Introduction to the Active Directory Recycle Bin

Accidentally deleted Active Directory objects—users, groups, computers, and OUs—have historically been a serious administrative headache. Before Windows Server 2008 R2, recovering a deleted object required either restoring from backup or performing an authoritative restore of Active Directory, both of which are time-consuming operations that can impact production services. The Active Directory Recycle Bin feature, available on Windows Server 2019 domains, allows you to restore deleted objects with all their attributes intact using a simple PowerShell command or graphical interface.

This tutorial covers enabling the Recycle Bin, how deleted objects are preserved, restoring deleted objects using PowerShell and the Active Directory Administrative Center, and important limitations to understand.

Prerequisites and Requirements

The Active Directory Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher. Windows Server 2019 domains running at forest functional level 2012 R2 or 2016 already satisfy this requirement. Verify your current forest functional level before enabling.

Get-ADForest | Select-Object Name, ForestMode

Once enabled, the Active Directory Recycle Bin cannot be disabled; this is a one-way operation. The setting must also replicate to every domain controller before deleted objects are preserved, so allow replication to complete across all sites before testing.

Enabling the Active Directory Recycle Bin

Enable the Recycle Bin using the Enable-ADOptionalFeature cmdlet. You must be a member of Enterprise Admins to run this command. The Scope must be set to ForestOrConfigurationSet and the Target must be your forest root domain.

Enable-ADOptionalFeature `
    -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target 'yourdomain.com' `
    -Confirm:$false

After running this command, you will see a confirmation message. The feature replicates to all domain controllers automatically. In large environments with many sites, allow full replication to complete (check with repadmin /replsummary) before depending on the Recycle Bin for recoveries.

Enabling Via Active Directory Administrative Center

You can also enable the Recycle Bin through the graphical Active Directory Administrative Center. Open ADAC with dsac.exe, right-click your domain name in the left navigation pane, and select Enable Recycle Bin. A dialog confirms the action and warns that it cannot be reversed.

dsac.exe

Verifying the Recycle Bin is Enabled

Confirm the feature is enabled by querying the optional features of the forest. Look for the Recycle Bin Feature in the output and verify it shows as enabled.

Get-ADOptionalFeature -Filter * | 
    Select-Object Name, EnabledScopes | 
    Where-Object { $_.Name -like "*Recycle*" }

How the Recycle Bin Works

When an object is deleted with the Recycle Bin enabled, it moves through two stages. First, it enters the Deleted Objects container in a logically deleted state. During this phase (controlled by the msDS-deletedObjectLifetime attribute, default 180 days), the object retains all its original attributes and can be fully restored. After this period, the object moves to a recycled state where most attributes are stripped. Finally, after the tombstone lifetime (also 180 days by default), the object is permanently removed.

The key advantage is that during the logically deleted phase, group memberships, password, SID, and all other attributes are preserved—something that was not possible with the old tombstone-only mechanism.
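As an added example (not from the original article), the following script turns the two-stage lifecycle above into a triage report: it reads the configured lifetimes from the Directory Service object and lists, for every object in the Deleted Objects container, whether it is still fully restorable and how many days remain before it is recycled. It assumes the ActiveDirectory module and a reachable domain controller; the 180-day fallback is assumed only for the case where neither lifetime attribute is set.

```powershell
# Added example (not from the original article): list every object in the Deleted Objects
# container with its recovery state and the days left before it is recycled.
# Assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-DeletedObjectReport {
    $domainDn = (Get-ADDomain).DistinguishedName
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

    # If msDS-DeletedObjectLifetime is unset, AD uses tombstoneLifetime. The final
    # fallback to 180 days is an assumption matching the default quoted in this article.
    $dol = $dsObject.'msDS-DeletedObjectLifetime'
    if (-not $dol) { $dol = $dsObject.tombstoneLifetime }
    if (-not $dol) { $dol = 180 }
    $now = Get-Date

    # The container itself is also flagged as deleted, so search one level below it.
    Get-ADObject -SearchBase "CN=Deleted Objects,$domainDn" -SearchScope OneLevel `
        -Filter { Deleted -eq $true } -IncludeDeletedObjects `
        -Properties 'msDS-LastKnownRDN', LastKnownParent, WhenChanged, isRecycled |
        ForEach-Object {
            # Deletion updates WhenChanged, so it serves as the deletion timestamp.
            $age = ($now - $_.WhenChanged).Days
            [pscustomobject]@{
                Name            = $_.'msDS-LastKnownRDN'   # original RDN without the DEL:<guid> suffix
                ObjectClass     = $_.ObjectClass
                LastKnownParent = $_.LastKnownParent
                DeletedOn       = $_.WhenChanged
                Restorable      = -not $_.isRecycled        # recycled objects have lost most attributes
                DaysToRecycle   = $(if ($_.isRecycled) { 0 } else { [Math]::Max(0, $dol - $age) })
            }
        }
}

# Triage view: restorable objects whose full-attribute window closes within a week.
Get-DeletedObjectReport |
    Where-Object { $_.Restorable -and $_.DaysToRecycle -le 7 } |
    Sort-Object DaysToRecycle |
    Format-Table Name, ObjectClass, DeletedOn, DaysToRecycle, LastKnownParent -AutoSize
```

Run it on a schedule and alert on any row with a small DaysToRecycle value; once an object is recycled, only a backup restore can bring its attributes back.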

Viewing Deleted Objects

Use Get-ADObject with the IncludeDeletedObjects switch to see deleted objects in Active Directory. Filter by object class or name to find specific deleted objects.

Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} `
    -IncludeDeletedObjects `
    -Properties * | 
    Select-Object Name, DistinguishedName, WhenDeleted, LastKnownParent

To search for a specific deleted user by display name:

Get-ADObject -Filter {Deleted -eq $true -and DisplayName -like "*John Smith*"} `
    -IncludeDeletedObjects `
    -Properties DisplayName, WhenDeleted, LastKnownParent

Restoring a Deleted User Account

Restore a deleted object using Restore-ADObject. The most reliable way is to first find the exact Distinguished Name of the deleted object (it will have a mangled DN including the deletion GUID), then pipe it to Restore-ADObject.

Get-ADObject -Filter {Deleted -eq $true -and SamAccountName -eq "jsmith"} `
    -IncludeDeletedObjects | 
    Restore-ADObject

The object is restored to its last known parent OU with all attributes intact, including group memberships, password hash (the user can log in immediately with their old password), profile settings, and SID. No re-provisioning is necessary.

Restoring to a Different Location

If the original OU has also been deleted, or if you want to restore the object to a different container, use the -TargetPath parameter to specify the destination OU Distinguished Name.

Get-ADObject -Filter {Deleted -eq $true -and SamAccountName -eq "jsmith"} `
    -IncludeDeletedObjects | 
    Restore-ADObject -TargetPath "OU=Users,OU=HQ,DC=yourdomain,DC=com"

Restoring a Deleted OU and Its Contents

Restoring an OU that contained many objects requires a specific order: restore the parent OU first, then restore the child objects. If you restore child objects before the parent OU exists, they restore to the LostAndFound container. The following script restores an entire OU hierarchy.

# First restore the OU itself. A deleted object's Name is mangled to
# "Marketing\0ADEL:<guid>", so match on the preserved original RDN rather than Name -eq.
Get-ADObject -Filter 'Deleted -eq $true -and ObjectClass -eq "organizationalUnit" -and msDS-LastKnownRDN -eq "Marketing"' `
    -IncludeDeletedObjects |
    Restore-ADObject

# Then restore the objects that were directly inside that OU
# (a nested OU needs the same two steps in turn, parent before children)
Get-ADObject -Filter {Deleted -eq $true} `
    -IncludeDeletedObjects `
    -Properties LastKnownParent |
    Where-Object { $_.LastKnownParent -like "*OU=Marketing*" } |
    Restore-ADObject
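The two-step script above handles one level of containment. The following added example (not part of the original article) generalises it to a nested OU tree, restoring each container before its contents so nothing falls into LostAndFound. It assumes the OU was deleted as a subtree, so that each child's LastKnownParent holds the mangled Deleted Objects DN of its parent, and it uses msDS-LastKnownRDN to find the OU by its original name.

```powershell
# Added example (not from the original article): restore a deleted OU and everything
# beneath it, each container before its contents, so nothing lands in LostAndFound.
# Assumes the OU was deleted as a subtree, so each child's LastKnownParent is the
# mangled Deleted Objects DN of its parent. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$DeletedObjectsDn = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory)]$DeletedObject,   # object returned with -IncludeDeletedObjects
        [string]$TargetPath                     # optional new parent for the top of the tree
    )
    # Children point at the parent's mangled DN ("OU=Marketing\0ADEL:<guid>,CN=Deleted Objects,...").
    # Capture it before the restore moves the object back out of the container.
    $mangledDn = $DeletedObject.DistinguishedName

    # Restore by objectGUID, which is stable across deletion; PassThru returns the restored object.
    $restoreArgs = @{ Identity = $DeletedObject.ObjectGUID; PassThru = $true }
    if ($TargetPath) { $restoreArgs.TargetPath = $TargetPath }
    $restored = Restore-ADObject @restoreArgs
    $restored

    # Now that the parent exists again, restore its direct children into it and recurse
    # so nested OUs are handled in order. Passing the parent's new DN as TargetPath also
    # covers the case where the caller relocated the top of the tree.
    Get-ADObject -SearchBase $DeletedObjectsDn -SearchScope OneLevel -IncludeDeletedObjects `
        -Filter { LastKnownParent -eq $mangledDn } -Properties LastKnownParent |
        ForEach-Object {
            Restore-DeletedSubtree -DeletedObject $_ -TargetPath $restored.DistinguishedName
        }
}

# Find the deleted Marketing OU by its preserved original RDN: the deleted object's Name is
# mangled to "Marketing\0ADEL:<guid>", so Name -eq "Marketing" would return nothing.
$ou = Get-ADObject -SearchBase $DeletedObjectsDn -SearchScope OneLevel -IncludeDeletedObjects `
    -Filter "ObjectClass -eq 'organizationalUnit' -and msDS-LastKnownRDN -eq 'Marketing'"
if (@($ou).Count -ne 1) { throw "Expected one deleted OU named Marketing, found $(@($ou).Count)." }

# Emits every restored object, top of the tree first, for a recovery log.
Restore-DeletedSubtree -DeletedObject $ou | Select-Object Name, ObjectClass, DistinguishedName
```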

Restoring via Active Directory Administrative Center

ADAC provides a graphical interface for browsing and restoring deleted objects. Open ADAC, navigate to your domain, and in the left pane click the Deleted Objects node. You will see a list of all objects in the deleted objects container. Select an object and click Restore in the Tasks pane to restore it to its original location, or Restore To to choose a different destination OU.

Bulk Restoration Example

If a large number of users were accidentally deleted—perhaps an entire department’s OU was removed—restore them all in a single pipeline. This script restores all user objects deleted within the last hour.

$cutoff = (Get-Date).AddHours(-1)
Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user" -and WhenChanged -gt $cutoff} `
    -IncludeDeletedObjects `
    -Properties WhenChanged | 
    Restore-ADObject

Adjusting the Deleted Object Lifetime

The default deleted object lifetime of 180 days can be adjusted per directory partition. Shorter lifetimes reduce database bloat but shrink your recovery window. Modify the msDS-DeletedObjectLifetime attribute on the directory service object in the configuration naming context.

Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" `
    -Partition "CN=Configuration,DC=yourdomain,DC=com" `
    -Replace @{'msDS-DeletedObjectLifetime' = 365}

Conclusion

The Active Directory Recycle Bin is an essential feature for any production Active Directory environment running Windows Server 2019. Enabling it takes one command and provides a safety net against accidental deletion that previously required complex and disruptive recovery procedures. Once enabled, deleted objects—complete with all their attributes and group memberships—can be restored in seconds. Enable this feature immediately on any new domain deployment and verify it is enabled on all existing domains.