Active Directory Recycle Bin in Windows 2012 R2

One of my clients would like to understand more about the Active Directory Recycle Bin in Windows 2012 R2, and I have done some study in my lab on this topic.

Summary of Study Notes

  1. The forest functional level must be Windows Server 2008 R2 or higher.
  2. The default tombstone lifetime / deleted object lifetime (msDS-deletedObjectLifetime) is 180 days for deleted objects.
  3. Restored user accounts automatically regain all group memberships and the corresponding access rights they had immediately before deletion, both within and across domains.
  4. A deleted object is moved to the Deleted Objects container, with its distinguished name mangled.
  5. After the deleted object lifetime expires, the logically deleted object is turned into a recycled object and most of its attributes are stripped away. A "recycled object", a new state introduced in Windows Server 2008 R2, remains in the Deleted Objects container until its recycled object lifetime expires. After the recycled object lifetime expires, the garbage-collection process physically deletes the recycled Active Directory object from the database.
  6. A recycled object cannot be recovered.
  7. Using Active Directory Recycle Bin to restore Exchange configuration objects that were accidentally deleted with the Exchange administrative tools is not recommended. Instead, re-create these objects using the supported Exchange administrative tools.
# Check the tombstone lifetime in Windows Server 2012 R2 - the default is 180 days
$ADForestConfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext
# The tombstoneLifetime attribute lives on the Directory Service object in the configuration partition
$DirectoryServicesConfigPartition = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ADForestConfigurationNamingContext" -Partition $ADForestConfigurationNamingContext -Properties tombstoneLifetime
$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

Write-Host -ForegroundColor Green "Active Directory's Tombstone Lifetime is set to $TombstoneLifetime days"

Steps to Enable AD Recycle Bin

# Windows Server 2012 R2 AD Recycle Bin - enabling the feature cannot be undone
Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MonsterBean,DC=com' `
    -Scope ForestOrConfigurationSet -Target 'MonsterBean.com'
<#
WARNING: Enabling 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=MonsterBean,DC=com' is an irreversible action!
You will not be able to disable 'Recycle Bin Feature' on 'CN=Partitions,CN=Configuration,DC=MonsterBean,DC=com' if you proceed.
#>

# Search the Deleted Objects container for the object and restore it
Get-ADObject -SearchBase "CN=Deleted Objects,DC=MonsterBean,DC=com" -Filter {Name -like "*wong king*"} -IncludeDeletedObjects | Restore-ADObject
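The lifetime check, the feature enablement and the wildcard restore above fit together in one script, added here as an example that is not part of the original post. It confirms the feature is really enabled, reads msDS-deletedObjectLifetime (falling back to tombstoneLifetime when unset), lists what is still restorable with the days remaining, flags an unusual burst of deletions, and restores by ObjectGUID so a "*wong king*" wildcard cannot pick the wrong object; the domain name, the "wong king" RDN and the deletion threshold of 20 are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is loaded
# and you run it in the domain whose Deleted Objects container you want to audit.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Verify the optional feature is enabled before relying on Restore-ADObject.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning "Recycle Bin Feature is not enabled; deleted objects cannot be recovered."
}

# 2. Read the lifetimes. msDS-deletedObjectLifetime falls back to tombstoneLifetime when unset.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Partition $configNC -Properties tombstoneLifetime, 'msDS-deletedObjectLifetime'
$deletedLifetime = if ($dsConfig.'msDS-deletedObjectLifetime') {
    $dsConfig.'msDS-deletedObjectLifetime' } else { $dsConfig.tombstoneLifetime }

# 3. List deleted (not yet recycled) objects. whenChanged approximates the deletion time,
#    because the deletion is the last write to the object.
$deleted = @(Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
    -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN', objectClass)

$deleted | Select-Object ObjectGUID, objectClass, 'msDS-LastKnownRDN', lastKnownParent, whenChanged,
    @{ n = 'DaysLeft'; e = { $deletedLifetime - [int]((Get-Date) - $_.whenChanged).TotalDays } } |
    Sort-Object whenChanged | Format-Table -AutoSize

# 4. Detection: a burst of deletions in the last 24 hours is worth investigating.
#    The threshold of 20 is an assumed placeholder; tune it to your environment.
$recent = @($deleted | Where-Object { $_.whenChanged -gt (Get-Date).AddDays(-1) })
if ($recent.Count -gt 20) {
    Write-Warning "$($recent.Count) objects were deleted in the last 24 hours."
}

# 5. Restore one object by its GUID. msDS-LastKnownRDN is the original name, so an
#    exact match replaces the wildcard search; refuse to guess when several objects match.
$target = @($deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'wong king' })
if ($target.Count -ne 1) {
    throw "Expected exactly one match for 'wong king', found $($target.Count); pick the ObjectGUID from the listing."
}
# If the parent OU was deleted as well, restore the parent first (lastKnownParent shows it).
Restore-ADObject -Identity $target[0].ObjectGUID

# 6. Confirm the group memberships came back (note 3 in the summary).
Get-ADPrincipalGroupMembership -Identity $target[0].ObjectGUID | Select-Object Name
```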

Updated

If you prefer a GUI, Windows Server 2012 R2 also provides one for the Active Directory Recycle Bin.

[Screenshots: AD-RecycleBin-01, AD-RecycleBin-02]

References

  1. Active Directory Recycle Bin Step-by-Step Guide, Microsoft TechNet: https://technet.microsoft.com/en-us/library/dd379542(v=ws.10).aspx