ANAVEM
fr
Reference
Masterclassmedium

How to Enable Active Directory Recycle Bin on Windows Server 2022

Emanuel DE ALMEIDA
3/13/2026 15 MIN 0 VIEWS

Executive Summary

Enable and configure Active Directory Recycle Bin to recover deleted AD objects without backups. Learn both PowerShell and GUI methods with verification steps.

What are the prerequisites for enabling Active Directory Recycle Bin on Windows Server 2022?

Before diving into the configuration, let's verify your environment meets all requirements. The Active Directory Recycle Bin feature requires specific conditions that must be met before activation.

Open an elevated PowerShell session and check your forest functional level:

Import-Module ActiveDirectory
Get-ADForest | Format-List FunctionalLevel

The output must show Windows2008R2Forest or higher. If you see Windows2008Forest or lower, you'll need to raise the functional level first using adprep.exe or the GUI.

Next, verify your schema version meets the minimum requirement of version 47:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Check that all domain controllers are online and replicating properly:

repadmin /showrepl
Warning: Enabling AD Recycle Bin is completely irreversible. Once enabled, you cannot disable it. All existing tombstone objects will be permanently deleted when you activate the feature.

How do you enable Active Directory Recycle Bin using the GUI method?

The graphical method provides visual confirmation and is perfect for one-time setup. Open Server Manager and navigate to Tools > Active Directory Administrative Center, or run dsac.exe from an elevated command prompt.

In ADAC, select your domain from the left navigation pane. If your domain isn't visible, click Manage > Add Navigation Nodes and add your domain manually.

Look for the Tasks pane on the right side and click Enable Recycle Bin. A warning dialog will appear explaining that this action is irreversible and will delete existing tombstone objects. Click OK to proceed with the activation.

A second dialog will prompt you to refresh the Administrative Center. Click OK and then press F5 or click the refresh icon to update the interface.

After refreshing, verify the activation by checking that the "Enable Recycle Bin" option is now grayed out and a new "Deleted Objects" container appears in your domain navigation tree.

Pro tip: If you have multiple domains in your forest, enabling the Recycle Bin in one domain automatically enables it forest-wide for all domains. You only need to perform this operation once per forest.

What PowerShell commands enable Active Directory Recycle Bin?

For automation scenarios or when GUI access isn't available, PowerShell provides a scriptable solution. First, gather the required forest information:

$ForestDN = (Get-ADRootDSE).rootDomainNamingContext
$ForestName = (Get-ADForest).Name
Write-Host "Forest DN: $ForestDN"
Write-Host "Forest Name: $ForestName"

Now enable the Recycle Bin feature using the Enable-ADOptionalFeature cmdlet with the exact distinguished name path:

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Services,CN=Configuration,$ForestDN" -Scope ForestOrConfigurationSet -Target $ForestName

When prompted, type Y and press Enter to confirm this irreversible operation.

Verify successful activation by checking the feature status:

Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' | Format-List Name,EnabledScopes

The EnabledScopes property should display your forest DN, confirming the feature is active across your entire forest.

How do you configure deleted object lifetime settings in Active Directory?

The default retention period for deleted objects is 180 days, but you can adjust this based on your organization's recovery requirements. Check the current deletedObjectLifetime setting:

Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties deletedObjectLifetime | Format-List deletedObjectLifetime

If the value shows <not set>, the system uses the default 180-day retention. To modify this setting (for example, extending it to 365 days):

Set-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Replace @{deletedObjectLifetime=365}

Also verify the tombstone lifetime setting, which determines when objects are permanently purged from the system:

Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime | Format-List tombstoneLifetime

The tombstone lifetime should always be longer than the deleted object lifetime to ensure proper cleanup sequencing.

Pro tip: Align your deletedObjectLifetime with your backup retention policy. This provides multiple recovery options and ensures you're not relying solely on the Recycle Bin for long-term recovery scenarios.

How do you test and verify Active Directory Recycle Bin functionality?

