The Active Directory (AD) Recycle Bin is a feature in Microsoft Active Directory that allows administrators to recover accidentally deleted AD objects, such as users, groups, or organizational units, without requiring a full system restore or restarting domain controllers. This feature is available in Windows Server 2008 R2 and later versions.
Key Features:
1. Recovery Without Backup: Enables the restoration of deleted objects directly from the AD database, preserving their attributes and group memberships.
2. Preserves Metadata: When an object is restored, its attributes (e.g., passwords, permissions, and group memberships) are also recovered.
3. Disabled by Default: Administrators must enable the feature manually.
How It Works:
• Without the Recycle Bin, a deleted AD object is marked as a “tombstone” and retained only for the tombstone lifetime.
• With the AD Recycle Bin enabled, the deleted object is moved to the special “Deleted Objects” container with its attributes intact and can be restored during the deleted object lifetime (default is 180 days in Windows Server 2012 and later).
Steps to Enable AD Recycle Bin:
1. Open Active Directory Administrative Center (ADAC).
2. Navigate to the domain where you want to enable the Recycle Bin.
3. Right-click the domain and select Enable Recycle Bin.
4. Confirm the action (this cannot be undone).
Restoring Deleted Objects:
You can use tools like:
• Active Directory Administrative Center: Select and restore objects from the “Deleted Objects” container.
• PowerShell: Use the Restore-ADObject cmdlet.
Example PowerShell Command:
Restore-ADObject -Identity <ObjectGUID>
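The following PowerShell script is an added example (not part of the original article) that walks through the whole procedure described above with the ActiveDirectory module: checking the forest functional level, enabling the Recycle Bin, reading the deleted object lifetime, listing restorable objects, and restoring one. It assumes the module is installed and that the account has Enterprise Admin rights; the Restore-DeletedADObject function is a helper written for this example.

```powershell
# Added example: enable and use the AD Recycle Bin end to end (ActiveDirectory module).
Import-Module ActiveDirectory

$forest = Get-ADForest
# The feature needs a forest functional level of Windows Server 2008 R2 or higher.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level '$($forest.ForestMode)' is too low for the Recycle Bin."
}

# 1. Enable the feature if it is not already on. EnabledScopes is empty until then.
#    This is an irreversible, forest-wide change; -Confirm:$false suppresses the prompt.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 2. How long deleted objects stay restorable. msDS-DeletedObjectLifetime falls back to
#    tombstoneLifetime when it is not set explicitly.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsConfig = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
"Deleted object lifetime: $($dsConfig.'msDS-DeletedObjectLifetime') (tombstone: $($dsConfig.tombstoneLifetime))"

# 3. List deleted objects, newest first; lastKnownParent tells you where each one lived.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 4. Restore by objectGUID. Restore-ADObject fails if the last known parent (for example a
#    deleted OU) no longer exists, so restore the parent first or redirect with -TargetPath.
function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath   # optional DN of a container to restore into instead
    )
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    $parent = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue
    if (-not $parent -and -not $TargetPath) {
        throw "Parent '$($obj.lastKnownParent)' is missing; restore it first or pass -TargetPath."
    }
    if ($TargetPath) { Restore-ADObject -Identity $obj -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $obj }
}

# Example: restore the most recently deleted object back to where it came from.
if ($deleted) { Restore-DeletedADObject -ObjectGuid $deleted[0].ObjectGUID }
```

Restoring a deleted OU before the users inside it is the usual order; alternatively pass -TargetPath to place a child object into an existing container.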
The AD Recycle Bin improves efficiency by providing a quick recovery option for accidental deletions, avoiding a time-consuming restore from backup or an authoritative restore for such cases.