What the Active Directory Recycle Bin Does Not Do
The new Active Directory Recycle Bin has a somewhat misleading name. It's not like the Windows Explorer Recycle Bin, and there are some things to consider before using this new feature.
As you may know, when you delete an object such as a user from AD, it is not removed immediately but marked as deleted (the isDeleted attribute is set), which turns it into a "tombstone". Tombstoned objects stay in AD for the tombstone lifetime: 180 days by default in forests created on Windows Server 2003 SP1 or later, 60 days in older forests. When it tombstones an object, AD also strips most of the object's attributes, including its group memberships, so restoring a tombstoned object is complicated: you have to reanimate it and then repopulate all of the object's attribute values by hand.
All the new Recycle Bin feature does is keep an object's attributes (including link-valued ones such as group membership) when it is deleted, for the deleted object lifetime, which defaults to the tombstone lifetime. That makes it easy to bring an object back, because the restore only has to clear the deleted flag and move the object back under its original parent, which must itself exist (a deleted OU has to be restored before the objects that were in it). Once the deleted object lifetime expires, the object is stripped down to a "recycled" object and can no longer be restored. However, in Windows Server 2008 R2 there is no built-in GUI for restoring a deleted object, only low-level tools such as ldp.exe or ADSI Edit, and scripts built on the Restore-ADObject PowerShell cmdlet.
As stated in this Microsoft TechNet article, the Recycle Bin is disabled by default. To enable it, you must first raise the forest functional level of your AD environment to Windows Server 2008 R2, which requires every domain controller in the forest to be running Windows Server 2008 R2, and then enable the optional feature (for example with Enable-ADOptionalFeature). Enabling it is a one-way change: the feature cannot be turned off afterwards.
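As an added example (not code from the original post or from Microsoft), the following PowerShell script walks through the procedure above with the Windows Server 2008 R2 ActiveDirectory module: it checks the forest functional level, enables the optional feature if it is not already on, reads the lifetimes that decide how long a deleted object stays restorable, lists restorable objects, and restores a deleted OU before the objects that were inside it. The OU name "Sales" and an Enterprise Admin session on a domain member with RSAT are assumptions.

```powershell
# Added example, not from the original post. Assumptions: ActiveDirectory
# module (RSAT / Windows Server 2008 R2), Enterprise Admin rights, and a
# deleted OU named "Sales" whose contents you want back. Adjust the names.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Prerequisite: forest functional level Windows Server 2008 R2 or higher.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# 2. Enable the feature if it is not already on. EnabledScopes is empty until
#    then. This is a one-way change: the Recycle Bin cannot be disabled later.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# 3. How long do deleted objects stay restorable? Both values live on the
#    Directory Service object in the configuration partition. An unset
#    msDS-DeletedObjectLifetime follows tombstoneLifetime, and an unset
#    tombstoneLifetime means the built-in 60-day default.
$dsCfg = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
$deletedLifetime = $dsCfg.'msDS-DeletedObjectLifetime'
if (-not $deletedLifetime) { $deletedLifetime = $dsCfg.tombstoneLifetime }
if (-not $deletedLifetime) { $deletedLifetime = 60 }
"Deleted objects stay restorable for $deletedLifetime days"

# 4. List what can still be restored. Objects past the deleted object lifetime
#    have isRecycled set; they are stripped down and gone for good.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, 'msDS-LastKnownRDN', isRecycled, whenChanged |
    Where-Object { -not $_.isRecycled }
$deleted |
    Select-Object 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 5. Restore the OU first. Its children record the OU's *deleted* DN (the
#    mangled one under CN=Deleted Objects) as lastKnownParent, so capture that
#    DN before restoring and use it to find everything that lived in the OU.
$ou = $deleted |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Sales' } |
    Select-Object -First 1
if (-not $ou) { throw "No restorable OU named Sales found." }
$deletedOuDn = $ou.DistinguishedName

Restore-ADObject -Identity $ou.ObjectGUID
# If the OU's own parent no longer existed, Restore-ADObject -TargetPath <DN>
# would be needed to put it somewhere else; here the parent is still present.
$deleted | Where-Object { $_.lastKnownParent -eq $deletedOuDn } | Restore-ADObject

# 6. Verify: the OU is back at its original path with its contents in place,
#    attributes and group memberships intact.
$restoredOu = Get-ADObject -Identity $ou.ObjectGUID
Get-ADObject -Filter * -SearchBase $restoredOu.DistinguishedName -SearchScope OneLevel |
    Select-Object Name, ObjectClass, DistinguishedName
```

Step 5 is the part people get wrong: restoring the users before the OU fails because the target container does not exist, and matching children on the original OU path instead of its deleted DN finds nothing.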
Besides not having an easy-to-use graphical user interface, the AD Recycle Bin also does not:
- Restore a changed object. It only brings back deleted objects, not earlier attribute values of an object that still exists.
- Restore a GPO. It can bring back the groupPolicyContainer object in AD, but not the policy files in SYSVOL, so the restored GPO is incomplete.
- Restore many objects, or the entire directory, to a point in time in one step. Each object is restored individually, and a deleted OU has to be restored before the objects that were in it.
I think the AD Recycle Bin is a nice feature, but there is still a need for full-featured AD recovery tools, which I will be reviewing in later posts. You may also want to explore the free PowerGUI PowerPack that provides a GUI for the AD Recycle Bin:
The Active Directory Recycle Bin PowerPack For PowerGUI
8. August 2011 at 14:22
Also worth noting that once the Recycle Bin is turned on, it cannot be turned off! Not good for businesses and governments where security and compliance regulations don't permit retention of personally identifiable information. There are some good free utilities out there, like Netwrix AD Object Restore Wizard or Quest Object Restore for AD, that can be used instead.