Enable and configure Active Directory Recycle Bin to recover deleted AD objects without backups. Learn both PowerShell and GUI methods with verification steps.
Emanuel DE ALMEIDAThe Active Directory Recycle Bin is a critical feature that allows administrators to recover accidentally deleted AD objects — such as users, groups, and OUs — without requiring a full backup restoration or authoritative restore procedure.
This tutorial covers both PowerShell and GUI-based methods to enable and configure the AD Recycle Bin on Windows Server 2022, including prerequisite verification, activation steps, and how to restore deleted objects once the feature is enabled.
Before enabling the Recycle Bin, check your forest meets the minimum requirements. Open an elevated PowerShell session and verify your forest functional level.
Import-Module ActiveDirectory
Get-ADForest | Format-List FunctionalLevelThe output should show Windows2008R2Forest or higher. If it shows Windows2008Forest or lower, you'll need to raise the functional level first.
Next, verify your schema version meets requirements:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersionThe objectVersion should be 47 or higher. Also check that all domain controllers are replicating properly:
repadmin /showreplThe GUI method is straightforward and provides visual confirmation. Open Server Manager and navigate to Tools > Active Directory Administrative Center, or run dsac.exe from an elevated command prompt.
In ADAC, select your domain from the left navigation pane. If your domain isn't visible, click Manage > Add Navigation Nodes and add your domain.
In the Tasks pane on the right, click Enable Recycle Bin. You'll see a warning dialog explaining that this action is irreversible and will delete existing tombstone objects. Click OK to proceed.
A second dialog will appear asking you to refresh the Administrative Center. Click OK and then press F5 or click the refresh icon.
Verification: After refreshing, the "Enable Recycle Bin" option should be grayed out, and you should see a new "Deleted Objects" container in your domain navigation.
For automation or when GUI access isn't available, use PowerShell. First, get your forest root domain name and distinguished name:
$ForestDN = (Get-ADRootDSE).rootDomainNamingContext
$ForestName = (Get-ADForest).Name
Write-Host "Forest DN: $ForestDN"
Write-Host "Forest Name: $ForestName"Now enable the Recycle Bin feature using the Enable-ADOptionalFeature cmdlet:
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Services,CN=Configuration,$ForestDN" -Scope ForestOrConfigurationSet -Target $ForestNameWhen prompted, type Y and press Enter to confirm the irreversible operation.
Verification: Check that the feature is enabled:
Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' | Format-List Name,EnabledScopesThe EnabledScopes should show your forest DN, confirming successful activation.
By default, deleted objects remain in the Recycle Bin for 180 days (deletedObjectLifetime). You can modify this value based on your organization's needs. Check the current setting:
Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties deletedObjectLifetime | Format-List deletedObjectLifetimeIf the value is <not set>, it defaults to 180 days. To modify it (for example, to 365 days):
Set-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Replace @{deletedObjectLifetime=365}Also check the tombstone lifetime, which determines when objects are permanently purged:
Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime | Format-List tombstoneLifetimeThe tombstone lifetime should be longer than the deleted object lifetime to ensure proper cleanup.
Create a test organizational unit to verify the Recycle Bin functionality. In ADAC, right-click your domain and select New > Organizational Unit. Name it "Test-RecycleBin-OU".
After creating the OU, right-click it and select Delete. Confirm the deletion when prompted.
Now navigate to the Deleted Objects container in ADAC. You should see your deleted OU listed with a red X icon and additional attributes showing when it was deleted.
To restore the object, right-click the deleted OU and select Restore. The object will be restored to its original location. Alternatively, select "Restore To" to choose a different parent container.
Verification: Navigate back to your domain root and confirm the OU has been restored with all its original properties intact.
Clean up by deleting the test OU again (you can leave it in Deleted Objects for future testing).
PowerShell provides more flexibility for bulk operations and scripting. To view all deleted objects in your domain:
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,LastKnownParent | Format-Table Name,Deleted,LastKnownParent -AutoSizeTo restore a specific object by name (replace "Test-RecycleBin-OU" with your object name):
Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects | Restore-ADObjectFor more complex scenarios, you can restore objects to different locations:
$DeletedObject = Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects
Restore-ADObject -Identity $DeletedObject -TargetPath "OU=Restored,DC=yourdomain,DC=com"To restore all objects deleted within the last 24 hours:
$Yesterday = (Get-Date).AddDays(-1)
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Deleted | Where-Object {$_.Deleted -gt $Yesterday} | Restore-ADObjectVerification: Use Get-ADObject without the -IncludeDeletedObjects parameter to confirm restored objects are visible in normal AD queries.
Regular monitoring ensures the Recycle Bin functions properly and doesn't consume excessive space. Create a monitoring script to check deleted objects count and age:
$DeletedObjects = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,objectClass
$TotalCount = $DeletedObjects.Count
$OldObjects = $DeletedObjects | Where-Object {$_.Deleted -lt (Get-Date).AddDays(-150)}
Write-Host "Total deleted objects: $TotalCount"
Write-Host "Objects older than 150 days: $($OldObjects.Count)"
# Group by object type
$DeletedObjects | Group-Object objectClass | Sort-Object Count -Descending | Format-Table Name,CountSet up a scheduled task to run this script weekly and alert administrators if the count grows unexpectedly large.
Monitor replication health to ensure deleted objects replicate properly across all domain controllers:
repadmin /replsummaryCheck for any replication errors that might affect Recycle Bin functionality:
repadmin /showrepl * /errorsonlyWhile the Recycle Bin provides excellent protection against accidental deletions, maintain a comprehensive backup strategy. The Recycle Bin doesn't protect against:
Configure Windows Server Backup to create regular system state backups:
wbadmin start systemstatebackup -backupTarget:E: -quietDocument your recovery procedures and train your team on both Recycle Bin recovery and authoritative restore procedures. Create a recovery runbook that includes:
Test your recovery procedures quarterly by deliberately deleting test objects and recovering them using both GUI and PowerShell methods.
Verification: Ensure your backup strategy covers both Recycle Bin recovery and traditional authoritative restore scenarios. Test restore procedures in a lab environment before implementing in production.
Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
Deepen your knowledge with related resources
Share your thoughts and insights
You must be logged in to comment.
