Accidentally deleting a user or group in Active Directory (AD) used to be a nerve-wracking mistake. Without backups or complicated authoritative restores, retrieving deleted objects was complex and time-consuming.
Fortunately, Active Directory Recycle Bin simplifies recovery by allowing admins to restore deleted objects with all attributes intact, without needing to reboot or use backup media.
In this guide, you’ll learn how to enable the AD Recycle Bin, what it does, how it works behind the scenes, and how to restore objects quickly using PowerShell or the Active Directory Administrative Center.
What is the Active Directory Recycle Bin?
The AD Recycle Bin is a feature introduced in Windows Server 2008 R2 that allows administrators to recover deleted objects (users, groups, OUs, etc.) with all their attributes preserved, including group memberships, access rights, and login settings.
Before this feature, deleted objects entered a “tombstoned” state with many attributes stripped, making recovery messy and error-prone.
Key Benefits
- No downtime or reboots required
- Full attribute recovery
- Faster restoration than from backups
- Works on users, computers, OUs, groups, etc.
- Integrates with Active Directory Administrative Center and PowerShell
Prerequisites
| Requirement | Details |
|---|---|
| Forest Functional Level | Windows Server 2008 R2 or higher |
| Permissions | Domain Admin or Enterprise Admin rights |
| Replication Awareness | All DCs must replicate the schema change |
| One-time Enablement | Once enabled, it cannot be disabled |
Step-by-Step Guide: How to Enable Active Directory Recycle Bin
Option 1: Enable via PowerShell
- Open PowerShell as Administrator on a domain controller.
- Run the following commands:
Import-Module ActiveDirectory
Get-ADOptionalFeature -Filter {name -like "Recycle Bin Feature"}
This shows the current status. If it’s Disabled, continue with the enablement.
- Enable it:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
-Scope ForestOrConfigurationSet `
-Target 'yourdomain.local'
Replace yourdomain.local with your actual domain name (the DNS name of the forest root domain).
- Confirm:
Get-ADOptionalFeature -Filter {name -like "Recycle Bin Feature"}
If successful, the EnabledScopes property should list your forest.
Option 2: Enable via Active Directory Administrative Center (ADAC)
- Open ADAC from a domain controller (Server Manager > Tools > Active Directory Administrative Center).
- In the left panel, click on your domain name.
- In the Tasks pane, click “Enable Recycle Bin…”
- Confirm the action.
- A warning will appear indicating this is permanent and cannot be reversed.
- Click OK.
The change is replicated across the forest. You may need to refresh ADAC to see the “Deleted Objects” container.
How to Restore Deleted Objects
Once enabled, deleted objects are retained (with full metadata) in a hidden container called CN=Deleted Objects.
You can recover them using:
1. PowerShell
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects |
Where-Object {$_.Name -like "*username*"} |
Restore-ADObject
- Replace *username* with the name of the deleted object.
2. AD Administrative Center
- Go to your domain in ADAC.
- Click “Deleted Objects” in the left panel.
- Right-click the object you want to restore.
- Click Restore or Restore To… to select a specific container.
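An added example, not code from the original article: the PowerShell restore above, extended to the case the ADAC "Restore" button handles for you, where the object's parent OU was deleted at the same time. Deleted containers must be restored from the top down before the object itself, otherwise Restore-ADObject fails because lastKnownParent still points at a deleted container. It assumes the ActiveDirectory module and an already enabled Recycle Bin; the function names and the account name 'jdoe' are placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is present and the Recycle Bin was enabled before the deletion.
Import-Module ActiveDirectory

function Restore-DeletedParentChain {
    param([string]$ParentDN)
    if (-not $ParentDN) { return }
    # lastKnownParent is a DN-syntax attribute, so it still resolves after the
    # parent was deleted; walk up and restore the topmost deleted ancestor first.
    $parent = Get-ADObject -Identity $ParentDN -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) {
        Restore-DeletedParentChain -ParentDN $parent.lastKnownParent
        Write-Host "Restoring parent container: $($parent.Name)"
        $parent | Restore-ADObject
    }
}

function Restore-DeletedADObjectByName {
    param(
        [Parameter(Mandatory)][string]$Name,   # placeholder: CN or sAMAccountName, e.g. 'jdoe'
        [string]$TargetPath                    # optional DN of a container to restore into
    )
    # Deleted objects keep their attributes; only the CN gains a "\0ADEL:<guid>" suffix,
    # which is why a prefix match on Name is used alongside the exact sAMAccountName.
    $filter = "isDeleted -eq `$true -and (sAMAccountName -eq '$Name' -or Name -like '$Name*')"
    $found = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
               -Properties lastKnownParent, whenChanged)
    if ($found.Count -eq 0) { throw "No deleted object named '$Name' found." }
    if ($found.Count -gt 1) {
        $found | Select-Object Name, ObjectClass, whenChanged, lastKnownParent | Format-Table -AutoSize
        throw "Several deleted objects match '$Name'; restore the right one by ObjectGUID instead."
    }
    $obj = $found[0]
    if ($TargetPath) {
        # Explicit target (same as "Restore To..." in ADAC); no parent chain needed.
        $obj | Restore-ADObject -TargetPath $TargetPath
    } else {
        Restore-DeletedParentChain -ParentDN $obj.lastKnownParent
        $obj | Restore-ADObject
    }
    # Return the live object so the caller can verify that attributes survived.
    Get-ADObject -Identity "$($obj.ObjectGUID)" -Properties memberOf, whenChanged
}

# Usage with a placeholder account name:
# Restore-DeletedADObjectByName -Name 'jdoe'
```

Running it with -TargetPath skips the parent-chain logic, which is the right choice when the original OU should stay deleted.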
Lifecycle of a Deleted Object
| Stage | Description |
|---|---|
| Live Object | Normal AD object with full attributes |
| Deleted Object | Moved to Deleted Objects container with full metadata |
| Recycled Object | After deletedObjectLifetime expires (default 180 days), becomes stripped |
| Purged | Eventually removed from AD database (tombstoned) |
You can check and change the deleted object lifetime (the msDS-DeletedObjectLifetime attribute, in days) using:
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
# Show the current values in days (if msDS-DeletedObjectLifetime is unset, tombstoneLifetime applies)
Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' |
    Select-Object 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
# Change the deleted-object lifetime, for example to 365 days
Set-ADObject -Identity $dsConfig -Replace @{'msDS-DeletedObjectLifetime' = 365}
Tips & Best Practices
- Enable early: You can’t restore anything deleted before it was enabled.
- Monitor object deletions: Use AD auditing or SIEM tools to watch for accidental or malicious deletions.
- Train helpdesk teams: Ensure L1/L2 support know how to recover objects without needing backups.
- Combine with backup: The Recycle Bin is not a replacement for full domain backups, just a first line of recovery.
Conclusion
The Active Directory Recycle Bin is a powerful feature that can save your IT team countless hours when user or object deletions occur. Easy to enable and use, it provides full restoration without the hassle of going to backups or dealing with stripped tombstoned objects.
If you haven’t enabled it yet—do it today. It’s one of the best low-effort, high-reward AD features for any domain administrator.