Testing the Recycle Bin ensures it works correctly before you need it in an emergency. Create a test organizational unit in ADAC by right-clicking your domain and selecting New > Organizational Unit. Name it "Test-RecycleBin-OU" for easy identification.

After creating the OU, right-click it and select Delete. Confirm the deletion when prompted by the system.

Navigate to the Deleted Objects container in ADAC. You should see your deleted OU listed with a red X icon and additional metadata showing when it was deleted and its original location.

To restore the object, right-click the deleted OU and select Restore to return it to its original location. Alternatively, choose "Restore To" to specify a different parent container for the restored object.

Verify the restoration by navigating back to your domain root and confirming the OU appears with all its original properties intact.

What PowerShell commands recover deleted Active Directory objects?

PowerShell provides powerful capabilities for bulk recovery operations and automation. To view all deleted objects in your domain:

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,LastKnownParent | Format-Table Name,Deleted,LastKnownParent -AutoSize

To restore a specific object by name:

Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects | Restore-ADObject

For more complex recovery scenarios, you can restore objects to different locations:

$DeletedObject = Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects
Restore-ADObject -Identity $DeletedObject -TargetPath "OU=Restored,DC=yourdomain,DC=com"

To perform bulk recovery of recently deleted objects (within the last 24 hours):

$Yesterday = (Get-Date).AddDays(-1)
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Deleted | Where-Object {$_.Deleted -gt $Yesterday} | Restore-ADObject

Verify successful recovery by querying for the objects without the -IncludeDeletedObjects parameter to confirm they're visible in normal AD operations.

How do you monitor and maintain Active Directory Recycle Bin performance?

Regular monitoring prevents performance issues and ensures the Recycle Bin operates efficiently. Create a monitoring script to track deleted objects count and age distribution:

$DeletedObjects = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,objectClass
$TotalCount = $DeletedObjects.Count
$OldObjects = $DeletedObjects | Where-Object {$_.Deleted -lt (Get-Date).AddDays(-150)}

Write-Host "Total deleted objects: $TotalCount"
Write-Host "Objects older than 150 days: $($OldObjects.Count)"

# Group by object type for analysis
$DeletedObjects | Group-Object objectClass | Sort-Object Count -Descending | Format-Table Name,Count

Schedule this script to run weekly and alert administrators if the deleted object count grows unexpectedly large, which could indicate bulk deletion events or potential security issues.

Monitor replication health to ensure deleted objects replicate properly across all domain controllers:

repadmin /replsummary

Check for replication errors that might affect Recycle Bin functionality:

repadmin /showrepl * /errorsonly
Warning: Large numbers of deleted objects can impact Active Directory performance. Consider purging very old deleted objects if your Recycle Bin contains thousands of items and you have adequate backup coverage for those time periods.

What backup strategies complement Active Directory Recycle Bin?

While the Recycle Bin provides excellent protection against accidental deletions, it doesn't replace a comprehensive backup strategy. The Recycle Bin cannot protect against AD database corruption, malicious bulk deletions exceeding your retention period, or attribute modifications (it only protects deletions).

Configure Windows Server Backup for regular system state backups:

wbadmin start systemstatebackup -backupTarget:E: -quiet

Document comprehensive recovery procedures and train your team on both Recycle Bin recovery and traditional authoritative restore methods. Your recovery runbook should include step-by-step procedures for identifying deleted objects, PowerShell commands for bulk recovery, escalation procedures for complex scenarios, and contact information for senior administrators.

Test your recovery procedures quarterly by deliberately deleting test objects and recovering them using both GUI and PowerShell methods. This ensures your team can execute recovery operations efficiently during actual incidents.

Verify that your backup strategy covers both Recycle Bin recovery scenarios and traditional authoritative restore situations. Test these procedures in a lab environment before implementing them in production to avoid surprises during critical recovery operations.

Pro tip: Create custom PowerShell functions for common recovery tasks and store them in your PowerShell profile. This significantly speeds up recovery operations during high-stress situations when every minute counts.

Step-by-Step Implementation

1

Verify Prerequisites and Forest Functional Level

Before enabling the Recycle Bin, check your forest meets the minimum requirements. Open an elevated PowerShell session and verify your forest functional level.

Import-Module ActiveDirectory
Get-ADForest | Format-List FunctionalLevel

The output should show Windows2008R2Forest or higher. If it shows Windows2008Forest or lower, you'll need to raise the functional level first.

Next, verify your schema version meets requirements:

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

The objectVersion should be 47 or higher. Also check that all domain controllers are replicating properly:

repadmin /showrepl
Warning: Enabling AD Recycle Bin is irreversible. Once enabled, you cannot disable it. All existing tombstone objects will be permanently deleted when you enable the feature.
2

Enable Recycle Bin Using Active Directory Administrative Center

The GUI method is straightforward and provides visual confirmation. Open Server Manager and navigate to Tools > Active Directory Administrative Center, or run dsac.exe from an elevated command prompt.

In ADAC, select your domain from the left navigation pane. If your domain isn't visible, click Manage > Add Navigation Nodes and add your domain.

In the Tasks pane on the right, click Enable Recycle Bin. You'll see a warning dialog explaining that this action is irreversible and will delete existing tombstone objects. Click OK to proceed.

A second dialog will appear asking you to refresh the Administrative Center. Click OK and then press F5 or click the refresh icon.

Verification: After refreshing, the "Enable Recycle Bin" option should be grayed out, and you should see a new "Deleted Objects" container in your domain navigation.

Pro tip: If you have multiple domains in your forest, enabling the Recycle Bin in one domain automatically enables it forest-wide for all domains.
3

Enable Recycle Bin Using PowerShell Commands

For automation or when GUI access isn't available, use PowerShell. First, get your forest root domain name and distinguished name:

$ForestDN = (Get-ADRootDSE).rootDomainNamingContext
$ForestName = (Get-ADForest).Name
Write-Host "Forest DN: $ForestDN"
Write-Host "Forest Name: $ForestName"

Now enable the Recycle Bin feature using the Enable-ADOptionalFeature cmdlet:

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Services,CN=Configuration,$ForestDN" -Scope ForestOrConfigurationSet -Target $ForestName

When prompted, type Y and press Enter to confirm the irreversible operation.

Verification: Check that the feature is enabled:

Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' | Format-List Name,EnabledScopes

The EnabledScopes should show your forest DN, confirming successful activation.

4

Configure Deleted Object Lifetime Settings

By default, deleted objects remain in the Recycle Bin for 180 days (deletedObjectLifetime). You can modify this value based on your organization's needs. Check the current setting:

Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties deletedObjectLifetime | Format-List deletedObjectLifetime

If the value is <not set>, it defaults to 180 days. To modify it (for example, to 365 days):

Set-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Replace @{deletedObjectLifetime=365}

Also check the tombstone lifetime, which determines when objects are permanently purged:

Get-ADObject "CN=Directory Service,CN=Services,CN=Configuration,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime | Format-List tombstoneLifetime

The tombstone lifetime should be longer than the deleted object lifetime to ensure proper cleanup.

Pro tip: Set deletedObjectLifetime to match your backup retention policy. This ensures you have multiple recovery options available.
5

Test Object Deletion and Recovery via GUI

Create a test organizational unit to verify the Recycle Bin functionality. In ADAC, right-click your domain and select New > Organizational Unit. Name it "Test-RecycleBin-OU".

After creating the OU, right-click it and select Delete. Confirm the deletion when prompted.

Now navigate to the Deleted Objects container in ADAC. You should see your deleted OU listed with a red X icon and additional attributes showing when it was deleted.

To restore the object, right-click the deleted OU and select Restore. The object will be restored to its original location. Alternatively, select "Restore To" to choose a different parent container.

Verification: Navigate back to your domain root and confirm the OU has been restored with all its original properties intact.

