Windows Server 2008 R2 AD Recycle Bin (Part 2)

by Marin Franković on 28 April, 2009

OK, now that we have enabled the AD Recycle Bin, let's see how to test its functionality. We will create, delete and then recover one object from the Active Directory database using the Recycle Bin feature.

First of all, open the Active Directory Users and Computers (ADUC) console and create one user account in the Users container; name it Test Deleted.

  • Start ldp.exe from the Run command on the Start Menu
  • Under Connection, select Connect, enter the name of a domain controller and click OK
  • Under Connection, select Bind, choose Bind with credentials, enter them and click OK
  • Select View – Tree
  • In the BaseDN drop-down list select the domain naming context (DC=r2test,DC=local in the screenshots) and click OK

There should be a container named CN=Deleted Objects,DC=<your second-level domain>,DC=<your top-level domain>, in our case CN=Deleted Objects,DC=r2test,DC=local. If you double-click it you will notice that it is empty. If the container is not shown, or stays empty after you delete an object, enable the Return deleted objects control (Options – Controls, Load Predefined): the directory only returns deleted entries to searches that carry that control.

Ldp.exe view on a domain r2test.local


Go back to the ADUC console and delete the Test Deleted user account. Return to the ldp.exe console, refresh the tree and double-click the container named CN=Deleted Objects,DC=r2test,DC=local. You should see one deleted object in it; its RDN is mangled to the original name followed by \0ADEL: and the object's GUID.

Deleted object as seen in ldp.exe

Refresh your ADUC console to make sure that the object is deleted. Let's recover this user account. Open the ldp.exe console and follow this procedure:

  • Right-click the object that you want to restore and select Modify
  • In the Edit Entry Attribute box type isDeleted
  • Under Operation select Delete and click Enter (leave Values empty; this removes the isDeleted attribute)
  • In the Edit Entry Attribute box type distinguishedName
  • In the Values box type the original DN of the object, in our case CN=Test Deleted,CN=Users,DC=r2test,DC=local (without quotation marks)
  • Under Operation select Replace, make sure the Extended check box is selected so that the request is sent with the loaded controls, and click Enter
  • Click Run

Fill in the blanks

Go back to ADUC and refresh the console. The Test Deleted user should be visible again, with all of its attributes, including its SID and group memberships, intact.

Recovered object

When recovering multiple objects you must restore the topmost deleted parent first; a child cannot be restored while its parent is still in the Deleted Objects container. The recovery can also be done with the Active Directory module for Windows PowerShell, using Get-ADObject (with -IncludeDeletedObjects) and Restore-ADObject. Deleted objects stay restorable for the deleted object lifetime (msDS-deletedObjectLifetime), which defaults to 180 days but can be raised or lowered; once that period passes the object is recycled and can no longer be restored this way. Keep in mind that a restored object comes back with its original SID and group memberships, so restoring a deleted privileged account re-grants everything it had: treat restores as a privileged operation and audit them.
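The same recovery done with the cmdlets, as an added example that is not part of the original post: it performs the restore the ldp.exe steps above perform, restores a deleted OU parent-first, and reads and changes the deleted object lifetime. It assumes the ActiveDirectory module on a Windows Server 2008 R2 domain controller in the post's r2test.local domain; the samAccountName testdeleted, the OU name Sales and the OU=Recovered target are assumed for illustration.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module on a Windows Server 2008 R2 DC in the post's r2test.local domain, run
# with an account allowed to restore objects (e.g. Domain Admins). The account
# samAccountName "testdeleted", the OU "Sales" and "OU=Recovered" are assumed.
Import-Module ActiveDirectory

$rootDse          = Get-ADRootDSE
$deletedObjectsDn = "CN=Deleted Objects," + $rootDse.defaultNamingContext

# 1. List what is currently restorable. -IncludeDeletedObjects sends the
#    "Return deleted objects" LDAP control (the same control ldp.exe needs);
#    without it the server returns no deleted entries at all. The container
#    itself is flagged isDeleted, so drop it from the list.
Get-ADObject -SearchBase $deletedObjectsDn -Filter { isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
    Where-Object { $_.DistinguishedName -ne $deletedObjectsDn } |
    Select-Object msDS-LastKnownRDN, ObjectClass, lastKnownParent, whenChanged

# 2. Restore one user. The deleted entry's RDN is mangled to
#    "CN=Test Deleted\0ADEL:<guid>", so do not search by name; samAccountName and
#    msDS-LastKnownRDN survive deletion. Restore-ADObject does what the ldp.exe
#    steps do: it removes isDeleted and moves the entry back under lastKnownParent.
$user = Get-ADObject -Filter { samAccountName -eq "testdeleted" } -IncludeDeletedObjects
Restore-ADObject -Identity $user

# 3. Restore a deleted OU and everything that lived in it. A child cannot be
#    restored while its parent is still deleted, so the OU goes first. Children
#    point at the OU through lastKnownParent, which may hold either the OU's
#    original DN or its mangled deleted DN, so match both.
$ou = Get-ADObject -LDAPFilter "(&(msDS-LastKnownRDN=Sales)(objectClass=organizationalUnit))" `
    -IncludeDeletedObjects
$deletedOuDn  = $ou.DistinguishedName
Restore-ADObject -Identity $ou
$restoredOuDn = (Get-ADObject -Identity $ou.ObjectGUID).DistinguishedName
Get-ADObject -SearchBase $deletedObjectsDn -Filter { isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -eq $restoredOuDn -or $_.lastKnownParent -eq $deletedOuDn } |
    Restore-ADObject

# If the original parent is gone and you do not want it back, restore into
# another container instead (the account still keeps its SID and memberships):
# Restore-ADObject -Identity $user -TargetPath "OU=Recovered,DC=r2test,DC=local"

# 4. Check, and if needed change, how long deleted objects stay restorable.
#    msDS-DeletedObjectLifetime defaults to 180 days; when it is unset the
#    tombstoneLifetime value is used instead.
$configNc = $rootDse.configurationNamingContext
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
Get-ADObject -Identity $dsConfig -Partition $configNc `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
Set-ADObject -Identity $dsConfig -Partition $configNc `
    -Replace @{ 'msDS-DeletedObjectLifetime' = 365 }
```

Restore-ADObject fails for a child whose parent is still deleted, which is why step 3 restores the OU before filtering on lastKnownParent; pass -TargetPath when you would rather not bring the old parent back. Every Get-ADObject call that is expected to see deleted entries carries -IncludeDeletedObjects; omitting it silently returns nothing, the PowerShell counterpart of running ldp.exe without the Return deleted objects control.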

