How to Enable the Active Directory Recycle Bin on Windows Server 2012 R2

How to Enable the Active Directory Recycle Bin on Windows Server 2012 R2

The Active Directory Recycle Bin is a feature that allows administrators to restore accidentally deleted AD objects — including users, groups, computers, and OUs — without requiring a authoritative restore from backup or restarting in DSRM mode. Introduced in Windows Server 2008 R2, the Recycle Bin is significantly enhanced in Windows Server 2012 R2 with a graphical management interface in Active Directory Administrative Center (ADAC). Once enabled, deleted objects are preserved in a Deleted Objects container with all their attributes intact for a configurable period. This guide covers enabling, configuring, and using the AD Recycle Bin.

Prerequisites

The Active Directory Recycle Bin has the following requirements:

The forest functional level must be at least Windows Server 2008 R2. Once enabled, the Recycle Bin cannot be disabled — this is a one-way operation. You must be a member of Enterprise Admins to enable the feature. The ActiveDirectory module must be available.

Import-Module ActiveDirectory

# Check current forest functional level
(Get-ADForest).ForestMode

If the forest functional level is below Windows2008R2Forest, raise it first:

# Raise domain functional level first
Set-ADDomainMode -Identity "contoso.com" -DomainMode Windows2012R2Domain

# Then raise forest functional level
Set-ADForestMode -Identity "contoso.com" -ForestMode Windows2012R2Forest

Enabling the Active Directory Recycle Bin

The Recycle Bin can be enabled via PowerShell or the ADAC GUI. Using PowerShell:

# Enable the AD Recycle Bin for the forest
Enable-ADOptionalFeature `
    -Identity "Recycle Bin Feature" `
    -Scope ForestOrConfigurationSet `
    -Target "contoso.com" `
    -Confirm:$false

To enable via ADAC: Open Active Directory Administrative Center, click on the domain name in the left navigation pane, then in the Tasks pane on the right select “Enable Recycle Bin.” Click OK to confirm.

Verify the Recycle Bin is enabled:

Get-ADOptionalFeature -Filter {Name -eq "Recycle Bin Feature"} |
    Select-Object Name, EnabledScopes, RequiredForestMode

Understanding Tombstone and Deleted Object Lifetime

When the Recycle Bin is enabled, deleted objects go through two phases:

The first phase is the Recycled state (logically deleted). Objects remain in a recoverable state with all attributes preserved for the duration of the DeletedObjectLifetime (default 180 days for domains upgraded from pre-2003 schemas, or the TombstoneLifetime value). During this phase, the object is completely restorable including all group memberships and attributes.

The second phase is the Recycled state (physically deleted). After the DeletedObjectLifetime, the object transitions to a recycled state where most attributes are stripped and it becomes a tombstone. Objects in this state cannot be fully restored.

# Check the deleted object lifetime
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Properties msDS-DeletedObjectLifetime).'msDS-DeletedObjectLifetime'

# Check tombstone lifetime
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Properties tombstoneLifetime).tombstoneLifetime

# Set deleted object lifetime to 365 days
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Replace @{'msDS-DeletedObjectLifetime' = 365}

Restoring Deleted Objects with PowerShell

Use the Restore-ADObject cmdlet to restore deleted objects. When restoring, you can optionally specify a new target OU:

# Find recently deleted objects
Get-ADObject -Filter {isDeleted -eq $true} `
    -IncludeDeletedObjects `
    -Properties Name, whenChanged, LastKnownParent |
    Select-Object Name, whenChanged, LastKnownParent |
    Sort-Object whenChanged -Descending |
    Select-Object -First 20

# Find a specific deleted user
Get-ADObject -Filter {isDeleted -eq $true -and Name -like "Jane Smith*"} `
    -IncludeDeletedObjects `
    -Properties * |
    Select-Object Name, DistinguishedName, WhenChanged, LastKnownParent

# Restore the deleted user to its original location
$deletedUser = Get-ADObject -Filter {isDeleted -eq $true -and Name -like "Jane Smith*"} `
    -IncludeDeletedObjects

Restore-ADObject -Identity $deletedUser.ObjectGUID `
    -TargetPath $deletedUser.LastKnownParent

# Restore to a different OU
Restore-ADObject -Identity $deletedUser.ObjectGUID `
    -TargetPath "OU=RestoredUsers,OU=Contoso,DC=contoso,DC=com" `
    -NewName "Jane Smith"

Restoring a Deleted OU and All Child Objects

Restoring a deleted OU requires restoring the OU first, then restoring child objects in the correct order:

# Find the deleted OU
$deletedOU = Get-ADObject -Filter {isDeleted -eq $true -and Name -eq "Finance"} `
    -IncludeDeletedObjects

# Restore the OU
Restore-ADObject -Identity $deletedOU.ObjectGUID

# Find all deleted objects that were in the OU
$childObjects = Get-ADObject -Filter {isDeleted -eq $true} `
    -IncludeDeletedObjects -Properties LastKnownParent |
    Where-Object {$_.LastKnownParent -like "*Finance*"}

# Restore each child object
foreach ($obj in $childObjects) {
    try {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $obj.LastKnownParent
        Write-Host "Restored: $($obj.Name)"
    } catch {
        Write-Warning "Failed to restore: $($obj.Name) - $($_.Exception.Message)"
    }
}

Using ADAC to Restore Objects

Active Directory Administrative Center provides a graphical interface for the Recycle Bin. Navigate to the domain in the left pane, then select “Deleted Objects” to see all recoverable objects. You can filter by object type or name, select one or multiple objects, and right-click to restore them to their original location or to a specified path. ADAC also shows the LastKnownParent and deletion timestamp for each object, helping identify the correct object when multiple objects with the same name exist.

Restoring Group Memberships

When a user is restored via the Recycle Bin, their group memberships are automatically preserved because the member attribute on the group (and the memberOf attribute on the user) are part of the object’s full attribute set. Verify after restoration:

# Verify group memberships were restored
Get-ADUser -Identity "jsmith" -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf |
    Get-ADGroup |
    Select-Object Name

Summary

The Active Directory Recycle Bin on Windows Server 2012 R2 dramatically simplifies recovery from accidental object deletions, eliminating the need for authoritative restores in most scenarios. The feature must be enabled by an Enterprise Admin and cannot be disabled once activated. Objects remain fully restorable for the DeletedObjectLifetime period with all attributes and group memberships intact. Both PowerShell (Restore-ADObject) and the ADAC graphical interface provide flexible restoration options. Enabling the Recycle Bin should be one of the first post-deployment tasks in any Windows Server 2012 R2 AD environment.