Windows Server 2008 R2 is adding to Active Directory's tools by providing a new AD Administrative Center, the AD Best Practices Analyzer, an AD module for PowerShell, and an AD Recycle Bin. I've covered the Recycle Bin in previous posts, but I recently had a chance to test different mailbox deletion scenarios with Exchange, and I warmed up slightly to the potential upside that AD Recycle Bin brings to the table.
Before I get too far ahead of myself, I must note that IT administrators who use Active Directory as their directory service and identity management tool typically exercise extreme care when deleting objects (users, computers, and so forth) from the directory. They realize that deleted objects can be restored from a backup, but the pain that comes with performing that restore can be frustrating. Thus, Windows Server 2008 R2 has included a Recycle Bin feature for AD objects so that you can restore a deleted user in much the same way you might restore a deleted file.
But "in much the same way" means without the visual ease of using the Recycle Bin for undeleting files, and the obtuse design of the AD Recycle Bin is one of my complaints. When you think of the Recycle Bin, you think of a little graphical garbage receptacle that you can open, see your deleted items, and easily restore those items -- not so with the AD Recycle Bin.
First, you have to enable the AD Recycle Bin on your server, and you cannot do that unless every domain controller in the forest is running Windows Server 2008 R2 -- ugh. You have to decide to make the switch on the domain controller side; otherwise, you can forget the AD Recycle Bin. In addition, once you enable the AD Recycle Bin, you cannot disable it. Keep in mind that if you enable the AD Recycle Bin after you delete the object, you're stuck. You cannot enable it and then expect to restore that object easily.
To enable the AD Recycle Bin, go through PowerShell and use the cmdlet structure shown here:
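The following is an added PowerShell example, not the cmdlet text from the original article. It wraps the enable step with the checks an administrator would want first, given that the feature requires a Windows Server 2008 R2 forest and cannot be turned off again: it confirms the forest functional level and the operating system of every domain controller in every domain, checks whether the feature is already enabled, and only then calls `Enable-ADOptionalFeature` from the Active Directory module for PowerShell. The forest name `corp.example.com` is a placeholder you would replace with your own forest root.

```powershell
# Added example (not from the original article). Assumes the Windows Server 2008 R2
# Active Directory module for PowerShell is installed and the account running it
# is a member of Enterprise Admins. The forest name below is a placeholder.
Import-Module ActiveDirectory

$ForestName = 'corp.example.com'   # placeholder: your forest root domain

# 1. Forest functional level must be Windows Server 2008 R2 or later.
$forest = Get-ADForest -Identity $ForestName
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    Write-Warning "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    return
}

# 2. Every domain controller in every domain of the forest must run 2008 R2 or later.
#    A lower-level DC that is still present would block the functional level anyway,
#    so this is a readable report of what is holding you back.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -notlike '*2008 R2*' -and
                       $_.OperatingSystem -notlike '*2012*' -and
                       $_.OperatingSystem -notlike '*2016*' -and
                       $_.OperatingSystem -notlike '*2019*' -and
                       $_.OperatingSystem -notlike '*2022*' }
}
if ($oldDcs) {
    Write-Warning 'These domain controllers are older than Windows Server 2008 R2:'
    $oldDcs | Format-Table Name, Domain, OperatingSystem -AutoSize
    return
}

# 3. Skip the enable call if the feature is already on; the operation is one-way.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $ForestName
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host 'AD Recycle Bin is already enabled for:'
    $feature.EnabledScopes
    return
}

# 4. Enable it forest-wide. The confirmation prompt is deliberately left on,
#    because there is no cmdlet to disable the feature afterwards.
Enable-ADOptionalFeature -Identity $feature `
                         -Scope ForestOrConfigurationSet `
                         -Target $ForestName

# 5. Verify: EnabledScopes should now list the partition(s) the feature applies to.
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $ForestName).EnabledScopes
```

The `-Target` value is the forest root domain name, and `-Scope ForestOrConfigurationSet` is what makes the change apply to the whole forest rather than to a single partition. Because the feature flag lives in the configuration partition, the final check may take a replication cycle before every domain controller reports the feature as enabled.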