Active Directory Recycle Bin

Anyone who's worked with Active Directory knows that you need to be 100% certain before deleting any object in AD, as it's a right pain having to recover deleted items. That's where the Active Directory Recycle Bin comes in; however, there is one caveat: the Active Directory Recycle Bin must already be enabled before the item is deleted. So, if you are here looking for a quick fix because you have inadvertently deleted Bob from HR's user account and the Active Directory Recycle Bin is not already enabled, you will need to go and google "Nonauthoritative Restore of Active Directory" and pray to the backup gods that your backups have been working.

When the Active Directory Recycle Bin is enabled, deleted Active Directory objects are moved into the Deleted Objects container instead of being removed from Active Directory completely, and the "isDeleted" attribute is set on the object.

This deleted object can then be recovered at any point within the deleted object lifetime, which is 180 days by default, after the item was originally deleted. Once that lifetime has been exceeded, the "isRecycled" attribute is set to True on the object and it can no longer be restored.

Once the isRecycled attribute is set, the object is classed as deleted. However, it will remain in the Deleted Objects container until Active Directory garbage collection runs its next online defrag.

The diagram below from Microsoft shows the Active Directory Recycle Bin workflow.

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-ad-recycle-bin-understanding-implementing-best-practices-and/ba-p/396944

Now, if you want to follow along and have not yet got an Active Directory lab set up, take a look at my Creating an Active Directory Home Lab tutorial.

How Do You Check if Active Directory Recycle Bin is Enabled

You can quickly check with PowerShell whether the Active Directory Recycle Bin is enabled in your environment by running the command below.

Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

In the example below EnabledScopes is empty, which means Active Directory Recycle Bin has not been configured yet for this domain.

You can also find the status of the Active Directory Recycle Bin in the Active Directory Administrative Center. Open the Active Directory Administrative Center, select your domain and in the right menu you will see a button called “Enable Recycle Bin”. If this button is greyed out like the picture below, Active Directory Recycle Bin is already enabled.
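The check above only tells you whether the feature is on. The function below is an added example (not from the original post) that also reports the prerequisites and lifetimes the post discusses: the forest functional level, which must be Windows Server 2008 R2 or later, and the deleted object and tombstone lifetimes read from the Directory Service object in the configuration partition. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the configuration partition; the function name is my own.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module (RSAT)
# and read access to the configuration partition. Function name is hypothetical.
Import-Module ActiveDirectory

function Get-ADRecycleBinReadiness {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    # Lifetimes live on the Directory Service object in the configuration partition.
    # A null msDS-DeletedObjectLifetime means the forest default applies.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime

    # Recycle Bin requires a forest functional level of Windows Server 2008 R2 or later
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    [pscustomobject]@{
        Forest                = $forest.Name
        ForestMode            = $forest.ForestMode
        ForestModeSufficient  = ($forest.ForestMode -ge $minMode)
        RecycleBinEnabled     = ($feature.EnabledScopes.Count -gt 0)   # empty EnabledScopes = not enabled
        EnabledScopes         = ($feature.EnabledScopes -join '; ')
        DeletedObjectLifetime = $ds.'msDS-DeletedObjectLifetime'       # days; null = default
        TombstoneLifetime     = $ds.tombstoneLifetime                  # days; null = default
    }
}

Get-ADRecycleBinReadiness | Format-List
```

If ForestModeSufficient is False, raising the functional level is the step that has to happen before the enable commands later in this post will work.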

How to Enable Active Directory Recycle Bin

Using the Windows GUI, you enable the Active Directory Recycle Bin from the Active Directory Administrative Center. You can access the Active Directory Administrative Center from either Server Manager or Administrative Tools, found in the Control Panel.

Open Server Manager, click Tools and select Active Directory Administrative Center from the drop-down.

Or just open Control Panel, select Administrative Tools and you should see Active Directory Administrative Center at the top of the list.

Once the Administrative Center is open, select your domain name in the left-hand menu under Overview. You will then see the Enable Recycle Bin button in the right-hand Tasks menu.

Click Enable Recycle Bin. You will receive a warning message explaining that once the Active Directory Recycle Bin is enabled it cannot be disabled. Click OK to continue.

Click OK to continue past the next message. This just explains that you will need to refresh the Active Directory Administrative Center to see the Active Directory Recycle Bin enabled. However, you may have to wait for replication to complete before the Active Directory Recycle Bin can be used.

Back in the Active Directory Administrative Center, click the refresh icon in the top right corner. Notice that the Enable Recycle Bin button is now greyed out.

How To Restore an object from Active Directory Recycle Bin

Restoring objects from the Active Directory Recycle Bin is simple, but let's first set the scene: you have inadvertently deleted an important user from your Active Directory.

Open the Active Directory Administrative Center, select your domain in the left-hand menu and double-click Deleted Objects.

In Deleted Objects, you will see everything that has recently been deleted. Select the user you want to restore and click the Restore button in the right-hand Tasks menu.

As soon as you click Restore, the user disappears from Deleted Objects and reappears in the same OU they were originally deleted from.

Active Directory Recycle Bin Restore Options

There are four options for restoring objects from the Active Directory Recycle Bin:

  • Restore – As shown above, this restores the deleted object to the exact location it was originally deleted from.
  • Restore To – This allows you to restore the deleted object to a different OU or location.
  • Locate Parent – Displays the container the deleted object was in before it was deleted.
  • Properties – Displays the properties of the selected object, such as its name and object class.

Using PowerShell to Enable Active Directory Recycle Bin

Enabling the Active Directory Recycle Bin with PowerShell is even easier than enabling it through the Windows GUI. Open PowerShell with administrative rights and type the command below, adding your domain as the target.

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <Your Domain Name>

As soon as you hit Enter, you will receive a warning that enabling the Recycle Bin feature is irreversible. Hit Y and Enter to confirm you want to enable the Active Directory Recycle Bin anyway.

And that's it. To confirm that the Active Directory Recycle Bin is enabled, run the command below. You should notice there is now an enabled scope set up with your domain, which confirms the Active Directory Recycle Bin is configured.

Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
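Because enabling the feature is irreversible and only becomes usable once every domain controller has replicated the change, the function below (an added example, not from the original post) wraps the enable command so it is skipped when the feature is already on, and then checks each DC in the forest for the enabled scope. It assumes the ActiveDirectory module and Enterprise Admin rights; the function name is my own.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module and
# Enterprise Admin rights. Enabling is irreversible, so it is guarded. Function name is hypothetical.
Import-Module ActiveDirectory

function Enable-ADRecycleBinSafely {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
    } else {
        # The scope is forest-wide, so the target is the forest root domain.
        # -Confirm:$false suppresses the interactive "irreversible" prompt shown in the post.
        Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
            -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    }

    # The change is written on one DC. Before relying on the Recycle Bin, confirm every
    # DC in every domain of the forest can already see the enabled scope.
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $scopes = (Get-ADOptionalFeature -Server $dc.HostName `
                -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
            [pscustomobject]@{
                DomainController  = $dc.HostName
                RecycleBinVisible = ($scopes.Count -gt 0)
            }
        }
    }
}

Enable-ADRecycleBinSafely | Format-Table -AutoSize
```

Any DC reporting RecycleBinVisible as False simply has not replicated yet; re-run the function after replication completes.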

Restore a User from Active Directory Recycle Bin with PowerShell

Restoring a user from the Active Directory Recycle Bin is just a case of searching for the user with Get-ADObject and piping the result to Restore-ADObject.

Let's start by setting the scene again and deleting the Darth Vader user from Active Directory with the Remove-ADUser command below. When prompted to confirm you want to remove the user, hit Y and Enter.

Remove-ADUser -Identity darth.vader

Use Get-ADObject to check the user is deleted by running the command below.

Get-ADObject -Filter {SamAccountName -eq 'darth.vader'} -IncludeDeletedObjects

Get-ADObject can be used to search for any user within Active Directory. However, adding the -IncludeDeletedObjects switch to the command also searches for objects in the Active Directory Recycle Bin. Notice that the Darth Vader account now shows Deleted: True.

To restore the user, re-run the same Get-ADObject command, but this time pipe it to Restore-ADObject as below.

Get-ADObject -Filter {SamAccountName -eq 'darth.vader'} -IncludeDeletedObjects | Restore-ADObject

Re-run the first Get-ADObject command again without piping it to Restore-ADObject and you should see that Deleted is now blank, meaning the user has been restored.
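The one-liner above works for the happy path. The function below is an added example (not from the original post) that handles the two failure modes described earlier in this post: an object whose lifetime has expired (isRecycled set, so it cannot be restored) and an object whose original OU was deleted too, which is the "Restore To" case and needs a -TargetPath. It assumes the ActiveDirectory module and rights to restore objects; the function name and the fallback OU are my own placeholders.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module (RSAT)
# and an account with rights to restore objects. Function name and fallback OU are hypothetical.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Placeholder OU used only when the original parent OU no longer exists
        [string] $FallbackOU = 'OU=Restored,DC=example,DC=com'
    )

    # Search live and deleted objects, then keep only the tombstoned copy
    # (the Deleted property is what the post shows as "Deleted: True").
    $deleted = Get-ADObject -Filter "SamAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, msDS-LastKnownRDN |
        Where-Object { $_.Deleted }

    if (-not $deleted) { throw "No deleted object named $SamAccountName was found" }
    if (@($deleted).Count -gt 1) {
        throw "More than one deleted object named $SamAccountName; restore by DistinguishedName instead"
    }

    # Once the deleted object lifetime has passed, isRecycled is set and Restore-ADObject fails.
    if ($deleted.isRecycled) {
        throw "$SamAccountName is already recycled; only a forest recovery can bring it back"
    }

    # lastKnownParent is the original OU. If that OU was deleted as well, its DN now points
    # into the Deleted Objects container, so restore into the fallback OU instead.
    $parent = $deleted.lastKnownParent
    if ($parent -like '*CN=Deleted Objects,*') {
        Write-Warning "Original OU '$parent' is itself deleted; restoring to $FallbackOU"
        Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $FallbackOU
    } else {
        Restore-ADObject -Identity $deleted.ObjectGUID
    }

    # Return the live user so the caller can verify the restore worked
    Get-ADUser -Identity $SamAccountName
}

Restore-DeletedADUser -SamAccountName 'darth.vader'
```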

Why is AD Recycle Bin Not Enabled by Default?

The main reason the Active Directory Recycle Bin is not enabled by default is that, in order to enable it, the forest functional level needs to be raised to a minimum of Windows Server 2008 R2. If the domain was originally created on Windows NT or Windows Server 2003, you won't be able to enable the Active Directory Recycle Bin until the domain functional level is raised.

Most of the time you are going to want to enable AD Recycle Bin in your environment and it will be totally safe to do so. However, there are definitely some secure sites out there where you will want to make sure users are not so easily recoverable after they have been removed.

It's also worth noting that when you enable the Active Directory Recycle Bin, all objects that were deleted before it was enabled become recycled objects and cannot be recovered by any mechanism other than a full forest-level recovery of the domain.

Have you ever had any problems restoring a user? or maybe I’ve missed something in this tutorial. Let me know your experiences with AD Recycle Bin in the comments below.

Hemp
