Enable & Use the Windows Server 2012 Recycle Bin for AD Restoration

Master Active Directory object recovery. We detail enabling the Windows Server 2012 Recycle Bin, restoring items, and the commands to empty the Windows Server 2012 Recycle Bin for all users when necessary for maintenance.

By @Delores
Last Updated February 12, 2026

Preface

In the past, the disappearance of a critical user account or an entire security group could cause chaos, because you had to restore it from a backup, which could bring your system to a halt.

The Active Directory (AD) Recycle Bin in Windows Server 2012 enables the restoration of accidentally deleted AD objects (users, groups, OUs) without needing to restore from backup, provided the forest functional level is Windows Server 2008 R2 or higher. It is enabled via the AD Administrative Center (ADAC).

This step-by-step guide shows how to enable the Windows Server 2012 Recycle Bin and how to restore deleted AD objects more easily.

About Windows Server 2012 Active Directory Recycle Bin

It's crucial to learn what this feature actually is. What is the Windows Server 2012 Recycle Bin? In simple terms, the Windows Server 2012 Recycle Bin is a feature that preserves deleted Active Directory objects in a live, queryable state. When you delete something like a user, group, or organizational unit (OU), it's moved into this special Recycle Bin container, retaining most of its attributes and group memberships.

In older systems, deleted objects effectively vanished, requiring a complex and disruptive authoritative restore to recover them. The elegance of the Active Directory Recycle Bin 2012 R2 lies in its simplicity: restoration now takes just a few clicks or a straightforward PowerShell command, reinstating the object completely. This shifts the process from a major, hours-long recovery operation to a quick two-minute remedy.

It eliminates the need to restart domain controllers in Directory Services Restore Mode for most recovery scenarios, meaning business continuity isn't impacted. Furthermore, it preserves critical security identifiers (SIDs) and group memberships, so restored users retain their access permissions seamlessly.

How to Enable the Active Directory Recycle Bin 2012 R2

There are some prerequisites you need to tick first.

  • Your forest functional level must be at Windows Server 2012 or higher—this is non-negotiable.
  • All domain controllers in the forest should ideally be running Server 2012 or later to ensure consistency.
  • And, of course, you need the appropriate administrative permissions.

Once you meet all the requirements, you're ready to turn on the Windows Server 2012 Active Directory Recycle Bin.

You've got two main paths to enable the Windows Server 2012 Recycle Bin: the graphical interface and the command line. While the GUI is straightforward for a one-off, PowerShell offers precision and is the tool of choice for scripting and remote management.

Path 1. Use PowerShell to Enable Recycle Bin in Active Directory 2012

For most admins, PowerShell is the way to go. It's fast, scriptable, and leaves no room for ambiguity. Here’s the lowdown on how to enable Active Directory Recycle Bin 2012 R2 with a few keystrokes.

First, fire up Windows PowerShell with administrative privileges on a domain controller or a machine with the RSAT tools installed. The magic command is Enable-ADOptionalFeature. You'll need to specify which feature and the scope. The critical step is targeting the correct feature: the Recycle Bin Feature. You also must decide the scope—affecting the entire forest or just a specific domain. For most organizations, the forest scope is the way to go.

The command looks something like this:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com' -Scope ForestOrConfigurationSet -Target 'yourdomain.com'

Warning: this action is permanent and irreversible for that forest. Once you enable the Recycle Bin in Active Directory 2012, you can't disable it. The system will warn you, so take a breath, double-check your domain context, and then proceed.
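A pre-flight check for the irreversible step above, as an added example rather than code from the original article: it reports the forest, its functional level and the domain controllers' operating systems, stops if the feature is already enabled, and only previews the change with -WhatIf. The minimum level in $minimumMode is taken from the preface (Windows Server 2008 R2) and is an assumption to adjust if your prerequisite differs.

```powershell
# Added example: pre-flight checks before the one-way enable step.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# Assumption: minimum forest functional level as stated in the article's preface.
$minimumMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Forest mode        : $($forest.ForestMode)"

# Operating systems of the domain controllers in the current domain.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem |
    Format-Table -AutoSize

# EnabledScopes is empty until the feature has been turned on.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host 'Recycle Bin is already enabled for:'
    $feature.EnabledScopes | ForEach-Object { Write-Host "  $_" }
    return
}

if ($forest.ForestMode -lt $minimumMode) {
    Write-Warning "Forest mode $($forest.ForestMode) is below $minimumMode; raise it first."
    return
}

# -WhatIf prints the target without changing anything.
# Remove it only after confirming the forest name shown above.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain `
    -WhatIf
```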

Path 2. Enable Windows Server 2012 Active Directory Recycle Bin With GUI

Here is how to enable it through the GUI on Windows Server 2012:

1. Click Start > Administrative Tools in Windows Server 2012.

2. Double-click the Active Directory Administrative Center to open it.

3. Click the domain you have on the left side, and tap Enable Recycle Bin.

4. Hit OK to confirm.

Object Recovery in Windows Server 2012

Whether you're using the Active Directory Administrative Center (ADAC) or PowerShell, the process is refreshingly simple.

Way 1. Restore Windows Server 2012 Object via Active Directory Administrative Center

1. In ADAC, navigate to your domain, and in the left-hand pane, you'll see a new container called "Deleted Objects".

2. Clicking on it reveals all the items sitting in the Windows Server 2012 Recycle Bin.

3. Find what you need, right-click, and select "Restore". You can choose to restore it to its original location or a different one.

Way 2. Restore Windows Server 2012 Object via PowerShell

1. Open PowerShell with administrative privileges.

2. Use the Get-ADObject cmdlet with the -IncludeDeletedObjects parameter to find the item. Run the following command to list all deleted objects:

Get-ADObject -IncludeDeletedObjects -Filter {IsDeleted -eq $true} | Format-List DistinguishedName, ObjectGUID, Name, ObjectClass

3. Note the ObjectGUID or DistinguishedName of the object you want to restore.

4. Use the Restore-ADObject cmdlet with the object's identifier to restore the object to the original location:

Restore-ADObject -Identity "PASTE_OBJECT_GUID_OR_DISTINGUISHED_NAME_HERE"

Replace “PASTE_OBJECT_GUID_OR_DISTINGUISHED_NAME_HERE” with your object's GUID or DistinguishedName.
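The restore steps above narrowed to a single account, as an added example that is not part of the original article: it looks the object up by sAMAccountName, refuses to guess when several deleted objects match, and checks whether the parent container was deleted too before previewing the restore. The account name jdoe and the OU in the commented -TargetPath line are hypothetical.

```powershell
# Added example: targeted restore with a check on the parent container.
Import-Module ActiveDirectory

$sam = 'jdoe'   # hypothetical account name

$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" `
    -Properties lastKnownParent, whenChanged, sAMAccountName

if (-not $deleted) {
    Write-Warning "No deleted object with sAMAccountName '$sam' was found."
    return
}

if (@($deleted).Count -gt 1) {
    # The same name was deleted more than once: choose by ObjectGUID.
    $deleted | Sort-Object whenChanged |
        Format-Table Name, ObjectGUID, whenChanged, lastKnownParent -AutoSize
    return
}

# A parent that was deleted as well now lives under CN=Deleted Objects,
# so restoring the child to its original location would fail.
$parent = $deleted.lastKnownParent
if ($parent -like '*,CN=Deleted Objects,*') {
    Write-Warning "Parent was deleted as well: $parent"
    Write-Warning 'Restore the parent first, or restore to a live OU with -TargetPath.'
    # Restore-ADObject -Identity $deleted.ObjectGUID `
    #     -TargetPath 'OU=Restored,DC=yourdomain,DC=com'   # hypothetical OU
    return
}

Write-Host "Restoring $($deleted.ObjectGUID) to $parent"

# -WhatIf previews the restore; remove it to apply the change.
Restore-ADObject -Identity $deleted.ObjectGUID -WhatIf
```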

The Recycle Bin, like any storage system, has its limits. Deleted objects are retained only for a limited period. This period is usually configured for 180 days, after which the objects are permanently and automatically removed from the system.

FAQs About Windows Server 2012 Recycle Bin

What exactly is the Windows Server 2012 Active Directory Recycle Bin?

A: It is a live, queryable storage feature for deleted AD objects like users and groups. Unlike the old "tombstone" method, it allows instant restoration without a server reboot or full backup recovery.

Can I enable the recycle bin on a Windows Server 2012 R2 domain controller?

A: Yes. The requirement is the forest functional level (Windows Server 2012 or higher), not the individual DC's OS. Once enabled at the forest level, it replicates to all domains.

What is the PowerShell command to enable the Active Directory Recycle Bin?

A: Use Enable-ADOptionalFeature. You must run it as admin with the correct feature identity and forest scope. Example: Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,...' -Scope ForestOrConfigurationSet -Target 'contoso.com'. This action is permanent.

How long do deleted items stay in the Windows Server 2012 Recycle Bin?

A: Items are kept for the "deleted object lifetime," which defaults to 180 days (linked to tombstone lifetime). After this, they are purged permanently.

Is it possible to recover an object deleted before enabling the Recycle Bin?

A: No. The feature only works for deletions that occur after it is enabled. Objects deleted earlier cannot be recovered this way.

How do I permanently delete items from the Recycle Bin for all users?

A: Use PowerShell to empty the Windows Server 2012 Recycle Bin for all users. Execute:

Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects | Remove-ADObject -Confirm:$false

This command permanently deletes all objects in the Recycle Bin. It is irreversible, so you must have a verified backup first.
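A narrower, previewed form of that purge, as an added example rather than the article's own command: it reads the configured retention, skips the Deleted Objects container itself, limits the selection to older deletions, summarises what would go, and runs Remove-ADObject with -WhatIf. The 30-day cut-off is a hypothetical value, and using whenChanged as the deletion time is an assumption.

```powershell
# Added example: inspect retention and preview a scoped purge.
Import-Module ActiveDirectory

# Retention is msDS-DeletedObjectLifetime, falling back to
# tombstoneLifetime when the former is not set.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dirSvc = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

$lifetimeDays = $dirSvc.'msDS-DeletedObjectLifetime'
if (-not $lifetimeDays) { $lifetimeDays = $dirSvc.tombstoneLifetime }
Write-Host "Deleted object lifetime (days): $lifetimeDays"

# Hypothetical cut-off: only objects deleted more than 30 days ago.
$cutoff = (Get-Date).AddDays(-30)

# The Deleted Objects container also has isDeleted set, so exclude it.
# Assumption: whenChanged reflects the time of deletion.
$candidates = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -Properties whenChanged, lastKnownParent |
    Where-Object { $_.whenChanged -lt $cutoff }

Write-Host "Objects selected: $(@($candidates).Count)"

# Summary by object class so unexpected types stand out before anything is removed.
$candidates | Group-Object ObjectClass |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# -WhatIf lists each object that would be purged without deleting it.
$candidates | Remove-ADObject -Confirm:$false -WhatIf
```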

Recover Permanently Deleted Objects in Windows Server

While the Windows Server 2012 Recycle Bin is a powerful tool, it cannot recover objects that were deleted before it was enabled or have been permanently purged from it. In these cases, you must rely on external data recovery software. MyRecover is one such tool designed to scan storage drives for deleted data, including Windows Server system files and Active Directory components. This step-by-step guide explains the process for attempting recovery when the Recycle Bin is not an option.

Important Prerequisites:

  • Backup First: Before attempting any recovery, ensure you have a full, verified system state or bare-metal backup of your domain controller.
  • Stop Write Operations: If a critical deletion just occurred, power down the affected domain controller immediately if possible. Continued operation writes new data to the drive, overwriting the deleted files you want to recover.

Step-by-Step Guide to Recover Permanently Deleted Objects with MyRecover

1. Download and install MyRecover on your Windows Server 2012 (R2). Do not install it on the same drive you are trying to recover from.

2. Open MyRecover, tap Deleted Files Recovery, then choose the drive where the deleted objects were located before, and hit Scan. Wait for it to complete and hit OK.

3. Preview the files and ensure they are intact, tick the objects you need, and hit Recover.

4. Choose a different location to keep them safe.

 

Tips:

  • MyRecover provides different scan modes, including quick and deep scan. A quick scan will not suffice for recovering older or system-level deletions. The deep scan will thoroughly analyze the drive's sectors and may take several hours depending on the drive's size and speed.
  • Use the Path Filter or navigate the tree view to look for the NTDS folder (typically C:\Windows\NTDS), which contains the Active Directory database (ntds.dit) and transaction logs.
  • Never save the recovered ntds.dit file back to the original server drive, as this will overwrite data.

Recovering the ntds.dit file is only half the battle. You cannot simply copy it back into a running server. You must perform an Authoritative Restore in Directory Services Restore Mode (DSRM), which is a complex and disruptive process:

1. Boot your domain controller into Directory Services Restore Mode.

2. Use ntdsutil to create a backup of the current, damaged database.

3. Replace the existing ntds.dit in the NTDS folder with the one you recovered using MyRecover.

4. Within ntdsutil, mark the specific deleted object or entire subtree as authoritative so it replicates to other domain controllers.

5. Reboot the server normally and allow replication.
