How to recover a deleted Active Directory object 

Most organizations today are still running Active Directory on-premises as their identity and access management solution. Many businesses are also synchronizing it with cloud directories as part of a hybrid configuration. Recovering Active Directory and deleted objects is an important part of an overall disaster recovery strategy – so let’s look at how to recover a deleted Active Directory account step-by-step.  

Disaster recovery for Active Directory is extremely important 

Businesses need to give due attention to Active Directory as part of their overall disaster recovery strategy. Since Active Directory is usually the central identity and access management solution in the enterprise datacenter, losing access to it can cause major issues. 

If most organizations are running Active Directory on-premises, they synchronize their directories with cloud directories like Microsoft Entra ID. So, maintaining access to Active Directory Domain Services is important. Internal apps may use SQL Server connections, which rely on Microsoft Active Directory for service principal names. If Active Directory goes down, these will likely have issues. 

Active Directory recycle bin 

The Active Directory recycle bin is a key part of a strategy to be able to easily recover Active Directory objects that have been deleted. However, it first needs to be enabled. What exactly is the Active Directory recycle bin? The Active Directory recycle bin is a special container in Active Directory that was introduced with Windows Server 2008 R2 and newer domain controllers. When you enable it, deleted Active Directory objects are stored in the recycle bin for the configured amount of time. 

How long do objects stay in recycle bin? 

It’s important to understand how long objects stay in the Active Directory recycle bin in case you need to recover them. There’s an attribute configured in Active Directory that determines the period of time objects remain in the recycle bin. The attribute is the tombstoneLifetime. You can configure this to a custom value. However, the default values for this value are the following: 

  • Windows Server 2008 R2 and later: The default tombstone lifetime is 180 days.
  • Older versions: The default tombstone lifetime is 60 days

You can check the value that is configured for your domain with PowerShell. Run the following from one of your domain controllers, replacing the domain portion with the values for your domain:

Get-ADObject -SearchBase "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -Filter * -Property tombstoneLifetime | Select-Object -ExpandProperty tombstoneLifetime 

Below, you can see the value of 180 days in the test domain.  

Powershell window with code to check the length of time objects stay in the recycle bin

So, just note that the recycle bin will not keep objects around forever. You will need to decide whether or not you want to restore these objects during the tombstone lifetime interval. 

Configuring Active Directory recycle bin 

Now, let’s look briefly at configuring the Active Directory recycle bin and how this is done. First, navigate to and open the Active Directory Administrative Center. Then on the right hand side under the Tasks pane, you will see the option to Enable Recycle Bin

Enable recycle bin in Active Directory

Once you click to Enable the Recycle Bin, you will see the Enable Recycle Bin Confirmation dialog box. Click OK on the box to enable it. As the message reads, it is important to note that once enabled, it cannot be disabled. 

Confirm enable recycle bin Active Directory
Enable Recycle Bin confirmation

You will need to give replication time to replicate the changes across your domain if you have multiple domain controllers.  

The recycle bin is enabled and needs time to replicate across the domain
The recycle bin is enabled and needs time to replicate across the domain

Once you have enabled it, if you refresh your Active Directory Administrative Center interface, you will now see the Enable Recycle Bin link is greyed out: 

The Enable Recycle Bin is greyed out after it has been enabled
The Enable Recycle Bin is greyed out after it has been enabled

Now that we have the Active Directory recycle bin enabled, we can look at the process to use it to recover a deleted AD object. 

Recovering a deleted AD object 

Let’s say that an admin accidentally or intentionally deleted the wrong users from Active Directory. Or, maybe an automated script wasn’t tested and it targeted the wrong users. The objects get deleted. Often disaster recovery events do not come from malicious users or behavior, but accidental deletions and other actions. 

Deleting users in Active Directory
Deleting users in Active Directory

If we go back to the Active Directory Administrative Center, we will see that we have a folder under the Domain called Deleted Objects. This is the special container that is created when we enable the Active Directory recycle bin. 

Viewing the deleted objects container in AD
Viewing the deleted objects container

Now, if we double click the folder, we will see any objects that have been deleted within the 180 day tombstone interval (in this example domain). If we double-click the special folder in the administrative center, we will see the two objects that were deleted. 

Viewing deleted objects in the Active Directory recycle bin deleted objects folder
Viewing deleted objects in the Active Directory recycle bin deleted objects folder

If we click and select the users, and then right-click, we get the options to ‘restore’ or ‘restore to’: 

  • Restore – will restore the objects to the same location in Active Directory 
  • Restore to – will give you the option to select where you want to restore the objects 
Viewing the restore options in Active Directory recycle bin
Viewing the restore options in Active Directory recycle bin

If we select to restore, the objects will disappear as they have been restored back to the original location. 

Screenshot of the deleted AD objects that are restored
The objects are restored

Before refreshing Active Directory Users and Computers, we see that testuser and testuser1 are not there: 

Before refreshing Active Recovery, after the restore
Before refreshing after the restore

After we refresh the view of the OU in ADUC, we can see the two users appear once again. 

The deleted objects are recovered in the Active Directory OU
The deleted objects are recovered in the Active Directory OU

Using PowerShell for the recycle bin 

We can also use PowerShell to interact with the Active Directory recycle bin. You can use the cmdlet below to browse objects: 

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Property * | Format-List Name,ObjectGUID,Deleted,DistinguishedName 

This will return a list of deleted objects that you can then use to restore using PowerShell. You can restore an object with PowerShell using the ObjectGUID or the Distinguished Name using the following cmdlets. 

Restore-ADObject -Identity <ObjectGUID> 

Restore-ADObject -Identity "CN=Your User,OU=Users,DC=yourdomain,DC=com" 

Limitations of the Active Directory recycle bin 

There are a few limitations of the AD recycle bin to be aware of when using it for a type of disaster recovery in your environment. These include the following limitations: 

  • The AD recycle bin is not enabled by default. So, if it isn’t enabled before the deletion event, it won’t help you 
  • It doesn’t protect you against hardware failure of your domain controllers 
  • It doesn’t store any set of “versions” of the object  
  • It only stores the last version of the deleted object and does not allow you to rollback changes of object attributes 

Businesses need to recognize these limitations and have the means to back-up and restore their Active Directory infrastructure using other data protection tools. While it isn’t a back-up of your Active Directory, the recycle bin can work in conjunction with back-ups as a very quick and easy way to recover objects when needed. 

Keep your Active Directory secure 

Recovering Active Directory objects is an extremely important task that may come up from time to time. The Active Directory recycle bin is a built-in tool you can enable, which allows quick recovery of AD objects. You can easily enable this with the Active Directory Administrative Center and also recover objects from there as well. As expected, you can also use PowerShell to interact with the Active Directory recycle bin. Be aware of the limitations of the AD recycle bin, such as no versioning and the fact that you can’t granularly restore attributes. 

In addition to making sure you are backing up your Active Directory objects and using things like the AD recycle bin, increasing password security across the board is a great way to make sure your Active Directory environment is more secure. Specops Password Policy continuously scans your Active Directory against our database of 4 billion unique compromised passwords, alerting end users if they’re using breached credentials. Try a live demo and see how Specops Password Policy could fit in with your organization.   

Any questions related to securing your Active Directory? We’d be happy to help – speak to an expert today 

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Back to Blog