Criticisms and kudos for the Active Directory Recycle Bin

Undeleting users is easier in Windows Server 2008 R2 -- but not as easy as it could be

Windows Server 2008 R2 is adding to Active Directory's tools by providing a new AD Administrative Center, the AD Best Practices Analyzer, an AD module for PowerShell, and an AD Recycle Bin. I've covered the Recycle Bin in previous posts, but I recently had a chance to test different mailbox deletion scenarios with Exchange, and I warmed up slightly to the potential upside that AD Recycle Bin brings to the table.

Before I get too far ahead of myself, I must note that IT administrators who use Active Directory as their directory service and identity management tool typically exercise extreme care when deleting objects (users, computers, and so forth) from the directory. They know that a deleted object can be brought back from a backup, but the authoritative restore that requires is painful and slow. Thus, Windows Server 2008 R2 includes a Recycle Bin feature for AD objects so that you can restore a deleted user in much the same way you might restore a deleted file.

[ Read more about J. Peter Bruzzese's view of the new Active Directory features in "Thumbs-up, thumbs-down: Windows Server 2008 R2 Active Directory." | Learn more about Windows Server 2008 R2 in "Win Server 2008 R2 polishes up an already sleek server OS." ]

But "in much the same way" does not mean with the visual ease of the file-system Recycle Bin, and the opaque design of the AD Recycle Bin is one of my complaints. When you think of the Recycle Bin, you picture a little graphical garbage receptacle that you can open to see your deleted items and easily restore them -- not so with the AD Recycle Bin.

First, you have to enable the AD Recycle Bin, and you cannot do that until the forest functional level has been raised to Windows Server 2008 R2, which in turn requires every domain controller in the forest to be running Windows Server 2008 R2 -- ugh. You have to decide to make the switch on the domain controller side; otherwise, you can forget the AD Recycle Bin. In addition, once you enable the AD Recycle Bin, you cannot disable it. Keep in mind, too, that enabling the AD Recycle Bin after you delete an object does you no good: objects deleted beforehand exist only as tombstones, and enabling the feature turns them into recycled objects that cannot be restored this way. You cannot enable it and then expect to restore that object easily.

To enable the AD Recycle Bin, go through PowerShell with the Active Directory module loaded (Import-Module ActiveDirectory) and use the cmdlet structure shown here. The DC= components of the -Identity path spell out your forest root domain, and -Target names that forest; the cmdlet warns you that the change is irreversible and asks for confirmation before it proceeds:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<your domain name>,DC=<com, net or other extension>' -Scope ForestOrConfigurationSet -Target '<your domain name>.<com, net or other extension>'

Once the AD Recycle Bin is enabled, items that are deleted can be undeleted or restored using either a PowerShell cmdlet or the Ldp.exe tool. Let's say you deleted a user named Jeff Clarke and now want to restore the user. The -IncludeDeletedObjects switch is what makes Get-ADObject look at deleted objects at all; without it the filter finds nothing. Use the command below to accomplish the task:

PS C:\Users\admin> Get-ADObject -Filter {displayName -eq "Jeff Clarke"} -IncludeDeletedObjects | Restore-ADObject
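The one-liner above works when exactly one deleted object carries that display name and its original OU still exists. The script below is an added example written for this page, not code from the original post or from Microsoft: it wraps the same two steps (enable, then restore) with the checks a practitioner would want before touching an irreversible forest-wide setting, and it reads back the restored account's attributes, which is the mechanism behind the mailbox observation later in the post. It assumes an elevated PowerShell session on a Windows Server 2008 R2 domain controller run by an Enterprise Admin; the function names, the fallback container, and the display name 'Jeff Clarke' are this example's own.

```powershell
# Added example, not from the original post. Assumes the Windows Server 2008 R2
# Active Directory module and Enterprise Admin rights; names below are illustrative.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    # Prerequisite from the post: the forest functional level must be 2008 R2,
    # which itself requires every DC in the forest to run 2008 R2.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }

    # Enabling is irreversible, so never re-run it blindly: check the enabled scopes.
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
        return
    }

    # Objects deleted before this point become recycled and are not restorable this way.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

function Restore-DeletedUser {
    param([Parameter(Mandatory=$true)][string]$DisplayName)

    # isDeleted keeps a live user with the same display name out of the pipeline;
    # isRecycled drops objects that were deleted before the feature was enabled
    # (or whose deleted-object lifetime has expired) and are beyond Restore-ADObject.
    $candidates = @(Get-ADObject -Filter { displayName -eq $DisplayName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties displayName, isRecycled, lastKnownParent, whenChanged |
        Where-Object { -not $_.isRecycled })

    if ($candidates.Count -eq 0) { throw "No restorable deleted object named '$DisplayName' found." }
    if ($candidates.Count -gt 1) {
        Write-Warning ($candidates | Format-Table displayName, whenChanged, lastKnownParent -AutoSize | Out-String)
        throw "Several deleted objects match '$DisplayName'; restore the right one by ObjectGUID instead."
    }
    $deleted = $candidates[0]

    # Restore-ADObject puts the object back under lastKnownParent. If that OU was
    # deleted too, restore the OU first or supply an explicit -TargetPath.
    $parentExists = $true
    try   { $null = Get-ADObject -Identity $deleted.lastKnownParent }
    catch { $parentExists = $false }

    if ($parentExists) {
        $restored = Restore-ADObject -Identity $deleted.ObjectGUID -PassThru
    } else {
        $fallback = "CN=Users,$((Get-ADDomain).DistinguishedName)"   # example fallback container
        Write-Warning "'$($deleted.lastKnownParent)' no longer exists; restoring into $fallback"
        $restored = Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallback -PassThru
    }

    # With the Recycle Bin the object returns with its attributes intact, group
    # memberships and Exchange attributes included, which is why an attached
    # mailbox follows the user. A tombstone reanimation would have stripped most
    # of these. The Exchange columns are simply empty if the schema lacks them.
    Get-ADUser -Identity $restored.ObjectGUID -Properties * |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName, mail, homeMDB,
            msExchMailboxGuid, @{ Name = 'Groups'; Expression = { @($_.memberOf).Count } }
}

Enable-RecycleBinIfNeeded
Restore-DeletedUser -DisplayName 'Jeff Clarke'
```

Run Enable-RecycleBinIfNeeded once per forest; subsequent runs are no-ops because it reads the feature's EnabledScopes first. If Restore-DeletedUser reports several matches, rerun Restore-ADObject yourself with the ObjectGUID from the warning rather than loosening the filter.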

That should do it. The user Jeff Clarke has returned, and you can find him again in the AD console. This all sounds quite positive, so why am I critical? For two reasons:

  1. Although technically I appreciate the reason to have Windows Server 2008 R2 on all domain controllers so that the forest functional level can be raised, I find the limitation to be a deal breaker, in that many IT shops will not make that move for a while. It becomes a feature that is never used due to the limitations.
  2. It would take nothing for Microsoft to make this tool easy to enable and easy to restore objects. And by "easy," I mean graphical. I've been on the bandwagon for administrators getting back to their command-line roots. But when you are stressed out of your mind because you deleted the wrong object and need to get it back, this is the wrong time to learn PowerShell.

[ Read more about returning to the command line in "Server Core: Time to start embracing the command line." ]

However, not to be a Mr. Negative, let me share my praises of AD Recycle Bin. I had Exchange 2007 installed on a member server that was running Windows Server 2008 connected to a Windows Server 2008 R2 domain running in the 2008 R2 forest functional level. (Note: Exchange 2007 is not supported on Windows Server 2008 R2 -- although that may change by release time -- but like many others I try to run the Exchange servers on member servers anyway.) I enabled the AD Recycle Bin and did a few tests with users I would create, delete, and restore. It worked perfectly. That's my first commendation.

Now came my testing of mailbox deletion and restores: I deleted a user from the Active Directory who also had a mailbox still connected to that account. To my surprise, I found that deleting the user also deleted the mailbox. The mailbox didn't go into the Disconnected Mailboxes section of Exchange. (If I had disconnected the mailbox before deleting the user, it would have. But in this case, it was still attached when I deleted the user.) However, when I restored the user via the AD Recycle Bin command in PowerShell, the mailbox automatically was restored as well. I was happy to see it was so simple. That's my second commendation.

I've mentioned two criticisms of and two commendations for the AD Recycle Bin in Windows Server 2008 R2. I'm excited to see how this tool develops by release time and with corresponding service packs. It is a keeper, no doubt. Do you agree? I'd like to hear your feedback and experiences as well.

Copyright © 2009 IDG Communications, Inc.
