Active Directory Recycle Bin

Active Directory Recycle Bin is a new tool in Windows 2008 R2. This Active Directory Tool will preserve and recover accidentally deleted Active Directory objects. Restoring deleted objects before Windows 2008 R2 was not a simple process. The process would require a restore from backing using the ntdsutil authoritative restore command. A big limitation to this was you could only restore the objects to the point of your last backup. In Windows 2003 and Window 2008 you could also recover deleted Active Directory objects through tombstone reanimation. The problem with this is that some of the objects attributes where cleared (for example, group memberships of user account). Active Directory Recycle Bin in Windows 2008 R2 helps administrators restore accidentally deleted Active Directory objects without restoring Active Directory data from backups.

By default Active Directory Recycle bin is disabled in Windows 2008 R2. To enable it you will need to raise the forest functional level of your AD DS. This will require all domain controllers in the forest to be running Windows Server 2008 R2. Once the Active Directory recycle bin is enabled and an object is deleted, the deleted object is moved to the deleted object container. By default these deleted objects are kept in the recycle bin for 180 days. For a complete overview of Active Directory Recycle bin check out Microsoft’s document on what’s new in AD DS

Restoring the Active Directory deleted objects is done through command line. For complete documentation on restoring objects using the Active Directory recycle bin see this Microsoft document Restoring a Deleted Active Directory Object.

There is a GUI option as well. This is not a Microsoft product but looks like a good solution. Its called ADRecyleBin and allows administrators to quickly restore deleted Active Directory objects via an easy to use GUI (graphical user interface). You can find details on the tool and a link to download it here.