Ever have gut-clenching moments when you realize you deleted the wrong object in Active Directory? Maybe you keep a bottle of antacid in your desk drawer for exactly that reason. Well not anymore. Let’s talk about a wonderful feature in Active Directory implemented back in the 2008 version of Active Directory. It’s called the ‘Recycle Bin’. NOTE: Before going forward you should educate yourself on best practices surrounding the AD Recycle Bin. This guide is not designed to cover all the nuances of the Recycle Bin but the basic steps in enabling it and recovering an object.
SH*T I DELETED THE NEW SERVER COMPUTER OBJECT NOT THE ONE IM DECOMMISSIONING!
The first step is do not get in this situation in the first place and always double or triple check what you are deleting. The second step is enabling the Active Directory Recycle Bin. Unfortunately, this won’t help you if you’ve already deleted something you shouldn’t have, but it might save you in the future. Don’t ask me why but for some reason it’s STILL not the default in Active Directory 2016 and you have to enable it.
So, how do we enable the Active Directory Recycle Bin you ask? So easy I’m going to show you two ways to do it! The first method is the KISS method or Keep it Simple Stupid way. The second is the more manly, POWERSHELL FOR PRESIDENT option.
From either a domain controller or a device with the RSAT active directory tools installed we are going to crack open the ‘Active Directory Administrative Center’. Our Primary example server is going to be a 2016 Domain Controller today. Don’t judge me for using desktop experience. Start – ‘Windows Administrative Tools – Active Directory Administrative Center’.
If you haven’t used the Administrative Center before it’s neat, think of it as a slightly ‘fancier’ version of Active Directory Users and Computers, kinda how Server Manager is for Computer Management. You know, prettier but not nearly as intuitive.
Next, we want to select the Domain we are going to work with in this example; hint, it’s the ‘PROBRES’ Domain.
Once you select your domain, on the right hand side you’ll notice a little option under the ‘tasks’ pane. It’s conspicuously named ‘Enable Recyle Bin’. If you click it you’ll be greeted by this grumpy little box.
If you are sure, and have read up and created appropriate best practices in your organization around the Recycle Bin, go ahead and happily click that ‘OK’ button. If you have not, well I suggest you do that first, and file a change control while you’re at it be a good admin or something. Once you click OK don’t panic you are going to get another grumpy pop up it’s fine it just wants you to click the refresh button.
That’s it you’re done. HOORAY! Objects are now restorable from the Active Directory recycle bin. Now just to prove the naysayers, let’s show us why we even bothered doing this. I’ve got this lonely file server that holds onto some ISOS and other stuff in my test environment.
One day I was sitting at my desk and Penny, (One of my four legged furry pups) accidentally hit my elbow and horror of horrors, I somehow deleted the AD object for my file server! Oh, noes!
Don’t ask me how her elbowing caused me also to hit the prompt that comes up. Maybe it was PowerShell and there was no prompt you don’t know.
OK, Seriously it’s pretty hard to delete a server object accidentally these days.
PENNY NO WHAT HAVE YOU DONE!
Nobody panic it will be OK. We are going to go open up our friend ‘Active Directory Administrative Center and navigate back to Probres(Local) and make our way to the ‘Deleted Objects’ container.
If we double click on we find our loyal friend the file server!
A simple right click ‘Restore’ will send him to his proper home in the ‘SERVERS’ OU. A quick jump back to login in and woot! He’s A-OK.
So that was enabling it through the GUI. But I promised to show you the manlier way as well with PowerShell too. So here goes, I’ve got another test domain where my configuration manager stuff lives that I might as well enable it on. Open a PowerShell window as an administrator import the AD module, and use the below to craft a string for your environment.
Enable-ADOptionalFeature -Identity ‘CN=Recycle Bin Feature,CN=Optional Features, CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Byteknight,DC=LOCAL’ -Scope ForestOrConfigurationSet -Target ‘Byteknight.Local’
Simple right? Just replace it with your domain information instead of mine and away you go. Cheers and may this reduce the amount of antacids in your desk.