Listen, we are all about future you here. Anything that you do now should make future work easier. If you are managing an Active Directory environment, double check that the AD recycle bin is enabled before you need to restore an object in AD. To check this, fire up a PowerShell session and run:
Get-ADOptionalFeature -Filter *
This cmdlet requires the Active Directory module, which is installed as part of RSAT. You should see the Recycle Bin Feature listed near the top, with the partitions it is enabled for listed in the EnabledScopes member. In the screenshot below, the AD Recycle Bin is not enabled and this admin is one deletion away from a resume update.
If you see the Recycle Bin feature with objects listed next to EnabledScopes and are comfortable with restoring objects, you are golden. You may continue here to learn something random. Else, continue on.
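The same check wrapped in a function that returns a status object instead of a wall of properties, as an added example that is not from the original post. It assumes only the ActiveDirectory RSAT module; the function name is my own.

```powershell
# Added example (not from the original post): report whether the AD Recycle Bin
# is enabled for the current forest. Requires the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    [CmdletBinding()]
    param()

    # The feature object lives in the Configuration partition; filter on its well-known name
    # rather than eyeballing the output of Get-ADOptionalFeature -Filter *.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

    if (-not $feature) {
        # No feature object at all: the forest schema predates Windows Server 2008 R2.
        Write-Warning 'Recycle Bin Feature object not found in the Configuration partition.'
    }

    # EnabledScopes stays empty until the feature is enabled; once enabled it lists the
    # partition DNs (Configuration and the domain partitions) the feature applies to.
    $scopes = @()
    if ($feature) { $scopes = @($feature.EnabledScopes) }

    [pscustomobject]@{
        Forest        = (Get-ADForest).Name
        Enabled       = ($scopes.Count -gt 0)
        EnabledScopes = $scopes
    }
}

# Usage: a quick pre-flight in a login script or a health-check runbook.
$status = Test-ADRecycleBinEnabled
if (-not $status.Enabled) {
    Write-Warning "AD Recycle Bin is NOT enabled in forest $($status.Forest)."
}
$status
```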
How to Enable the Active Directory Recycle Bin
Start PowerShell with an enterprise administrator account on the domain controller holding the domain naming master role. Running netdom query fsmo will show you which DC this is. Run the following in that PowerShell prompt:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=TEST,DC=local' -Scope ForestOrConfigurationSet -Target 'TEST.local'
You can then rerun the Get-ADOptionalFeature -Filter * command to check that the EnabledScopes member is populated. It should now look similar to this:
Your domain and forest functional levels need to be at Windows Server 2008 R2 or above to enable the AD Recycle Bin. You can raise those levels with the Set-ADDomainMode and Set-ADForestMode cmdlets. Contrary to popular belief, raising the domain or forest level isn't a big deal; just read this overview from Microsoft if the process makes you nervous.
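The enable procedure above, carried through end to end with its prerequisite checks, as an added example that is not from the original post. It assumes you run it as an Enterprise Admin with the ActiveDirectory module loaded; the function name is mine, and the forest name is read from Get-ADForest rather than hard-coded to the post's TEST.local.

```powershell
# Added example (not from the original post): check the prerequisites, then enable
# the Recycle Bin for the whole forest against the domain naming master.
Import-Module ActiveDirectory

function Enable-ADRecycleBinChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $forest  = Get-ADForest
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # Prerequisite: forest functional level of Windows Server 2008 R2 or higher.
    # Raise it with Set-ADForestMode if this throws.
    if ([int]$forest.ForestMode -lt [int]$minMode) {
        throw "Forest mode is '$($forest.ForestMode)'; raise it with Set-ADForestMode first."
    }

    # Idempotence: enabling is one-way, so bail out if EnabledScopes is already populated.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (@($feature.EnabledScopes).Count -gt 0) {
        Write-Verbose "Recycle Bin already enabled in forest $($forest.Name)."
        return $feature
    }

    # Target the domain naming master explicitly; this is the DC that
    # 'netdom query fsmo' reports for that role.
    $dnm = $forest.DomainNamingMaster

    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable AD Recycle Bin (cannot be disabled afterwards)')) {
        # -Identity accepts the feature name as well as the full DN used in the post.
        # -Confirm:$false suppresses the interactive "this change is irreversible" prompt.
        Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
            -Scope ForestOrConfigurationSet `
            -Target $forest.Name `
            -Server $dnm `
            -Confirm:$false
    }

    # Verify on the same DC: EnabledScopes should now list the partitions.
    Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $dnm |
        Select-Object Name, EnabledScopes
}

# -WhatIf shows what would happen without touching the forest; drop it to enable for real.
Enable-ADRecycleBinChecked -Verbose -WhatIf
```

Reading the forest name from Get-ADForest and pinning -Server to the domain naming master removes the two places where the one-liner in the post usually goes wrong: a mistyped DN in -Identity and running against a DC that does not hold the role.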
Joseph Aside: I still get nervous every time I raise the level in a production environment even though I know nothing will break.
How to Recover Objects with the Active Directory Recycle Bin
Go ahead and create a new object in AD (or use one of your disabled stale objects). Now delete it!! Fun, right? Don’t get too excited as we are bringing that sucker back.
To restore the object, you can use the Get-ADObject cmdlet with the -IncludeDeletedObjects parameter and pipe the result to the Restore-ADObject cmdlet. The easier way is to launch the Active Directory Administrative Center (ADAC) on a Windows Server 2012 R2 or Windows 8.1+ machine. Navigate to the Deleted Objects container under your domain. Close ADAC and reopen it if you don't see it at first.
Find your object in the container, right-click it and choose Restore. The Last known parent column shows where the object will be placed.
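The PowerShell route mentioned above (Get-ADObject -IncludeDeletedObjects piped into Restore-ADObject), as an added example that is not from the original post. The function name, the sample account 'jdoe' and the optional target OU are assumed placeholders; it also handles the two cases ADAC makes you discover by trial: several tombstones with the same name, and an original parent OU that is itself deleted.

```powershell
# Added example (not from the original post): restore a deleted user by SamAccountName.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Optional DN of an OU to restore into; defaults to LastKnownParent.
        [string]$TargetPath
    )

    # Deleted objects are invisible unless -IncludeDeletedObjects is given. With the
    # Recycle Bin enabled they keep their attributes, and LastKnownParent records
    # where the object lived, which is the same column ADAC shows.
    $deleted = @(Get-ADObject `
        -Filter "SamAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
        -IncludeDeletedObjects `
        -Properties LastKnownParent, whenChanged, ObjectClass)

    if ($deleted.Count -eq 0) {
        throw "No deleted object with SamAccountName '$SamAccountName' found."
    }
    if ($deleted.Count -gt 1) {
        # An account deleted and recreated more than once leaves several tombstones;
        # show them and let the operator pick by ObjectGUID instead of guessing.
        $deleted | Select-Object Name, ObjectGUID, whenChanged, LastKnownParent | Format-Table -AutoSize
        throw "Multiple matches; rerun Restore-ADObject -Identity <ObjectGUID> for the one you want."
    }

    $obj = $deleted[0]
    Write-Verbose "Restoring $($obj.Name) to $($obj.LastKnownParent)"

    # Restore-ADObject fails if LastKnownParent is itself a deleted OU. Either restore
    # that OU first (same cmdlet) or pass -TargetPath to put the object elsewhere.
    if ($TargetPath) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID
    }

    # Confirm the object is back where expected; the GUID is stable across the restore.
    Get-ADUser -Identity $obj.ObjectGUID -Properties whenChanged |
        Select-Object Name, DistinguishedName, Enabled, whenChanged
}

# Usage: restore to the original OU, or supply -TargetPath 'OU=Restored,DC=TEST,DC=local'.
Restore-DeletedADUser -SamAccountName 'jdoe' -Verbose
```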
Time for a trust building exercise with Active Directory. Find your Domain Controllers OU and … kidding… kidding… Besides, you protect all of your important objects with the Protect from accidental deletion flag, right?
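A quick audit for that flag, as an added example that is not from the original post: it lists OUs (and, separately, the Domain Controllers OU the joke above picks on) that are not protected from accidental deletion, and sets the flag on them. The function names are mine; the cmdlets and the ProtectedFromAccidentalDeletion property are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the original post): find and fix OUs missing the
# "Protect object from accidental deletion" flag.
Import-Module ActiveDirectory

function Get-UnprotectedADOrganizationalUnit {
    [CmdletBinding()]
    param()

    # ProtectedFromAccidentalDeletion is a computed property: $true when the object
    # carries the Deny Delete / Delete Subtree ACEs for Everyone that ADUC's checkbox sets.
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-ADOrganizationalUnit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADOrganizationalUnit]$OrganizationalUnit
    )
    process {
        if ($PSCmdlet.ShouldProcess($OrganizationalUnit.DistinguishedName, 'Protect from accidental deletion')) {
            Set-ADObject -Identity $OrganizationalUnit -ProtectedFromAccidentalDeletion $true
        }
    }
}

# The Domain Controllers OU deserves its own line in the report.
$dcOu = Get-ADOrganizationalUnit -Identity (Get-ADDomain).DomainControllersContainer `
    -Properties ProtectedFromAccidentalDeletion
if (-not $dcOu.ProtectedFromAccidentalDeletion) {
    Write-Warning "Domain Controllers OU is not protected: $($dcOu.DistinguishedName)"
}

# Report first, then protect. Remove -WhatIf once you are happy with the list.
$unprotected = @(Get-UnprotectedADOrganizationalUnit)
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize
$unprotected | Protect-ADOrganizationalUnit -WhatIf
```

The flag only blocks a straight delete (ADUC, ADAC, Remove-ADObject); it does not stop an admin who clears it first, which is why the Recycle Bin and this guard complement rather than replace each other.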
Has saved my bacon. Will save your restore steps. My old method used ADSI Edit and was less than user-friendly. Thanks!
Not a problem! Glad it helped!