When is a Recycle Bin Not a Recycle Bin? When it's in Active Directory

If I say "Recycle Bin," you know what I'm talking about, right? It's the little icon on your desktop that you can use to recover accidentally-deleted files. You double-click it, it opens up, and the files appear.

When Microsoft shipped an Active Directory Recycle Bin (ADRB) in Windows Server 2008 R2, many expected that same kind of GUI-based, drag-and-drop functionality. Unfortunately, we didn't get it. The ADRB is a somewhat different creature and not really like the Explorer Recycle Bin you know and love. That said, it can still be a useful recovery tool, so long as you're aware of its capabilities and limitations.

Prior to the ADRB, you could still recover deleted items from AD. Doing so required quite a bit of knowledge, though: Typically, you'd have to take a domain controller offline and perform an authoritative restore of a backup to that domain controller, along with other steps. If the object you wanted had been recently deleted, you could also use low-level tools like ADSIEdit to access the object and change its "tombstone" attribute so the object no longer showed as "deleted." Unfortunately, you would lose most of the attributes on the object, forcing you to re-create them from memory or go to a backup to retrieve an older version of the object. In other words, recovering individual deleted objects was painful.

The ADRB seeks to reduce, although not eliminate, that pain. First, you can only enable the ADRB in a domain that's running at the Windows Server 2008 R2 functional level; this means domain controllers must be on that version of Windows. Second, you have to explicitly enable the feature by running a command in Windows PowerShell.

Once enabled, all deleted directory objects are copied to a special "Deleted Objects" container, with all of their attributes intact. If you accidentally delete an object, you can simply copy it back from that special container. Doing so isn't as easy as dragging an object in Active Directory Users and Computers, though; you'll have to run more PowerShell commands.

There are some limitations. First, the ADRB can only restore entire deleted objects; it can't undo a change to a single attribute. Also, when restoring an entire organizational unit (OU), things get tricky: You have to first restore the container and then search for and restore objects that used to be stored in that container.
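The PowerShell side of the steps above, as an added example that is not from the original article: enabling the feature, restoring one deleted user, and restoring an OU followed by the objects it used to hold. It assumes the ActiveDirectory module is loaded on a domain controller or RSAT box and uses the placeholder forest "contoso.com" and a hypothetical user "jdoe".

```powershell
# Added example, not from the article. Placeholders: contoso.com, jdoe, Sales.
Import-Module ActiveDirectory

# 1. One-time, irreversible switch: turn the Recycle Bin feature on.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# Helper: list recycled objects. Deleted objects keep their attributes and
# are named "<rdn>\0ADEL:<guid>", so a -like filter on the old name works.
function Get-RecycledObject {
    param([string]$NameFilter = '*')
    Get-ADObject -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and name -like '$NameFilter' -and name -ne 'Deleted Objects'" `
        -Properties objectClass, lastKnownParent, whenChanged |
        Select-Object Name, objectClass, lastKnownParent, whenChanged, ObjectGUID
}

# 2. Restore a single deleted user: the whole object comes back, attributes intact.
$user = Get-RecycledObject -NameFilter 'jdoe*' | Where-Object objectClass -eq 'user'
if ($user) { Restore-ADObject -Identity $user.ObjectGUID }

# 3. Restore an OU: the container first, then search for the objects whose
#    last known parent was that OU and restore each of them (the "tricky" part).
function Restore-RecycledOU {
    param([Parameter(Mandatory)][string]$OuName)
    $ou = Get-RecycledObject -NameFilter "$OuName*" |
          Where-Object objectClass -eq 'organizationalUnit'
    if (-not $ou) { throw "No deleted OU named '$OuName' found in the Recycle Bin." }

    Restore-ADObject -Identity $ou.ObjectGUID
    # The OU now has its original DN again, e.g. OU=Sales,DC=contoso,DC=com
    $restoredDN = (Get-ADObject -Identity $ou.ObjectGUID).DistinguishedName

    Get-ADObject -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$restoredDN'" `
        -Properties lastKnownParent |
        ForEach-Object {
            Restore-ADObject -Identity $_.ObjectGUID
            $_.Name   # report what came back, for the change record
        }
}

Restore-RecycledOU -OuName 'Sales'

# Audit check after any restore: nothing with that name should remain recycled.
Get-RecycledObject -NameFilter 'Sales*'
```

Nested OUs need the same container-then-children pass at each level, because only objects whose lastKnownParent is the restored OU are found by the filter.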

While the ADRB isn't a full-fledged recovery solution, it's certainly better than what came with prior versions of Windows. Most organizations will probably still want a third-party AD recovery tool that provides drag-and-drop operation, attribute-level recovery, and other more advanced and granular features.


Don Jones
is a Senior Partner and Principal Technologist for Concentrated Technology, LLC, a strategic consulting and analysis firm. Contact him through the company's Web site, http://ConcentratedTech.com.

This was first published in July 2011
