PowerShell – AD Recycle Bin Check or Enable…

When I begin working with a new customer Active Directory environment, one thing I always like to know is whether or not the AD Recycle Bin is enabled for safety.  If you don’t already know, the Active Directory Recycle Bin is a feature that appeared in the 2008 R2 era, and gave us the not-too-easy ability to save us from our own administrators.  Over the years, especially with Server 2012 R2, restoring AD objects has become as easy as a few clicks.  I won’t say that it’s a “no-brainer”, because there are a couple of reasons why you might not want to enable it, but I will say that it only takes deleting a couple of objects accidentally to make a compelling argument for implementation.  For some further reading, check out this TechNet Guide.

If you want to use PowerShell to check if the AD Recycle Bin is enabled, run the following command to find out (requires that you have the PowerShell AD modules installed):

Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

…and if it is NOT enabled, you will see a result something like this in the image below; notice that among the other information, the “Enabled Scopes” is empty.

AdRecycleBinCheck

So if the Recycle Bin is NOT enabled, and you want it enabled, what then?  Well, if your forest functional level is already at Server 2008 R2, one way is to enable it with the following PowerShell command:

Enable-ADOptionalFeature `
-Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com' `
-Scope ForestOrConfigurationSet `
-Target 'domain.com'

…which looks a bit like this, as I enable the feature and then re-check:

AdRecycleBinEnable

As you can see above, the AD Recycle Bin is now enabled in my lab AD forest.

Note that in the above code example, I’m using “back-ticks” to be able to wrap lines.  However, in my screen cap I put it all on one line.  I’ll go over the back-ticks in a future post, but for now be careful with them, or remove them and include the entire command on one line.

So to recap, when EnabledScopes isn’t populated (e.g. {} ), the Recycle Bin is off.  If it contains values, then it is enabled!

And remember this: after enabling the AD Recycle Bin, you cannot disable it anymore!
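The check, the functional-level prerequisite and the enable step can be combined into one function. This is an added example, not code from the original post: the function name Test-ADRecycleBin and its -Enable switch are hypothetical, and it assumes the ActiveDirectory module is installed and the account has rights to change forest-wide features.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (name is illustrative, not from the original post).
# Reports whether the AD Recycle Bin is enabled; with -Enable, turns it on
# for the current forest after an explicit confirmation prompt.
function Test-ADRecycleBin {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([switch]$Enable)

    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

    # An empty EnabledScopes collection means the feature is off.
    $enabled = @($feature.EnabledScopes).Count -gt 0

    if (-not $enabled -and $Enable) {
        # The post's prerequisite: forest functional level at Server 2008 R2.
        $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
        if ($forest.ForestMode -lt $minMode) {
            throw "Forest functional level is $($forest.ForestMode); raise it before enabling."
        }

        # Enabling cannot be undone, so require confirmation (or use -WhatIf).
        $action = 'Enable AD Recycle Bin (cannot be disabled afterwards)'
        if ($PSCmdlet.ShouldProcess($forest.Name, $action)) {
            # The DN comes from the feature object, so no hard-coded DC=domain,DC=com.
            Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
                -Scope ForestOrConfigurationSet `
                -Target $forest.Name -Confirm:$false

            # Re-read the feature to confirm EnabledScopes is now populated.
            $feature = Get-ADOptionalFeature -Identity $feature.DistinguishedName
            $enabled = @($feature.EnabledScopes).Count -gt 0
        }
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        RecycleBinEnabled = $enabled
        EnabledScopes     = $feature.EnabledScopes
    }
}

Test-ADRecycleBin                    # report only, changes nothing
# Test-ADRecycleBin -Enable -WhatIf  # show what would be changed
# Test-ADRecycleBin -Enable          # prompts, then enables and re-checks
```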

2017-07-27T00:00:58+00:00 March 24th, 2016|Uncategorized|

About the Author:

Jeremy is just a regular guy that likes to occasionally tell the world about stuff.
