How to Set Up Windows Server 2016 Active Directory Recycle Bin
Accidentally deleting Active Directory objects — users, groups, computers, or even OUs — is one of the most stressful events in AD administration. Before Windows Server 2008 R2, recovering deleted objects was complex, time-consuming, and often incomplete, requiring authoritative restores from backup or the use of tombstone reanimation, which did not preserve all attribute values. The Active Directory Recycle Bin, available since Windows Server 2008 R2 and fully supported in Windows Server 2016, allows administrators to restore deleted objects with all their attributes intact in seconds, without requiring any Domain Controller restart or downtime.
How the Recycle Bin Works
When the Recycle Bin is enabled, deleted objects go through two stages before being permanently purged. In the first stage (Deleted state), the object retains all its attributes and can be fully restored. Objects remain in this state for the Deleted Object Lifetime period (180 days by default). In the second stage (Recycled state), most attributes are stripped and the object can no longer be restored through the Recycle Bin. After the Recycled Lifetime expires, the object is permanently removed. When the Recycle Bin is NOT enabled, objects immediately enter the Tombstone state and most attributes are stripped immediately upon deletion.
Prerequisites
The Active Directory Recycle Bin requires the domain functional level AND the forest functional level to both be at Windows Server 2008 R2 or higher. In Windows Server 2016, if you are creating a new forest or have already raised functional levels, this requirement is easily met. The Recycle Bin feature, once enabled, cannot be disabled — plan accordingly.
Check the current forest and domain functional levels:
Get-ADForest | Select-Object ForestMode
Get-ADDomain | Select-Object DomainModeEnabling the Active Directory Recycle Bin
The Recycle Bin can be enabled through Active Directory Administrative Center (ADAC) or PowerShell. Using ADAC is the most straightforward method. Open ADAC (dsac.exe), click your domain name in the left panel, and in the Tasks pane on the right, click Enable Recycle Bin. A confirmation dialog warns that this action is irreversible. Click OK. A second message confirms that you should refresh ADAC and wait for replication to complete before using the feature.
Using PowerShell to enable the Recycle Bin:
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "corp.local" -Confirm:$falseVerify that the feature was enabled successfully:
Get-ADOptionalFeature -Filter {Name -eq "Recycle Bin Feature"} | Select-Object Name, EnabledScopesVerifying Replication of the Feature
After enabling the Recycle Bin, the change must replicate to all Domain Controllers before the feature is fully operational across the domain. Force replication and then verify:
repadmin /syncall /AdeP
Get-ADDomainController -Filter * | ForEach-Object {
Invoke-Command -ComputerName $_.Name -ScriptBlock {
Get-ADOptionalFeature -Filter {Name -eq "Recycle Bin Feature"} | Select-Object EnabledScopes
}
}Restoring a Deleted Object via ADAC
Open Active Directory Administrative Center and click your domain in the left panel. In the middle pane, find and click the Deleted Objects container. This container shows all recently deleted objects. Select the object(s) to restore. In the Tasks pane, click Restore to return the object to its original location, or click Restore To and specify a different destination OU. The restored object will have all its original attributes, including group memberships, email addresses, and profile paths.
Restoring a Deleted Object via PowerShell
To find and restore a recently deleted user:
Get-ADObject -Filter {displayName -eq "John Smith"} -IncludeDeletedObjects | Restore-ADObjectTo restore multiple deleted objects matching a pattern:
Get-ADObject -Filter {isDeleted -eq $true -and name -like "John*"} -IncludeDeletedObjects | Restore-ADObjectTo restore a deleted object to a specific OU rather than its original location:
Get-ADObject -Filter {displayName -eq "John Smith"} -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=RestoredObjects,DC=corp,DC=local"Restoring a Deleted OU
Restoring a deleted OU is slightly more complex because the child objects must be restored in the correct order — the OU first, then its contents. PowerShell handles this by restoring objects sorted by their original distinguished name length (shorter = higher in the tree = restore first):
Get-ADObject -Filter {isDeleted -eq $true -and DistinguishedName -like "*OU=OldDepartment*"} `
-IncludeDeletedObjects -Properties * | Sort-Object {$_.DistinguishedName.Length} | Restore-ADObjectViewing the Deleted Objects Container
To see all objects currently in the Recycle Bin (deleted but restorable):
Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties DisplayName, WhenChanged, LastKnownParent | Select-Object Name, DisplayName, ObjectClass, WhenChanged, LastKnownParent | Format-Table -AutoSizeConfiguring the Deleted Object Lifetime
The default deleted object lifetime is 180 days. If your backup retention period is shorter, you may want to reduce this to match. To view and modify the tombstone lifetime:
$configNC = (Get-ADRootDSE).configurationNamingContext
$tombstone = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tombstone.tombstoneLifetime
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Replace @{tombstoneLifetime = 180}Best Practices
Enable the Recycle Bin in every Windows Server 2016 domain — there is no downside except that the feature is permanent. Combine Recycle Bin with accidental deletion protection on OUs for defense in depth. Train help desk staff on how to use ADAC to restore objects so they can handle routine restoration requests without escalating. Regularly test the restoration process to ensure it works as expected. Keep the tombstone lifetime aligned with your backup and disaster recovery policies. Document the Recycle Bin status in your environment runbook.
The Active Directory Recycle Bin is one of the most valuable features in Windows Server 2016. Enabling it takes under a minute and can save hours of recovery work when an accidental deletion occurs.
