PowerShell Enable Active Directory Recycle Bin

PowerShell Enable Active Directory Recycle Bin, work in Windows Server 2012/2012R2/2016/2019.

1. Enabling Recycle Bin (Windows Server 2008 R2):

To enable recycle bin:

• Open Powershell on the PDC (Primary Domain Controller).

NOTE: To confirm which server is the primary DC, run the below command:

Get-ADForest | fl

• Make sure that the server you are using is the SchemaMaster or else the command will not work. Check that the ForestMode shows up as Windows2008R2Forest. If not, run Import-Module ActiveDirectory, then run the following command:

Set-ADForestMode –Identity <yourdomainname> -ForestMode Windows2008R2Forest

• enable it using Active Directory Domains and Trusts by right-clicking on the top-level item and selecting Raise forest functional level. Please note that this option needs replication if one or more DCs exist, therefore running the PowerShell command yields faster results.
• Once enabled run the following command in PowerShell:

Enable-ADOptionalFeature –Identity 'CN=Recycle Bin 
Feature,CN=Optional Features,CN=Directory Service,CN=Windows 
NT,CN=Services,CN=Configuration,DC=domain' –Scope 
ForestOrConfigurationSet –Target '<yourdomainname>'

By default, the deleted object lifetime and tombstone lifetime in AD is set to 60 days. If this is not enough, you can modify the value by running the below commands (the below example sets them to 1 year):

Set-ADObject -Identity “CN=Directory Service,CN=Windows  NT,CN=Services,CN=Configuration,DC=domain” –Partition  "CN=Configuration,DC=contoso,DC=com" –Replace:@{"tombstoneLifetime" =  365} 
Set-ADObject -Identity "CN=Directory Service,CN=Windows  NT,CN=Services,CN=Configuration,DC=domain" –Partition  "CN=Configuration,DC=domain"  –Replace:@{"msDS-DeletedObjectLifetime" = 365}

2. How to restore an object:

First, search for the object using one of the following commands using PowerShell. Don’t forget to run the command:

Import-Module ActiveDirectory

Search for all objects:

get-adobject -filter 'IsDeleted -eq $True' -IncludeDeletedObjects 
-properties IsDeleted,LastKnownParent | Format-List 
Name,IsDeleted,LastKnownParent,DistinguishedName

Search for a particular user:

Get-ADObject -Filter {displayName -eq "Name"} -IncludeDeletedObjects

(where Name is the display name of the user)

Once the user or object is found, restore it using the following command:

Get-ADObject -Filter {displayName -eq "Name"} -IncludeDeletedObjects | Restore-ADObject

This will restore it to its last OU location

3. Enabling Recycle Bin (Windows Server 2012/2012R2/2016/2019)

In this version enabled by default. Confirm that the forest functional level is at least Windows2008R2. Once completed:

• Open Active Directory Administrative Center
• Right-click on the domain name and select Enable Active Directory Recycle Bin
• Being that this option changes the collection structure for AD, a prompt will show that this action is irreversible. Press Ok
• Wait for the change to apply
• Done

4. How to restore an object (Windows Server 2012/2012R2/2016/2019):

• To restore an object:
• Open Active Directory Administrative Center;
• Click on the domain name folder and open the Deleted Objects folder from the list;
• Find the object and select Restore. This will automatically restore it to the location from where the object was deleted;
• To restore the object in another folder or OU, select Restore To;
• Done