Clean up by deleting the test OU again (you can leave it in Deleted Objects for future testing).

6

Recover Deleted Objects Using PowerShell

PowerShell provides more flexibility for bulk operations and scripting. To view all deleted objects in your domain:

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,LastKnownParent | Format-Table Name,Deleted,LastKnownParent -AutoSize

To restore a specific object by name (replace "Test-RecycleBin-OU" with your object name):

Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects | Restore-ADObject

For more complex scenarios, you can restore objects to different locations:

$DeletedObject = Get-ADObject -Filter 'isDeleted -eq $true -and Name -eq "Test-RecycleBin-OU"' -IncludeDeletedObjects
Restore-ADObject -Identity $DeletedObject -TargetPath "OU=Restored,DC=yourdomain,DC=com"

To restore all objects deleted within the last 24 hours:

$Yesterday = (Get-Date).AddDays(-1)
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Deleted | Where-Object {$_.Deleted -gt $Yesterday} | Restore-ADObject

Verification: Use Get-ADObject without the -IncludeDeletedObjects parameter to confirm restored objects are visible in normal AD queries.

7

Monitor and Maintain the Recycle Bin

Regular monitoring ensures the Recycle Bin functions properly and doesn't consume excessive space. Create a monitoring script to check deleted objects count and age:

$DeletedObjects = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties Name,Deleted,objectClass
$TotalCount = $DeletedObjects.Count
$OldObjects = $DeletedObjects | Where-Object {$_.Deleted -lt (Get-Date).AddDays(-150)}

Write-Host "Total deleted objects: $TotalCount"
Write-Host "Objects older than 150 days: $($OldObjects.Count)"

# Group by object type
$DeletedObjects | Group-Object objectClass | Sort-Object Count -Descending | Format-Table Name,Count

Set up a scheduled task to run this script weekly and alert administrators if the count grows unexpectedly large.

Monitor replication health to ensure deleted objects replicate properly across all domain controllers:

repadmin /replsummary

Check for any replication errors that might affect Recycle Bin functionality:

repadmin /showrepl * /errorsonly
Warning: Large numbers of deleted objects can impact AD performance. Consider purging very old deleted objects if your Recycle Bin contains thousands of items and you have adequate backup coverage.
8

Implement Backup Strategy and Best Practices

While the Recycle Bin provides excellent protection against accidental deletions, maintain a comprehensive backup strategy. The Recycle Bin doesn't protect against:

  • Corruption of AD database
  • Malicious bulk deletions that exceed your retention period
  • Attribute modifications (only deletions are protected)

Configure Windows Server Backup to create regular system state backups:

wbadmin start systemstatebackup -backupTarget:E: -quiet

Document your recovery procedures and train your team on both Recycle Bin recovery and authoritative restore procedures. Create a recovery runbook that includes:

  • Steps to identify deleted objects
  • PowerShell commands for bulk recovery
  • Escalation procedures for complex scenarios
  • Contact information for senior administrators

Test your recovery procedures quarterly by deliberately deleting test objects and recovering them using both GUI and PowerShell methods.

Verification: Ensure your backup strategy covers both Recycle Bin recovery and traditional authoritative restore scenarios. Test restore procedures in a lab environment before implementing in production.

Pro tip: Create PowerShell functions for common recovery tasks and store them in your PowerShell profile. This speeds up recovery operations during stressful situations.

Further Intelligence

Deepen your knowledge with related resources

Configure OneDrive Auto Sign-in Using Microsoft Intune
tutorial
Cloud Computing

Configure OneDrive Auto Sign-in Using Microsoft Intune

Deep Dive
Change User Profile Folder Name in Windows 11 25H2
tutorial
Windows

Change User Profile Folder Name in Windows 11 25H2

Deep Dive
Block USB Drives Using Microsoft Intune Attack Surface Reduction Policies
tutorial
Cybersecurity

Block USB Drives Using Microsoft Intune Attack Surface Reduction Policies

Deep Dive

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...