Windows 2008R2 features part II: Recycle Bin

Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and assume the Recycle Bin is therefore active, you are wrong: you have to enable the Recycle Bin feature explicitly.

So raise your forest functional level and run the following command in a PowerShell console:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=rootdomain,DC=local' -Scope ForestOrConfigurationSet -Target 'rootdomain.local'


Note: the above command is indeed a PowerShell command; the Active Directory module for PowerShell is itself a new feature in Windows 2008 R2.




So what does the above command do? From this point onwards a deleted object is no longer tombstoned and stripped of most of its attributes; instead it is kept as a deleted object with its attributes intact, and is only transformed into a recycled object after the deleted-object lifetime expires. Link-valued attributes are maintained both from and to the deleted object. This was not possible in previous versions of the schema.

So we have a user, John Doe, with several attributes set:



He has several attributes set, such as a street address and a logon script. He is also a member of the group Group1. Now we delete the user from the ADUC console.


If we want to look at the deleted object, the old way of searching for it no longer works. Instead there is a hidden container called CN=Deleted Objects,DC=<domain>.

We can browse this container using ldp.exe. Start LDP.exe and create a connection to the AD server. Bind using the current credentials, then select Options > Controls. In the Load Predefined list select Return Deleted Objects. Then select View > Tree, enter CN=Deleted Objects,DC=<domain> and click OK.

 Now we see the deleted John Doe object and on the right the attributes that are usually deleted.

There are multiple ways to restore the user object. It is possible via the LDP console by removing the TRUE value of the isDeleted attribute: click Modify on the object, type isDeleted in the Attribute field, leave the Values field empty, select Delete under Operation and press Enter; then type distinguishedName in the Attribute field, type the original DN in the Values field, select Replace under Operation and press Enter; finally click Run.

However, you might find it easier to use the new PowerShell cmdlets, first to find the deleted object(s):

Get-ADObject -Filter {displayName -eq "John"} -IncludeDeletedObjects



To restore, simply pipe the output of the above command to the restore command, Restore-ADObject:

Get-ADObject -Filter {displayName -eq "John"} -IncludeDeletedObjects | Restore-ADObject

Of course it is also possible to restore entire OUs and the objects beneath them.



Many wonder how the group memberships of a user (as well as other backlinks) are restored when a Recycle Bin object is reanimated (restored). It turns out the backlinks are not deleted as they normally would have been: although the forward link (the group's member attribute) is deactivated, the memberOf attribute (the backward link) is kept. Or, in Microsoft's terms:

We simply added a taxonomy to the link table which gives us the ability to preserve the link data while deactivating the link when an object is deleted.

To view the memberOf of a deleted object you can use a PowerShell command that Ned Pyle gave to me:

PS C:\> get-adobject -filter {lastknownparent -eq "ou=recycletest,dc=adatum,dc=com"} -searchbase "cn=deleted objects,dc=adatum,dc=com" -includedeletedobjects -properties *

userPrincipalName               :
CanonicalName                   : Objects/whoops
Created                         : 1/28/2009 8:57:58 AM
codePage                        : 0
modifyTimeStamp                 : 1/28/2009 10:27:59 AM
instanceType                    : 4
pwdLastSet                      : 128776246785482438
Description                     :
lastLogoff                      : 0
givenName                       : whoops
badPwdCount                     : 0
userAccountControl              : 66048
whenCreated                     : 1/28/2009 8:57:58 AM
lastLogon                       : 0
Name                            : whoops
ObjectClass                     : user
accountExpires                  : 9223372036854775807
badPasswordTime                 : 0
isDeleted                       : True
sAMAccountName                  : whoops
DisplayName                     : whoops
DistinguishedName               : CN=whoopsADEL:2563a106-b3ef-4338-b0ec-ead7cac88178,CN=Deleted Objects,DC=adatum,DC=
uSNCreated                      : 63465
ObjectCategory                  :
Modified                        : 1/28/2009 10:27:59 AM
adminCount                      : 1
sDRightsEffective               : 15
dSCorePropagationData           : {1/28/2009 9:51:53 AM, 1/28/2009 9:14:02 AM, 12/31/1600 7:00:00 PM}
objectSid                       : S-1-5-21-3745455507-831683003-5792042-1129
countryCode                     : 0
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectGUID                      : 2563a106-b3ef-4338-b0ec-ead7cac88178
Deleted                         : True
logonCount                      : 0
CN                              : whoops
LastKnownParent                 : OU=recycletest,DC=adatum,DC=com
ProtectedFromAccidentalDeletion : False
whenChanged                     : 1/28/2009 10:27:59 AM
createTimeStamp                 : 1/28/2009 8:57:58 AM
primaryGroupID                  : 513
msDS-LastKnownRDN               : whoops
memberOf                        : {CN=Domain Admins,CN=Users,DC=adatum,DC=com}
uSNChanged                      : 63535


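The two pieces above (finding deleted objects by their last known parent, and piping them to Restore-ADObject) combined into one restore routine for the OU case. This is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module, and the OU DN in the final call is a constructed sample value.

```powershell
# Added example (not from the original post): restore the objects that were
# deleted from one OU, after checking that the Recycle Bin is actually enabled.
# Assumes the ActiveDirectory module (RSAT); run with -WhatIf first.
Import-Module ActiveDirectory

function Restore-RecycledOUContents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Original DN of the OU the objects lived in, e.g. OU=recycletest,DC=adatum,DC=com
        [Parameter(Mandatory)][string]$LastKnownParent
    )

    # 1. Without the optional feature the entries under CN=Deleted Objects are
    #    plain tombstones: memberOf and most other attributes are already gone,
    #    so a Restore-ADObject would not bring back what this post describes.
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -eq 0) {
        throw 'The Recycle Bin optional feature is not enabled in this forest.'
    }

    $deletedDN = 'CN=Deleted Objects,' + (Get-ADDomain).DistinguishedName

    # 2. The same query as above; -IncludeDeletedObjects is what makes deleted
    #    objects visible at all, and lastKnownParent ties them to the old OU.
    $deleted = Get-ADObject -Filter "lastKnownParent -eq '$LastKnownParent'" `
        -SearchBase $deletedDN -IncludeDeletedObjects `
        -Properties lastKnownParent, msDS-LastKnownRDN, memberOf

    # 3. A child cannot be restored while its own parent is still in the Recycle
    #    Bin, so restore organizational units before anything else. Objects that
    #    lived in a nested OU are found by calling this function for that OU.
    $ordered = $deleted | Sort-Object { if ($_.ObjectClass -eq 'organizationalUnit') { 0 } else { 1 } }

    foreach ($obj in $ordered) {
        $groups = @($obj.memberOf).Count
        Write-Verbose ("{0} ({1}), memberOf entries preserved: {2}" -f
            $obj.'msDS-LastKnownRDN', $obj.ObjectClass, $groups)
        # -WhatIf given to this function is forwarded via $WhatIfPreference.
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIfPreference
    }
    return $ordered.Count
}

# Dry run (constructed sample DN), then the real restore without -WhatIf:
Restore-RecycledOUContents -LastKnownParent 'OU=recycletest,DC=adatum,DC=com' -WhatIf -Verbose
```

Because each object is restored to its LastKnownParent, the function refuses to do anything useful if that OU itself is still deleted; restore the OU first with the same function called on its parent.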


For more information on deleted objects and restoring them you can go see Jorge’s presentation: