
When is a Recycle Bin Not a Recycle Bin? When it's in Active Directory

The Active Directory Recycle Bin isn't exactly the same as the one found on desktop operating systems. That doesn't mean it isn't useful.

If I say "Recycle Bin," you know what I'm talking about, right? It's the little icon on your desktop that you can use to recover accidentally-deleted files. You double-click it, it opens up, and the files appear.

When Microsoft shipped an Active Directory Recycle Bin (ADRB) in Windows Server 2008 R2, many expected that same kind of GUI-based, drag-and-drop functionality. Unfortunately, we didn't get it. The ADRB is a somewhat different creature and not really like the Explorer Recycle Bin you know and love. That said, it can still be a useful recovery tool, so long as you're aware of its capabilities and limitations.

Prior to the ADRB, you could still recover deleted items from AD. Doing so required quite a bit of knowledge, though: Typically, you'd have to take a domain controller offline, perform an authoritative restore from a backup on that domain controller, and carry out several other steps. If the object you wanted had been recently deleted, you could also use low-level tools like ADSIEdit to access the object and change its "tombstone" attribute so the object no longer showed as "deleted." Unfortunately, you would lose most of the attributes on the object, forcing you to re-create them from memory or go to a backup to retrieve an older version of the object. In other words, recovering individual deleted objects was painful.

The ADRB seeks to reduce, although not eliminate, that pain. First, you can only enable the ADRB in a domain that's running at the Windows Server 2008 R2 functional level; this means domain controllers must be on that version of Windows. Second, you have to explicitly enable the feature by running a command in Windows PowerShell.

Once enabled, all deleted directory objects are copied to a special "Deleted Objects" container, with all of their attributes intact. If you accidentally delete an object, you can simply copy it back from that special container. Doing so isn't as easy as dragging an object in Active Directory Users and Computers, though; you'll have to run more PowerShell commands.
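The two steps just described, enabling the feature and then pulling a single object back out of the Deleted Objects container, look like this in the ActiveDirectory PowerShell module. This is an added example rather than code from the article; it assumes the RSAT ActiveDirectory module is loaded, a forest named contoso.com, and a deleted user account whose name before deletion was "Jane Doe" (all of those values are placeholders).

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module,
# a forest called 'contoso.com' and a deleted user formerly named 'Jane Doe'.
Import-Module ActiveDirectory

# --- 1. Enable the Recycle Bin (one time, forest-wide) ----------------------
# EnabledScopes stays empty until the feature is switched on. Enabling is
# irreversible, so the check keeps the script idempotent on later runs.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target 'contoso.com' -Confirm:$false
}

# --- 2. Locate the deleted object ------------------------------------------
# Deleted objects are hidden from ordinary searches; -IncludeDeletedObjects
# exposes them. msDS-LastKnownRDN holds the name the object had before deletion
# (its current 'name' is mangled with the DEL: suffix and the GUID).
$candidates = @(Get-ADObject `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=Jane Doe))' `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged)

switch ($candidates.Count) {
    0 { throw 'No deleted object by that name; it may already have aged out of the Deleted Objects container.' }
    1 { $target = $candidates[0] }
    default {
        # The same name may have been deleted more than once. List every match
        # so the choice is auditable, then take the most recent deletion.
        $candidates | Format-Table ObjectGUID, lastKnownParent, whenChanged -AutoSize
        $target = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
    }
}

# --- 3. Restore it ----------------------------------------------------------
# Restore-ADObject puts the object back under its lastKnownParent with the
# attributes it had at deletion time. It fails if that parent no longer exists;
# restore the parent first in that case (or supply -TargetPath to relocate).
Restore-ADObject -Identity $target.ObjectGUID

# Verify the result: the account should be back with its group memberships.
Get-ADUser -Identity $target.ObjectGUID -Properties memberOf |
    Select-Object DistinguishedName, Enabled, memberOf
```

The LDAP filter is used for the lookup because isDeleted and msDS-LastKnownRDN are only meaningful together with -IncludeDeletedObjects; the objectClass clause keeps a deleted contact or computer with the same display name from being restored by mistake. Deleted objects remain restorable only for the deleted-object lifetime (msDS-DeletedObjectLifetime, 180 days by default), after which they become plain tombstones again and this procedure no longer applies.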

There are some limitations. First, the ADRB can only restore entire deleted objects; it can't undo a change to a single attribute. Also, when restoring an entire organizational unit (OU), things get tricky: You have to first restore the container and then search for and restore objects that used to be stored in that container.
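Restoring a whole OU is the case the article calls tricky: the container has to come back before anything that lived in it, and nested OUs repeat the problem one level down. The following added example (not the article's code) handles that recursively. It assumes the ActiveDirectory module, a domain DC=contoso,DC=com, a deleted OU that was named "Sales", and that each deleted child records the original distinguished name of its container in lastKnownParent; all of those are placeholders or assumptions.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module,
# domain DC=contoso,DC=com and a deleted OU formerly at OU=Sales,DC=contoso,DC=com.
Import-Module ActiveDirectory

function Restore-DeletedTree {
    # Restores one deleted object and, if it is a container, everything that
    # used to sit underneath it, depth first so that parents always exist
    # before their children are restored.
    param([Parameter(Mandatory = $true)] [guid] $ObjectGuid)

    Restore-ADObject -Identity $ObjectGuid
    $restored = Get-ADObject -Identity $ObjectGuid
    Write-Host ("restored {0}" -f $restored.DistinguishedName)

    # Leaf objects (users, groups, computers) have no children to chase.
    if (@('organizationalUnit', 'container') -notcontains $restored.ObjectClass) {
        return $restored
    }

    # After the restore the container's DN is its original DN again, which is
    # what its deleted children carry in lastKnownParent. A scriptblock filter
    # may reference a plain local variable directly.
    $dn = $restored.DistinguishedName
    $children = @(Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $dn } `
        -IncludeDeletedObjects)

    foreach ($child in $children) {
        Restore-DeletedTree -ObjectGuid $child.ObjectGUID | Out-Null
    }
    return $restored
}

# Find the deleted OU by the name it had before deletion. Refuse to guess if
# there is more than one match, since restoring the wrong one is not reversible
# without deleting it again.
$ous = @(Get-ADObject `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales))' `
    -IncludeDeletedObjects -Properties lastKnownParent)
if ($ous.Count -ne 1) {
    throw ("expected exactly one deleted OU named 'Sales', found {0}" -f $ous.Count)
}
if ($ous[0].lastKnownParent -ne 'DC=contoso,DC=com') {
    throw ("unexpected original location: {0}" -f $ous[0].lastKnownParent)
}

Restore-DeletedTree -ObjectGuid $ous[0].ObjectGUID

# Check that nothing from the subtree is still sitting in Deleted Objects.
$leftover = @(Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq 'OU=Sales,DC=contoso,DC=com' } `
    -IncludeDeletedObjects)
if ($leftover.Count -gt 0) {
    Write-Warning ("{0} object(s) under OU=Sales were not restored" -f $leftover.Count)
}
```

The script deliberately restores the OU before querying for its children, because Restore-ADObject rejects a child whose lastKnownParent does not exist. It also restores everything found under the OU, which is usually what you want after an accidental deletion but will also bring back objects that were removed on purpose earlier and still carry that OU as their last known parent; inspect the Deleted Objects container first if the OU has a long history.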

While the ADRB isn't a full-fledged recovery solution, it's certainly better than what came with prior versions of Windows. Most organizations will probably still want a third-party AD recovery tool that provides drag-and-drop operation, attribute-level recovery, and other more advanced and granular features.


Don Jones is a Senior Partner and Principal Technologist for Concentrated Technology, LLC, a strategic consulting and analysis firm. Contact him through the company's Web site,
