One of the things I’ve really learned to appreciate about Windows Server 2012 is the Active Directory Recycle Bin feature. Although it was first introduced in Windows Server 2008 R2, the feature has been improved and made easier to work with in Windows Server 2012.
As an Active Directory administrator, from time to time we have to restore AD objects such as users, groups, computers, and so on. Prior to Active Directory in Windows Server 2008/2012, it wasn’t an easy task to take on, especially for someone who’s not Active Directory savvy. Some of the restore options included:
- Authoritative Restore
- Non-Authoritative Restore
- Granular Restores using third party backup tools such as NetBackup
One restore method that is not supported (including on Windows 2008 and 2008 R2) is creating and then reverting to snapshots. This is due to the possibility of suffering a USN rollback if you were to revert to a snapshot. With Windows Server 2012, we now have support for taking snapshots and safely reverting in case of a disaster without suffering a USN rollback (we’ll cover this in another post).
As mentioned above, the AD Recycle Bin allows us to restore items that we accidentally delete by going to the Deleted Objects container within Active Directory, right clicking, and selecting Restore. The restore brings the object back with all the correct group memberships as if nothing ever happened. As with support for snapshots, we first need to enable this feature.
One requirement you have to meet is the domain and forest functional level: it has to be at least Windows Server 2008 R2, or else you won’t be able to use the feature. This also means that if you’re presently in a mixed Active Directory environment, i.e. Windows 2003 and 2012, 2003 and 2008 R2, or 2008 and 2008 R2, then you won’t be able to use this feature, because you cannot raise your domain/forest functional level to 2008 R2 or higher while you still have older DCs in your domain.
ENABLE ACTIVE DIRECTORY RECYCLE BIN
- The first thing we’ll need to do is open the ADAC (Active Directory Administrative Center)
- Next, we’ll need to navigate to our domain and, on the right hand side, click on Enable Recycle Bin (in my case it’s greyed out because I already enabled it)
We now just have to wait for it to replicate to all the other Domain Controllers in the domain, and that’s it. Now you might be asking yourself, “Well, where do I go to restore the objects?” The answer is that you’ll now see a new container called Deleted Objects.
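The same prerequisite check, enable step and replication check can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not code from the original post; it assumes the module is installed, that you run it as an Enterprise Admin, and that the forest root domain is contoso.com (a placeholder). Enabling the Recycle Bin is forest-wide and cannot be undone, which is why the script checks whether it is already on before calling Enable-ADOptionalFeature.

```powershell
# Added example (not from the original post): verify the functional level,
# enable the AD Recycle Bin, then confirm it has replicated to every DC.
# Assumptions: ActiveDirectory module available; forest root 'contoso.com'
# is a placeholder and is read from Get-ADForest rather than hard-coded.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Windows Server 2008 R2 is the minimum forest level. The ADForestMode enum
# values are ordered by release, so an integer comparison is sufficient.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 or higher first (domain level: $($domain.DomainMode))."
}

# Only enable if it is not already on: the operation is forest-wide and irreversible.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Ask each DC directly whether it has received the change yet, which is the
# "wait for replication" step from the post made visible.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $onDc = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dc.HostName
    $state = if ($onDc.EnabledScopes.Count -gt 0) { 'enabled' } else { 'not yet replicated' }
    '{0}: {1}' -f $dc.HostName, $state
}

# Deleted objects stay restorable only for msDS-deletedObjectLifetime days
# (180 when the attribute is unset), so it is worth knowing the value.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$lifetime = (Get-ADObject -Identity $dsConfig -Properties 'msDS-deletedObjectLifetime').'msDS-deletedObjectLifetime'
'Deleted object lifetime (days): {0}' -f $(if ($lifetime) { $lifetime } else { '180 (default)' })
```

Run it once from a management host; the per-DC loop can be re-run on its own until every controller reports "enabled".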
Now, let’s say I accidentally deleted a user in AD and need to get that user object restored. What do I do? One thing I’d like to point out is that you’ll only see the Deleted Objects container in ADAC; you won’t see it in ADUC (Active Directory Users and Computers). I know that most of us use ADUC and not ADAC, so you might be curious where the folder is located. If you try to restore the object using ADUC, you won’t be able to; you’ll need ADAC for that.
Restoring is quite simple: navigate to the Deleted Objects container within ADAC, right click on the object that you want to restore (in this case it’s a test user I created earlier for demonstration purposes), and select Restore.
This will restore the object to its original location with all the settings intact, such as description, membership, SID, attributes, etc. The second option, Restore To…, allows us to choose whether we want to restore the object to an alternate location. The Locate Parent option allows us to locate the OU where this object was originally located.
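The three ADAC actions just described (Restore, Restore To…, Locate Parent) map onto Get-ADObject with -IncludeDeletedObjects, Restore-ADObject with and without -TargetPath, and the lastKnownParent attribute. The block below is an added example, not code from the original post; the account name 'testuser' and the 'OU=Restored' target are placeholders, and it assumes the ActiveDirectory module and rights to restore objects in the domain.

```powershell
# Added example (not from the original post): find a deleted user, show where
# it came from, and restore it in place or to an alternate OU.
# Assumptions: 'testuser' and 'OU=Restored' are placeholders; the
# ActiveDirectory module is available and the caller may restore objects.
Import-Module ActiveDirectory

$sam = 'testuser'

# Tombstoned objects are hidden from normal queries; -IncludeDeletedObjects
# exposes them. sAMAccountName is kept on deleted objects once the Recycle Bin
# is on, so it is a reliable key. An LDAP filter avoids quoting issues with $true.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid

if (-not $deleted) { throw "No deleted object with sAMAccountName '$sam' found." }

# The same account may have been deleted more than once; take the newest copy.
$obj = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

# 'Locate Parent' in ADAC is simply the lastKnownParent attribute.
"Found:        {0}`nDeleted from: {1}`nSID:          {2}" -f `
    $obj.DistinguishedName, $obj.lastKnownParent, $obj.objectSid

# If the original OU is gone, an in-place restore fails; check first.
$parentExists = $null -ne (Get-ADObject -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue)

if ($parentExists) {
    # 'Restore': back to the original location, SID and memberships intact.
    Restore-ADObject -Identity $obj.ObjectGUID
} else {
    # 'Restore To...': place it in an alternate OU (restore the parent OU first
    # if you need the original structure back).
    $target = "OU=Restored,$((Get-ADDomain).DistinguishedName)"
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $target
}

# Verify: the SID is unchanged, so group memberships and ACLs still resolve.
Get-ADUser -Identity $sam -Properties MemberOf |
    Select-Object Name, SID, DistinguishedName, @{n='Groups'; e={ $_.MemberOf -join '; ' }}
```

Add -WhatIf to the Restore-ADObject calls on a first run to see which object would be restored and where before changing anything.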
If you ask me, or anyone for that matter, this would be one of the first features I’d enable if I were to upgrade to 2012 or deploy a brand new AD environment from scratch. To me, there’s nothing more annoying than having to do a restore at the end of the day because I or someone else accidentally deleted an object. With the Recycle Bin, the object gets restored within seconds.