
Enable the Active Directory Recycle Bin in Windows Server 2012

How do I enable the Active Directory Recycle Bin in Windows Server 2012?

First introduced in Windows Server 2008 R2, the Active Directory (AD) recycle bin builds on AD’s tombstoning feature to allow administrators to easily restore deleted directory objects. Prior to Windows Server 2012, the recycle bin was accessible only from the command line using PowerShell. Windows Server 2012 contains a graphical user interface for working with and enabling the recycle bin as part of the Active Directory Administrative Center.

If managing users and computers in Active Directory has become a burden, let SolarWinds' free trio of AD Admin Tools provide you relief. With the inactive user and computer account removal tools and the user import tool, you can manage and remove computers and users from Active Directory, and you can add users in bulk. These tools run on current Windows® versions, and are even certified with Windows 7 through a strategic relationship with Microsoft®.

Before following this procedure, it's important to understand that once enabled, the Recycle Bin can't be disabled. You'll need to make sure that your forest is running at the Windows Server 2008 R2 forest functional level or higher (which in turn means every DC in the forest is running Windows Server 2008 R2 or higher), and, to use the Windows Server 2012 Administrative Center described below, that you have at least one Windows Server 2012 domain controller (DC) in the domain. Also keep in mind what you are switching on: a deleted object keeps all of its attributes, including its SID, sIDHistory and group memberships, for the deleted-object lifetime (by default the same as the tombstone lifetime, 180 days on forests created with Windows Server 2003 SP1 or later), so a deleted privileged account is dormant rather than gone until that lifetime expires, and the right to read the Deleted Objects container or to run Restore-ADObject is a privileged one. The Recycle Bin complements, and does not replace, system-state backups.

Enabling the Active Directory Recycle Bin

Log on to a domain controller, or to a machine with the Remote Server Administration Tools (RSAT) installed, as a member of Enterprise Admins; enabling a forest-wide optional feature requires that level of rights.

Open the Active Directory Administrative Center from the Start screen (or Start menu if not using Windows 8 or Windows Server 2012). Alternatively, the AD Administrative Center can be opened from the Tools menu in Server Manager.

In the left pane of the Active Directory Administrative Center, select the Active Directory domain that you want to connect to.

Right click the AD domain in the left pane and select Raise the forest functional level.

The dialog will show the current forest functional level. If the forest functional level is not at least Windows Server 2008 R2, you will need to raise the level to Windows Server 2008 R2 or higher. This process is irreversible. In this case, my forest is already at the Windows Server 2012 forest functional level, so I can click Cancel in the dialog and proceed to enable the AD Recycle Bin.

In the Tasks pane of the Active Directory Administrative Center, click Enable Recycle Bin.


Click OK in the confirmation dialog. You'll now see another dialog asking you to refresh the Administrative Center. Click OK in the dialog. In the Administrative Center, click on the Refresh icon in the top right corner.

Any AD object you delete from now on becomes a restorable deleted object in the Deleted Objects container (CN=Deleted Objects under the domain partition), with all of its attributes intact rather than stripped down to a tombstone, until the deleted-object lifetime expires. Objects deleted before you enabled the feature are ordinary tombstones and cannot be recovered this way.
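As an added illustration of what lands in that container and how it comes back (this is not part of the original article), the following PowerShell assumes the ActiveDirectory RSAT module, rights to read the Deleted Objects container and to restore objects (administrators, by default), and a hypothetical user jdoe that was deleted after the Recycle Bin was enabled:

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, rights to read the Deleted Objects container and to restore objects
# (administrators, by default), and a hypothetical user 'jdoe' deleted after
# the Recycle Bin was enabled.
Import-Module ActiveDirectory

$deletedObjectsDN = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"

# Everything still recoverable, with the attributes the Recycle Bin preserves
# and a plain tombstone would have stripped (former parent, original name,
# group memberships). Read this list the way an attacker would: a "deleted"
# Domain Admin is still here, memberships and all, until the lifetime expires.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -SearchBase $deletedObjectsDN `
    -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged, isRecycled, memberOf |
    Select-Object msDS-LastKnownRDN, ObjectClass, lastKnownParent, whenChanged, isRecycled, memberOf

# Locate the object to bring back. SamAccountName survives deletion, so search
# by it; searching by Name does not work because the RDN is mangled on delete.
$victim = Get-ADObject -Filter 'isDeleted -eq $true -and SamAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent, isRecycled
if (-not $victim) { throw "No deleted object with SamAccountName 'jdoe'." }
if ($victim.isRecycled) {
    # Past the deleted-object lifetime: Restore-ADObject refuses it, only a
    # backup can bring it back.
    throw "'jdoe' has already been recycled; restore from backup instead."
}

# Restore-ADObject puts the object back under lastKnownParent, which must
# exist. If the OU it lived in was deleted as well, restore that first
# (or pass -TargetPath to put the object somewhere else).
$parent = Get-ADObject -Identity $victim.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
if ($parent.isDeleted) { Restore-ADObject -Identity $parent.ObjectGUID }
Restore-ADObject -Identity $victim.ObjectGUID

# Confirm: SID, enabled state and group memberships come back as they were.
Get-ADUser -Identity jdoe -Properties MemberOf |
    Select-Object DistinguishedName, SID, Enabled, MemberOf
```

Because a restored account returns with the same SID and memberships it had at deletion, treat Restore-ADObject the way you treat group-membership changes in your change control and detection rules: review the listing before restoring, and restore the parent OU before its children rather than scattering objects with -TargetPath.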

Set up the Active Directory Recycle Bin with Windows PowerShell

If your domain controllers and management workstations are still on Windows Server 2008 R2 and Windows 7, there is no GUI for this feature; you'll use Windows PowerShell and the Active Directory module (which also works against Windows Server 2012, and scripts better than the Administrative Center). You don't have to run these commands on a domain controller; I prefer and recommend using Windows 7 with the Remote Server Administration Tools (RSAT) installed and configured to manage Active Directory with PowerShell.

The first step is to import the module.

PS C:\> Import-Module ActiveDirectory

The Recycle Bin is part of a concept Microsoft calls AD Optional Features. As you might expect, there is a cmdlet to use.


PS C:\> Get-ADOptionalFeature -Filter *

DistinguishedName : CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=GLOBOMANTICS,DC=local
EnabledScopes : {}
FeatureGUID : 766ddcd8-acd0-445e-f3b9-a7f9b6744f2a
FeatureScope : {ForestOrConfigurationSet}
IsDisableable : False
Name : Recycle Bin Feature
ObjectClass : msDS-OptionalFeature
ObjectGUID : 433466d6-458b-48e0-bdd1-4e815d6b7a5a
RequiredDomainMode :
RequiredForestMode : Windows2008R2Forest

At the time this was written, the Recycle Bin was the only AD optional feature Microsoft had shipped. As you can see from the result, RequiredForestMode tells you that your forest must be at the Windows Server 2008 R2 forest functional level, EnabledScopes is empty because nothing has been enabled yet, and IsDisableable confirms there is no way back.

To turn on optional features, we use the Enable-ADOptionalFeature cmdlet. It supports -WhatIf so you can give yourself a sanity check, which matters because you cannot undo this change: a Disable-ADOptionalFeature cmdlet exists, but the Recycle Bin feature reports IsDisableable : False.

To enable it, you specify a -Scope, which for the Recycle Bin is ForestOrConfigurationSet, and a -Target. Because the feature is forest-wide, the target is your forest (pass the forest root domain name, or the distinguished name of the configuration partition), not an individual domain:

PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -whatif

Figure 1 shows the result:

Figure 1 What If I Enable the Recycle Bin?


If I'm ready, I can re-run the command without -WhatIf. You'll be prompted for confirmation, but that is it. No reboot is required. The feature is forest-wide, so a single run covers every domain in the forest; you do not repeat it per domain. Once it has run, Get-ADOptionalFeature shows the EnabledScopes property populated instead of the empty {} seen above.
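Putting the prerequisite checks and the enable step together, here is an added script (not from the original article) that verifies the forest functional level, lists the DCs so any straggler is visible before you flip an irreversible switch, enables the feature only if it is not already on, and then reads back EnabledScopes and the deleted-object lifetime. It assumes the ActiveDirectory RSAT module and Enterprise Admins rights; globomantics.local is the article's forest name and should be replaced with yours.

```powershell
# Added example (not from the original article): check the prerequisites,
# enable the Recycle Bin once for the whole forest, and verify the result.
# Assumes the ActiveDirectory RSAT module and membership in Enterprise Admins.
# 'globomantics.local' is the article's forest name; substitute your own.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'globomantics.local'
$root   = $forest.RootDomain

# 1. Forest functional level must be Windows Server 2008 R2 or higher.
#    ForestMode is an enum whose values are ordered by level, so comparing
#    the integer values works.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 or higher first (that step is irreversible too)."
}

# 2. Every DC in every domain should already be 2008 R2 or later; list them
#    so an old DC or a stale DC object stands out before you continue.
foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, Domain, OperatingSystem
}

# 3. Enable only if it is not already enabled (EnabledScopes is empty until then).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $root
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
} else {
    # Dry run first. The real call below prompts for confirmation, because
    # the change cannot be undone; one run covers the whole forest.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $root -WhatIf
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $root
}

# 4. Verify, and read how long a deleted object stays restorable.
#    msDS-DeletedObjectLifetime is normally unset, in which case the value
#    of tombstoneLifetime applies (180 days on forests created with
#    Windows Server 2003 SP1 or later).
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $root).EnabledScopes

$cfg = (Get-ADRootDSE -Server $root).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
         -Server $root -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$lifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
"Deleted objects stay restorable for $lifetime days (tombstoneLifetime = $($ds.tombstoneLifetime))."
```

The lifetime at the end is the number that matters operationally: it bounds both how long you can recover an accidental deletion and how long a deleted privileged account remains restorable by anyone with the right to run Restore-ADObject, so decide deliberately whether the default suits you rather than discovering it during an incident.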

Conclusion

Once this change has replicated to all your domain controllers, you are ready to begin using it, bearing in mind that only objects deleted after the feature was enabled can be restored with their attributes intact. We'll look at restoring objects next time, or if you are in a hurry or want to learn more about using PowerShell with AD, take a look at Managing Active Directory with Windows PowerShell: TFM 2nd Ed. (SAPIEN Press 2010).