How to Enable Recycle Bin in Active Directory

Learn how to enable the Active Directory Recycle Bin and restore deleted AD objects with this step-by-step guide for IT admins.

Active Directory (AD) serves as the backbone of identity management for countless organizations worldwide, with its database containing critical user accounts, groups, and security policies. The accidental deletion of these objects can disrupt business operations and create significant administrative challenges when no proper recovery mechanism is in place.

The Active Directory Recycle Bin feature provides administrators with a safety net, allowing quick restoration of deleted objects without complex backup restoration procedures. It preserves all object attributes and group memberships, dramatically simplifying what was once a tedious recovery process.

Organizations that implement the Active Directory Recycle Bin gain operational resilience against common administrative errors while maintaining business continuity. The feature is a critical component of any comprehensive AD management strategy, particularly for enterprises that cannot afford extended downtime or data loss.

What is the Active Directory Recycle Bin?

The Active Directory Recycle Bin functions similarly to the Windows Recycle Bin on desktop computers, integrating with standard AD operations to provide a recovery mechanism for deleted objects. When enabled, it preserves deleted objects in a recoverable state, maintaining their attribute values and group memberships for easier restoration.
Administrators can access this functionality through both the Active Directory Administrative Center (ADAC) and PowerShell, so it is available regardless of management preference.

In AD environments, deleted objects pass through two distinct states: "deleted" and "recycled." In the deleted state, most object attributes remain intact and recoverable, while in the recycled state most attributes are stripped away, making recovery significantly more difficult. Without the Active Directory Recycle Bin enabled, objects immediately enter a "tombstone" state, where many attributes are permanently lost, complicating recovery efforts.

For legacy Windows Server forests, the Active Directory Recycle Bin feature is disabled by default and requires explicit activation. The feature first became available in Windows Server 2008 R2 and requires a forest functional level of at least Windows Server 2008 R2. Once enabled, the change applies forest-wide and cannot be reversed, so proper planning is essential before activation.

Deleted vs. Recycled Object States

This table compares the key differences between deleted and recycled object states in AD:

State | Retention period | Attributes preserved | Recovery complexity | Business impact
Deleted | 180 days (default) | Most attributes, including group memberships | Low: full recovery possible | Minimal disruption
Recycled | After the deleted retention period expires | Minimal attributes; most are stripped | High: limited recovery options | Potential data loss

How to Enable Active Directory Recycle Bin

Enabling the Active Directory Recycle Bin requires careful preparation because it is irreversible. The process can be completed through either the graphical interface of the ADAC or PowerShell commands, depending on administrator preference and environment requirements. Before proceeding with activation, several prerequisites must be met.
Most importantly, the forest functional level must be Windows Server 2008 R2 or higher, and the administrator must have the appropriate permissions within the forest to make this change.

Follow these steps to enable the Active Directory Recycle Bin through the ADAC:

1. Log in to a domain controller with an account that has Enterprise Admin privileges.
2. Open the ADAC.
3. In the navigation pane, right-click the domain name and select "Raise Forest Functional Level" if the forest is not already at Windows Server 2008 R2 or higher.
4. Navigate to the forest root domain in ADAC.
5. In the Tasks pane, click "Enable Recycle Bin."
6. Review the warning message about the irreversible nature of this action.
7. Click "OK" to confirm and enable the feature.
8. Wait for replication to complete across all domain controllers.

Alternatively, administrators can enable the feature from PowerShell with the following command (replace <YourForestName> with the DNS name of the forest):

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <YourForestName>

Prerequisites for Enabling Active Directory Recycle Bin

Before enabling the Active Directory Recycle Bin, verify that your environment meets these prerequisites:

Forest functional level: Windows Server 2008 R2 or higher. Verify with Get-ADForest | Format-List ForestMode in PowerShell.
Administrative rights: Enterprise Admins group membership. Verify with whoami /groups in Command Prompt.
Domain controller availability: all DCs must be online for proper replication. Verify replication status with repadmin /showrepl.
AD schema version: 47 or higher. Verify with Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion in PowerShell.

Best Practices for Recovering AD Objects

Monitoring tombstone and retention settings plays a crucial role in successful data recovery operations.
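The prerequisite checks from the table above and the PowerShell activation, combined into one script. This is an added example, not code from the page or from Commvault; it assumes the ActiveDirectory module from a Windows Server 2012 or later RSAT (Get-ADReplicationFailure stands in for repadmin /showrepl) and an Enterprise Admin session.

```powershell
# Added example (not from the original page): verify the prerequisites, then
# enable the AD Recycle Bin. The forest name is read from Get-ADForest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootDse  = Get-ADRootDSE
$problems = @()

# Forest functional level must be Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    $problems += "Forest functional level is $($forest.ForestMode); raise it to 2008 R2 or higher first."
}

# Schema objectVersion 47 corresponds to Windows Server 2008 R2.
$schema = Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 47) {
    $problems += "Schema version is $($schema.objectVersion); 47 or higher is required."
}

# All DCs should be replicating cleanly before a forest-wide, irreversible change.
$replFailures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
if ($replFailures) {
    $servers = ($replFailures.Server | Sort-Object -Unique) -join ', '
    $problems += "Replication failures reported on: $servers"
}

# EnabledScopes is non-empty once the feature has been enabled in this forest.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin Feature is already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Prerequisites not met; Recycle Bin was NOT enabled."
}

# Irreversible, forest-wide change: the cmdlet prompts for confirmation by default.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name

# Verify on the DC you are connected to; the other DCs receive it via replication.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes
```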
The default retention period for deleted objects is 180 days, but it can be customized to align with organizational requirements and compliance needs. Regular verification of these settings helps maintain optimal recovery capabilities and prevents unexpected data loss from expired retention periods.

Documentation forms the cornerstone of effective recovery procedures. When restoring deleted accounts, administrators should keep detailed records of the recovery process, including verification of group memberships, security permissions, and other critical attributes. This documentation serves as both an audit trail and a reference for future recovery operations, reducing the risk of incomplete restorations.

Regular testing of both the Recycle Bin functionality and traditional backup solutions validates recovery capabilities and identifies potential issues before they affect real recovery scenarios. These tests should simulate various deletion scenarios and recovery requirements to provide comprehensive validation of recovery procedures.
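One way to act on the retention monitoring and group membership verification practices above, and on the Restore-ADObject recovery described later on this page, as an added example (not code from the page or from Commvault). It assumes the Recycle Bin is already enabled and the ActiveDirectory module is available; the account name jdoe and the expected group DN are placeholders.

```powershell
# Added example (not from the original page): report retention settings, find a
# deleted user by sAMAccountName, restore it (and a deleted parent container, if
# any) and verify its group memberships afterwards. 'jdoe' and the group DN are placeholders.
Import-Module ActiveDirectory

# Retention settings live on the Directory Service object in the configuration partition.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
    -Properties tombstoneLifetime, msDS-DeletedObjectLifetime
$tsl = $dsCfg.tombstoneLifetime
$dol = $dsCfg.'msDS-DeletedObjectLifetime'
# An unset msDS-DeletedObjectLifetime inherits tombstoneLifetime; 180 is the default this page describes.
$effectiveDol = if ($dol) { $dol } elseif ($tsl) { $tsl } else { 180 }
Write-Host "tombstoneLifetime=$tsl  msDS-DeletedObjectLifetime=$dol  effective window=$effectiveDol days"

# Find the most recently deleted object with this account name.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties isDeleted, isRecycled, whenChanged, lastKnownParent |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deleted) { throw "No deleted object with sAMAccountName 'jdoe' found." }
if ($deleted.isRecycled) { throw "Object is already recycled; Restore-ADObject cannot recover it. Use a backup." }

# whenChanged is stamped at deletion, so it approximates how long the object has been deleted.
$ageDays = [int]((Get-Date) - $deleted.whenChanged).TotalDays
Write-Host "Deleted object $($deleted.ObjectGUID): $ageDays of $effectiveDol days used; last parent $($deleted.lastKnownParent)"

# Restore-ADObject fails if the original container is itself deleted, so restore one
# level of parent first (repeat for deeper chains).
$parent = Get-ADObject -Identity $deleted.lastKnownParent -IncludeDeletedObjects -Properties isDeleted
if ($parent.isDeleted) {
    Write-Host "Parent $($parent.ObjectGUID) is also deleted; restoring it first."
    Restore-ADObject -Identity $parent.ObjectGUID
}
Restore-ADObject -Identity $deleted.ObjectGUID

# Verify what the page calls out: group memberships should come back with the object.
$restored = Get-ADUser -Identity jdoe -Properties memberOf
$expectedGroups = @('CN=Finance Users,OU=Groups,DC=corp,DC=example')   # placeholder DNs to check
$missing = $expectedGroups | Where-Object { $restored.memberOf -notcontains $_ }
if ($missing) { Write-Warning "Restored, but missing memberships: $($missing -join ', ')" }
else { Write-Host "Restored $($restored.DistinguishedName) with $($restored.memberOf.Count) group memberships." }
```

Record the printed values and the membership check in the recovery log the page recommends keeping.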
Best Practices for AD Object Recovery

Best practice | Description | Benefits
Monitor retention settings | Regularly verify and adjust tombstone lifetime and deleted object retention periods | Prevents premature object purging and maximizes the recovery window
Document recovery procedures | Maintain detailed records of recovery steps and object attributes | Creates an audit trail and speeds future recoveries
Implement least privilege | Restrict deletion capabilities to authorized administrators only | Reduces accidental deletion incidents
Regular recovery testing | Schedule quarterly tests of object recovery procedures | Validates processes and identifies potential issues proactively
Group membership verification | Verify all group memberships after object restoration | Helps prevent access issues and security gaps post-recovery

Additional Recovery Options for AD Objects

Windows Server backups provide a comprehensive recovery option when the Recycle Bin cannot address a specific scenario. System State backups capture the entire AD database, allowing authoritative restores when needed. This approach is particularly valuable for recovering objects whose retention period has expired or for recovering from more catastrophic failures.

PowerShell offers command-line capabilities for targeted recovery through cmdlets such as Restore-ADObject. This approach provides granular control over the recovery process, allowing administrators to specify exactly which objects to restore and how to handle any conflicts during restoration.

The following points highlight how the recovery approaches differ depending on the tool used:

Windows Server Backup recovery:
- Requires taking the domain controller offline during recovery.
- Restores the entire system state, including the AD database.
- More time-consuming, but recovers objects regardless of retention period.
- Requires careful handling of authoritative versus non-authoritative restoration.

PowerShell recovery:
- Can be performed while the domain controller remains online.
- Allows selective, granular recovery of specific objects.
- Limited to objects still within the retention period.
- Preserves most object attributes when the Recycle Bin is used.

Case Study: Bilthoven Biologicals Recovers from Ransomware Attack

Bilthoven Biologicals (BBio), a pharmaceutical company specializing in vaccine production, faced a critical test of its data recovery capabilities when it experienced a major ransomware attack. The attack began with users reporting that they could not access files or log in to systems, which led IT Consultant Paul Vries to discover a ransom note demanding payment for decryption of its files.

"The ransomware spread through the domain field and the factory. Basically, everything connected to the Active Directory was compromised," said Vries. The impact was immediate and potentially devastating for a company handling sensitive pharmaceutical data. BBio's response team had to act quickly to contain the spread and assess the damage.

The company's first response was methodical: disconnect the network and shut down infected servers and virtual machines while keeping unaffected systems running to minimize disruption to vaccine production. It also prioritized clear communication with employees about the situation to maintain operational awareness throughout the organization.

By the second day of the attack, Vries and the team had brought the AD and their backup environment back online. The recovery process benefited significantly from the intuitive interface of their backup solution. "We love the simplicity of the dashboard.
With just a few clicks, we can restore a virtual machine or backups after an attack, which is vital in our line of work as a pharmaceutical company with very sensitive data," Vries explained.

The recovery effort involved round-the-clock work, with team members taking shifts to restore services through the night. Through this coordinated effort between the internal IT team and its managed service provider, BBio fully restored services across multiple offices and its factory in just nine days. Vries noted that without proper backups made before the attack, "the situation could have been much worse."

This incident highlighted several critical lessons for BBio:
- The necessity of a formal disaster recovery plan, which it lacked at the time of the attack.
- The importance of keeping critical backup infrastructure separated from the domain to prevent encryption during an attack.
- The value of implementing air gap protection for its hybrid environment.

Following the attack, BBio made several improvements to its data protection strategy, including developing a comprehensive disaster recovery plan that prioritizes critical systems and establishes a clear recovery sequence. It also strengthened its ransomware protection by implementing air gap protection for its hybrid cloud and on-premises environment.

"With proper protection, we can easily manage, protect, and recover data in the cloud and on-premises, even in the worst-case scenario," said Vries, reflecting the company's renewed confidence in its data resilience strategy.

How Commvault Supports AD

Commvault delivers comprehensive protection for AD environments through automated backup and recovery solutions for both on-premises and cloud-based deployments.
The platform's intelligent automation capabilities minimize administrative overhead while maximizing data protection, creating consistent, application-aware backups that maintain the integrity of the AD database and its objects.

While the native Active Directory Recycle Bin provides basic recovery capabilities, Commvault complements and extends these features with enhanced recovery workflows. Commvault's solutions offer simplified, guided recovery processes that reduce the technical complexity often associated with AD restoration, enabling even less experienced administrators to perform successful recoveries with confidence.

Commvault's granular restore capabilities allow administrators to recover specific AD objects, attributes, or entire organizational units without disrupting the broader environment. This precision helps minimize downtime during recovery operations while maintaining business continuity throughout the process. The platform also maintains detailed recovery logs and audit trails, supporting compliance requirements and providing documentation for regulatory purposes.

Commvault AD Protection Features

The table highlights key features of Commvault's AD protection capabilities:

Feature | Description
Automated backup | Scheduled, consistent backups of AD databases with application awareness
Enhanced recovery workflow | Guided, simplified recovery processes with clear step-by-step instructions
Granular restore options | Ability to recover specific objects, attributes, or organizational units
Multi-environment support | Protection across on-premises, hybrid, and cloud AD deployments
Compliance documentation | Detailed audit trails and recovery reporting to support regulatory requirements

AD protection requires a comprehensive strategy that goes beyond native tools and basic backup solutions. Organizations need robust, automated solutions that protect AD data across hybrid environments while supporting rapid recovery when needed.
By implementing both the Active Directory Recycle Bin and enterprise-grade backup solutions, organizations create multiple layers of protection for their critical identity infrastructure. We understand the critical role AD plays in your organization's operations. Request a demo to see how we can help protect your AD environment.