to enable Windows Server 2016 Active Directory Recycle Bin is very straightforward.  In this example we took a look at using either ADAC or PowerShell to enable the feature.  Both methods are easy; however, some may prefer the graphical interface over the PowerShell command line.
