How to Enable Active Directory Recycle Bin?

A domain administrator can use the Active Directory Recycle Bin to recover deleted Active Directory objects (users, computers, security groups, and so on) without restoring the directory from backup. The AD Recycle Bin first appeared in Windows Server 2008 R2; in that version it could only be managed, and deleted objects restored, from PowerShell. Windows Server 2012 added Recycle Bin management and a view of deleted objects to the Active Directory Administrative Center (ADAC) GUI. In this article we show how to enable the AD Recycle Bin on Windows Server 2016 and restore a deleted user object. The AD Recycle Bin is disabled by default in every version of Windows Server. You can check its status with the Get-ADOptionalFeature cmdlet from the Active Directory module for Windows PowerShell:

Get-ADOptionalFeature 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

In our case, the EnabledScopes value is empty, which means that the AD Recycle Bin is not enabled.

All domain controllers must be running Windows Server 2008 R2 (or newer) to enable AD Recycle Bin, and the forest functional level must be set to Windows Server 2008 R2 or higher.

The following command shows the forest functional level:

Get-ADForest | Select-Object ForestMode | fl

If ForestMode is lower than Windows2008R2Forest, you must raise the forest functional level first (Set-ADForestMode), which in turn requires every domain in the forest to be at that domain functional level.

The following PowerShell command can be used to enable Active Directory Recycle Bin on Windows Server 2016:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain

The -Target parameter takes the forest root domain name (for example contoso.com); (Get-ADForest).RootDomain fills it in from the current forest. You must run this as a member of the Enterprise Admins group, and the cmdlet asks for confirmation before it proceeds.

Note that enabling the AD Recycle Bin is permanent! It is not possible to turn it off after it has been turned on.
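The steps above (status check, forest functional level, domain controller versions, enable, verify) as one script. This is an added example and not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller is a member of Enterprise Admins.

```powershell
# Added example, not code from the original article: pre-flight checks for
# the prerequisites above, followed by the irreversible enable step.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed and the
# caller is a member of Enterprise Admins.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# 1. Already enabled? EnabledScopes lists the partitions the feature is on;
#    an empty list means it is still off.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled on: $($feature.EnabledScopes -join '; ')"
    return
}

# 2. Forest functional level must be Windows Server 2008 R2 or higher.
#    ADForestMode is an enum, so compare the underlying integer values.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

# 3. Every DC in every domain of the forest must run 2008 R2 or newer.
#    OperatingSystem is the DC computer object's OS string, for example
#    "Windows Server 2016 Standard". Plain 2008 (no R2) does not match.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$tooOld = $dcs | Where-Object {
    $_.OperatingSystem -notmatch 'Windows Server (2008 R2|201[0-9]|202[0-9])'
}
if ($tooOld) {
    # A DC with an empty OperatingSystem attribute is flagged too: verify it by hand.
    throw "These DCs are too old or report no OS: $($tooOld.HostName -join ', ')"
}

# 4. Enable it. The confirmation prompt is left on deliberately: this cannot
#    be undone. -Target is the forest root domain, e.g. contoso.com.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain

# 5. Verify. The change replicates to every DC; allow replication time
#    before checking from other DCs or expecting ADAC to show the container.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
```

Run it in an elevated PowerShell session on a domain controller or an administrative workstation with RSAT. Because the enable step is irreversible, the script throws on any failed prerequisite rather than continuing with a warning.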

The Active Directory Administrative Center console can also be used to enable the AD Recycle Bin.

To enable the recycle bin, open ADAC, right-click on the domain name, and select “Enable Recycle Bin.”

In the "Enable Recycle Bin Confirmation" dialog, confirm that you want to enable the AD Recycle Bin: "Are you sure you want to perform this action? Once Recycle Bin has been enabled, it cannot be disabled."

Once the Recycle Bin is enabled, a Deleted Objects container appears in the Active Directory Administrative Center. Objects deleted from now on are placed in this container, where you can view their properties and restore them to their original OU or to any other location.

Objects that were already deleted (tombstoned) before the feature was enabled become recycled objects: they do not appear in this container and cannot be recovered with the Recycle Bin.

Let’s delete the test user account and try to restore it.

Important! The AD Recycle Bin preserves all link-valued and non-link-valued attributes of a deleted object, including its SID, GUID and group memberships. This means you can restore an object with all of its attributes intact.

A logically deleted object stays restorable for the deleted object lifetime, which is read from the msDS-DeletedObjectLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=solutionviews. That attribute is not set by default, in which case the tombstoneLifetime value (180 days by default) applies, as in this example. Once the lifetime expires the object becomes a recycled object and can no longer be restored.

To restore the AD user object, right-click it and choose Restore (to its last known parent container) or Restore To (to pick another container). The deleted user's properties can also be viewed from here.

You can also find the deleted user and restore it from the AD Recycle Bin using PowerShell. A cmdlet accepts only one -Filter parameter, so the isDeleted condition must be combined with the name match in a single filter:

Get-ADObject -Filter 'displayName -eq "testuser1" -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
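The restore procedure above, extended with the checks a practitioner wants before running Restore-ADObject: reading the deleted object lifetime, picking the most recent deletion when the same account was deleted more than once, and falling back to another container when the original OU was deleted as well. This is an added example and not code from the original article; it assumes the ActiveDirectory module and rights to restore objects, and uses the article's sample account name testuser1.

```powershell
# Added example, not code from the original article: find a deleted user in
# the Recycle Bin and restore it, handling the case where its original OU
# was deleted too. Assumes the ActiveDirectory module and permission to
# restore objects; 'testuser1' is the article's sample account name.
Import-Module ActiveDirectory

# How long a deleted object remains restorable. msDS-DeletedObjectLifetime
# is normally unset, in which case tombstoneLifetime applies (180 days by
# default on forests created with Windows Server 2003 SP1 or later).
$dsDN = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
$ds   = Get-ADObject -Identity $dsDN -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$days = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
Write-Host "Deleted objects can be restored for $days days"

# Deleted objects keep sAMAccountName, so search on that rather than on the
# mangled name ("testuser1\0ADEL:<guid>"). isDeleted must be part of the
# same -Filter; a second -Filter parameter is a syntax error.
$sam = 'testuser1'
$candidates = Get-ADObject -IncludeDeletedObjects `
    -Filter "objectClass -eq 'user' -and sAMAccountName -eq '$sam' -and isDeleted -eq `$true" `
    -Properties lastKnownParent, whenChanged, objectSid

if (-not $candidates) {
    throw "No deleted user '$sam' in the Recycle Bin (never deleted, or past the $days-day lifetime)."
}
# The same account may have been deleted more than once; take the newest.
$obj = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
Write-Host "Found $($obj.DistinguishedName); last parent: $($obj.lastKnownParent)"

# Restore-ADObject puts the object back under lastKnownParent. If that OU
# is gone, either restore the OU first or supply -TargetPath. Here the
# domain's Users container is used as the fallback.
$parentPresent = $false
try {
    $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop
    $parentPresent = $true
} catch { }

if ($parentPresent) {
    $restored = Restore-ADObject -Identity $obj.ObjectGUID -PassThru
} else {
    $fallback = (Get-ADDomain).UsersContainer
    Write-Warning "Original OU is missing; restoring to $fallback"
    $restored = Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $fallback -PassThru
}

# Link-valued attributes are preserved, so group membership comes back with
# the object; the SID and GUID are unchanged, so existing ACLs still apply.
$user = Get-ADUser -Identity $restored.ObjectGUID -Properties memberOf
Write-Host "$($user.SamAccountName) restored to $($user.DistinguishedName); SID $($user.SID)"
Write-Host "Groups: $($user.memberOf -join '; ')"
```

If the parent OU itself is in the Recycle Bin, restore the OU before the user so the user lands in its original location; restoring to the Users container is only a way to get the account back quickly, and it should then be moved to where your group policy and delegation expect it.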
