Active DirectoryMicrosoft TechnologiesWindows Server

Active Directory Recycle Bin

 What will happen if you have deleted the wrong user account? Or any other AD object? In your AD environment. “Recovery” is the answer but issue is how fast and how easy you can do it.

Once active directory object is deleted, it is automatically goes in to the deleted object container in the AD. Then during the active directory garbage collection process it will clean up these deleted AD objects permanently. By default this process is occurs in every 12 hours. So if need to recover a deleted object (unless you use an active directory backup) it is possible to do before the garbage collection process occurs in AD using LPD.exe tool. But the issue is even you can recover the object along with metadata it will lose its some attributes such as group membership.

Microsoft has come with a feature to answer this. It starts with windows server 2008 R2 and called as “Active Directory Recycle Bin”. This feature is exactly work as “Recycle Bin” in windows operating system. You can use this to undelete any deleted AD objects. More importantly you can restore it with few clicks along with all the attributes. By default AD recycle bin holds deleted objects for 180 days before permanently remove from the system.

This feature is need to be enabled manually in active directory. To use this feature the domain forest functional level at least need to be set to windows server 2008 R2.  Also you need to manually enable this feature and once this feature is enabled you can’t disable it.

Let’s see how we can do this. In my demo I am using active directory runs on windows server 2012 R2.

1)    Log in to the Domain Controller as member of domain admin group or enterprise admin group.
2)    Then Server Manager > Tools >  Active Directory Administrative Center

re1

3)    It will open Active Directory Administrative Center mmc and click on the domain name

re2

4)    Then under Tasks panel click on “Enable Recycle Bin

re3

5)    Once click on it, it will open up pop up saying to confirm the action. As I mentioned earlier once this feature is enable you can’t disable it.

re4

6)    Then it will give info window about the function and the replication. Click ok to exit form window.

re5

It will take some time to replicate across the domain controller in the forest. After replication it’s time to test the functions and see how the restore process works.

For my demo I am using a user account called “User A” and he is member of Gorup_A and Group_B as well. I am going to delete the user and recover it using the AD recycle bin feature.

re6

re7

 

To recover the object

1)    Go to Server Manager > Tools > Active Directory Administrative Center
2)    Then click on domain name and the arrow in front. Then click on option “Deleted Objects

re8

3)    Then it will show the objects captured by the AD recycle bin feature. In here we can see the UserA account I have just deleted.

re9

4)    To restore the object, right click on object and select “Restore”. This will restore it to original location it was. If you need you also can select which container it should restore to using “restore to” option.

re10

5)    Now in AD I can see the restored object along with its attributes.

re11

So as you can see it was very fast and effective solution. This is the end of this article and if you have any questions feel free to contact me on rebeladm@live.com

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra lifecycle workflows Part 02 - How to synchronize value for employeeHireDate attribute from on-premises Active Directory ?

In my previous blog post, I explained how we can automate JML (Joiners/Movers/Leavers) process by…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Cyber SecurityMicrosoft DefenderMicrosoft Technologies

Microsoft Defender for Identity Part 02 – Create Directory Service Account

In Part 01 of Microsoft Defender for Identity blog series, I have explained about Microsoft Defender…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *