AD Recycle Bin

Dear reader,

Do yourself a favor and enable AD Recycle Bin. You might never use it, but if you ever do, I'm sure you'll be thankful.

Enable AD Recycle Bin

Beforehand, make sure your domain and forest are running at least at the 2008 functional level.
Then run the following command in an Active Directory PowerShell console:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).RootDomain -Server (Get-ADForest).DomainNamingMaster

After this, your deletions in Active Directory will be protected by AD Recycle Bin.

Protect from accidental deletion

The next step is to protect your objects from deletion. This makes sure you can't just press Delete: you have to disable this option on the object first and then delete it.
You can run the commands below in an Active Directory PowerShell console:

Get-ADUser -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADGroup -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

This step is not required, but it also helps prevent accidents. Depending on your environment you might not want to enable Accidental Deletion Protection for all objects, but in my experience, Groups and Organizational Units are a must.

Recover user

Let’s say you’ve deleted a user, and for some reason you need it back.
Well, now that you've enabled AD Recycle Bin, you don't need to go get that weekly backup anymore and use AD Restore Mode.
Just run the commands below in PowerShell:
1. List deleted objects: Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *
2. Restore the one you want by its GUID: Restore-ADObject -Identity "GUID"
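The two steps above, put together in a script (an added example, not code from the original post): it checks that the Recycle Bin is actually enabled, finds the deleted user by its former sAMAccountName, makes sure the OU it lived in still exists, and restores it by GUID. The function name and the account 'jdoe' are placeholders.

```powershell
# Added example, not code from the original post. Restores a deleted user by its
# former sAMAccountName after checking the Recycle Bin is on and the container
# it lived in still exists. 'jdoe' and the function name are placeholders.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # 1. Without the optional feature, Restore-ADObject cannot bring the object back intact.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled in this forest; restore from backup instead.'
    }

    # 2. Deleted objects keep sAMAccountName and lastKnownParent, so match on those.
    #    The backtick keeps $true literal so the AD filter parser evaluates it.
    $deleted = @(Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($deleted.Count -eq 0) { throw "No deleted object named '$SamAccountName' in the Recycle Bin." }
    if ($deleted.Count -gt 1) {
        # Same name deleted more than once: show the candidates and let the operator choose.
        $deleted | Format-Table Name, ObjectGUID, lastKnownParent, whenChanged -AutoSize | Out-Host
        throw 'Several matches; pass the right ObjectGUID to Restore-ADObject -Identity yourself.'
    }
    $obj = $deleted[0]

    # 3. The restore goes back into lastKnownParent. If that OU was deleted too,
    #    restore it first (or use -TargetPath to put the user somewhere else).
    try { $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop }
    catch { throw "Parent '$($obj.lastKnownParent)' no longer exists; restore it first." }

    # 4. Restore by GUID and prompt before writing to the directory.
    Restore-ADObject -Identity $obj.ObjectGUID -Confirm

    # 5. Verify: with the Recycle Bin, group memberships (memberOf) come back with the object.
    Get-ADUser -Identity $SamAccountName -Properties memberOf, Enabled |
        Select-Object SamAccountName, DistinguishedName, Enabled, @{n='Groups'; e={ $_.memberOf.Count }}
}

Restore-DeletedADUser -SamAccountName 'jdoe'   # placeholder account name
```

Run it in an Active Directory PowerShell console with an account that can write to the target OU; the -Confirm prompt lets you check the GUID before anything is changed.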


And there you go. You have your user back. With any luck, no one will notice.