Question

How to enable the recycle bin of the Active Directory

Answer 1

Introduction

One of the new features of windows server 2012 is the integration of a graphic interface for the recycle bin of the active directory. This feature allows to restore accidentally or intentionally deleted objects from the active directory, whether they are users, groups or organizational units in a simple way.

The recycle bin of the active directory was already available in windows server 2008 R2 but lacked a graphical interface, which caused the task of restoring deleted objects to become a bit tedious.

To use this feature it is necessary to activate it, since by default it is disabled. Before activating it, it is necessary to consider that once enabled, we will not be able to disable it.

Activation

On a domain controller open the "active directory management center" and select the name of the forest. Then choose "enable the recycle bin" in the task pane on the right side.

Note: The "enable recycle bin" option will not be available if the active directory version is less than windows server 2008 R2 or if the recycle bin has been previously activated. To raise the level of forest operation it is necessary to use " cmdlet Set-ADForestMode " or it is also possible to use " Ldp.exe ". For more information on how to use " cmdlet Set-ADForestMode " you can use the command
Get-Help Enable-ADOptionalFeature in the active directory module for Windows PowerShell in windows server 2008 R2.

We must also take into account the warning displayed when activating the recycle bin, which will notify us that we must wait for the change to be replicated in all domain controllers in the forest. Replication will take a few minutes depending on the complexity of the active directory structure.

Use of recycling bin

Once the replication time has elapsed, it is recommended to close and reopen the "active directory administration center". Select the name of the forest and choose the "Deleted Objects" OU, in this OU all the deleted objects will be stored. To recover an object only it is necessary to enter "Deleted Objects" and use the restore option.

The recovered object will retain all of its original attributes. The active directory management center offers criteria and filtering options that allow you to restore certain objects.

Basic rules

The "active directory management center" can not restore a complete tree in a single action, if necessary the following rules should be considered:

• Restore the highest deleted object first in the hierarchy of the tree.
  
• Restore the immediate children of the parent object.
  
• Restore the immediate children of the primary objects.

Repeat as necessary, considering that a secondary object can not be restored before restoring its parent.

The objects deleted from the active directory have a default life of 180 days in the recycle bin, once this time has elapsed they are eliminated by the 'Garbage collector', which is automatically executed in the active directory every 12 hours. This parameter is modifiable in the attribute 'garbageCollPeriod' in the configuration object of the entire company DS (NTDS).

---