Love Affair with the AD Recycle Bin

Microsoft has finally made something amazing without a lot of hype and publicity.  I’m talking about the Active Directory Recycle Bin.

Imagine you delete a user object in Active Directory without much thought.  I know it’s a sin but it happens.  Now if you are on the Windows Server 2003 Functional Level you can “Reanimate” that object, which basically means you’ve resurrected it from the graveyard of deleted objects and brought it back into operation.  You’ve gone from Hero to Goat and then back to Hero (or at least not Goat).  Congratulations!!!

All of a sudden that previously deleted user tries to log on and access some files or permissions assigned to him/her but cannot.  You look at the AD account permissions and attributes and see that they are no longer a member of the Accounting, Marketing, Operations, etc. groups and many custom attributes are gone.  What the heck…after all you brought them back from the dead!!!

Well yes..BUT!!!

By default, Active Directory strips many of the attributes of an object when it is deleted and places it in a “tombstoned” state until it is physically removed.

During that time you can successfully restore the object, but the problem is that many of the important attributes are gone, including user-group memberships.  In a pinch, you can restore these objects authoritatively from a system state backup, which works but is complex and disruptive since the DC has to go offline.

Now fast forward to the Windows Server 2008 R2 AD Recycle Bin.  Before the object reaches the old “tombstone” (now called the “recycled” state) and is physically removed, there is a new “deleted” state.  This gives you a period of time during which the object can be fully restored, attributes and all, without any loss or disruption.

The Deleted Object Lifetime is defined in the AD schema and sets the time an object will remain in the recycle bin until it is finally removed when the Garbage Collection process cleans things up.

It is simple yet elegant.
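As an added example (not from the original post), here is a PowerShell walk-through, using the ActiveDirectory module, of the states described above: checking that the Recycle Bin feature is enabled, reading the deleted-object lifetime from the Directory Service object in the Configuration partition, and restoring a user from the “deleted” state. The domain contoso.com, the user “Jane Doe” and the account name jdoe are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and a forest already at the Windows Server 2008 R2 forest
# functional level. "contoso.com", "Jane Doe" and "jdoe" are placeholders.
Import-Module ActiveDirectory

# 1. Is the Recycle Bin feature enabled? EnabledScopes stays empty until it is.
$feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled; enabling it cannot be undone.'
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    #     -Scope ForestOrConfigurationSet -Target 'contoso.com'
}

# 2. How long does a deleted object stay restorable? The value lives on the
#    Directory Service object in the Configuration partition; when
#    msDS-DeletedObjectLifetime is unset it falls back to tombstoneLifetime.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$dol = $ds.'msDS-DeletedObjectLifetime'
if (-not $dol) { $dol = $ds.tombstoneLifetime }
"Deleted objects remain restorable for $dol days"

# 3. Find the deleted user. Deleted objects are only returned when
#    -IncludeDeletedObjects is given; lastKnownParent records the original OU.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "Jane Doe*"' `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

# 4. Restore it. Group memberships survive because the object was still in
#    the "deleted" state, not the attribute-stripped "recycled" state.
foreach ($obj in $deleted) {
    "Restoring $($obj.Name) back to $($obj.lastKnownParent)"
    Restore-ADObject -Identity $obj.ObjectGUID
}

# 5. Verify that the group memberships came back with the object.
Get-ADUser -Identity 'jdoe' -Properties memberOf |
    Select-Object -ExpandProperty memberOf
```

Run this from an account with permission to restore objects; step 1 only reports, the commented-out Enable-ADOptionalFeature line is the irreversible forest-wide change the post is about.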

For more: