Ok, now that we have enabled the AD Recycle Bin, let's see how to test its functionality. We will create, delete and then recover one object from the Active Directory database using the Recycle Bin feature.
First of all, open the Active Directory Users and Computers (ADUC) console and create a user account in the Users container, named Test Delete. Then open ldp.exe:
- Start ldp.exe from the Run command on the Start Menu
- Under Connections, select Bind, select Bind with credentials, enter them and click OK
- Select View – Tree
- In the drop-down menu select the top-level domain
There should be a container named CN=Deleted Objects,DC=yoursecondleveldomain,DC=yourfirstleveldomain. If you double-click it you will notice that it is empty.
Go back to the ADUC console and delete the Test Delete user account. Reopen the ldp.exe console and double-click the container named CN=Deleted Objects,DC=yoursecondleveldomain,DC=yourfirstleveldomain. You should now see one deleted object in it.
Refresh your ADUC console to make sure the object is deleted. Let's recover this user account. Open the ldp.exe console and follow this procedure:
- Right-click the object that you want to restore and select Modify
- In the Edit Entry Attribute box type isDeleted
- Under Operations select Delete and click Enter
- In the Edit Entry Attribute box type distinguishedName
- In the Values box type the original DN of the object; in our case it is “CN=Test Delete,CN=Users,DC=r2test,DC=local” (without the quotation marks)
- Under Operations select Replace, make sure the Extended check box is selected, and click Enter
- Click Run
Go back to ADUC and refresh the console. The Test Delete user should be visible again.
When recovering multiple objects you must restore the topmost deleted parent object first, and only then its child objects. Recovery can also be done with AD PowerShell 2.0 cmdlets such as Get-ADObject and Restore-ADObject. The default period for keeping deleted objects in the AD database is 180 days, but it can be changed to a longer or shorter value.
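As an added example that is not from the original post, here is the same recovery done with the Get-ADObject and Restore-ADObject cmdlets mentioned above, extended to the multiple-object case so that a deleted parent is restored before the objects that were deleted with it. It assumes the ActiveDirectory module is loaded, that the account running it may restore objects, and it reuses the Test Delete user and the r2test.local domain from this walkthrough; the function name Restore-DeletedTree is my own.

```powershell
# Added example, not part of the original post: recover a deleted object and
# everything that was deleted with it, restoring each parent before its children.
# Assumes the ActiveDirectory module, an account allowed to restore objects, and
# an enabled Recycle Bin; 'Test Delete' is the user created earlier in the post.
Import-Module ActiveDirectory

function Restore-DeletedTree {
    param(
        [Parameter(Mandatory)] $Object,               # a tombstone from Get-ADObject below
        [Parameter(Mandatory)] [object[]] $AllDeleted
    )
    # While in CN=Deleted Objects the object carries a mangled DN (name\0ADEL:<guid>,...).
    # Children deleted together with it reference that DN in lastKnownParent.
    $deletedDn = $Object.DistinguishedName

    # Restore the parent first; -PassThru returns it with its original DN again.
    $restored = Restore-ADObject -Identity $Object.ObjectGUID -PassThru
    Write-Output "Restored $($restored.DistinguishedName)"

    # A child's lastKnownParent may hold either form of the parent DN, so accept both,
    # and recurse so grandchildren come back only after their own parent is in place.
    $children = $AllDeleted | Where-Object {
        $_.lastKnownParent -eq $deletedDn -or
        $_.lastKnownParent -eq $restored.DistinguishedName
    }
    foreach ($child in $children) {
        Restore-DeletedTree -Object $child -AllDeleted $AllDeleted
    }
}

# One query for every tombstone, excluding the Deleted Objects container itself.
# Objects with isRecycled set have passed the deleted-object lifetime (180 days by
# default) and can no longer be restored, so they are dropped client-side.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN', isRecycled |
    Where-Object { -not $_.isRecycled }

# Pick the object(s) to bring back by the name and location they had before deletion.
$roots = $deleted | Where-Object {
    $_.'msDS-LastKnownRDN' -eq 'Test Delete' -and $_.lastKnownParent -eq 'CN=Users,DC=r2test,DC=local'
}
if (-not $roots) { throw 'No restorable tombstone found for Test Delete' }
foreach ($r in $roots) { Restore-DeletedTree -Object $r -AllDeleted $deleted }
```

Run it from an elevated PowerShell session on a domain member with RSAT installed; each restored DN is written to the pipeline so the order of recovery can be reviewed afterwards.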