Managing Active Directory Recycle Bin Lifetime in Windows Server 2022

Posted on 16th June 2023

Introduction

The Active Directory Recycle Bin provides administrators with a safety net when accidental deletions occur within Active Directory (AD). It allows administrators to restore accidentally deleted objects without the need for a domain restore. The Recycle Bin feature must be enabled in each domain prior to accidental deletion in order for it to be available as a recovery option. If not enabled, the only way to recover an accidentally deleted object is to perform a domain restore, which can be a complex and time-consuming process.

Enabling the Active Directory Recycle Bin

The Active Directory Recycle Bin can be enabled using the Enable-ADOptionalFeature cmdlet. This cmdlet is available in Windows Server 2012 and later. To enable the Recycle Bin, you must be a member of the Domain Admins group or have equivalent privileges.

# The Recycle Bin is a forest-wide optional feature, so the scope is ForestOrConfigurationSet and -Target names the forest root domain.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Managing the Active Directory Recycle Bin Lifetime

The default lifetime for objects in the Recycle Bin is 30 days. This means that after an object is deleted and moved to the Recycle Bin, it will remain there for 30 days before it is permanently deleted and cannot be recovered. The Recycle Bin lifetime can be managed using the Set-ADObject cmdlet.

# The lifetime is stored in days in the msDS-DeletedObjectLifetime attribute of the Directory Service object in the Configuration partition.
Set-ADObject -Identity 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Replace @{'msDS-DeletedObjectLifetime' = 90}

This cmdlet sets the Recycle Bin lifetime to 90 days. To set the Recycle Bin lifetime to an infinite period, use the value 1.00:00:00:00.

Conclusion

The Active Directory Recycle Bin is a valuable tool that helps administrators recover accidentally deleted objects without the need for a domain restore. The Recycle Bin can be enabled using the Enable-ADOptionalFeature cmdlet, and the lifetime of objects in the Recycle Bin can be managed using the Set-ADObject cmdlet.

When you delete an object from Active Directory, it’s not actually gone forever. Instead, it’s moved into a sort of holding area called the Recycle Bin. The Recycle Bin is a feature that was introduced in Windows Server 2008 R2 and acts as a safety net in case you accidentally delete something important.

The Recycle Bin doesn’t last forever, though. By default, objects are only kept in the Recycle Bin for 30 days. After that, they’re permanently deleted and can’t be recovered.

In some cases, you may need to change the Recycle Bin lifetime. For example, you may want to keep objects in the Recycle Bin for a longer period of time in case you need to recover them. Or, you may want to shorten the Recycle Bin lifetime to save disk space.

In Windows Server 2022, you can change the Recycle Bin lifetime by using the Set-ADObject cmdlet. The cmdlet has a -RecycleBinLifetime parameter that you can use to specify the number of days that an object should stay in the Recycle Bin.

For example, to keep objects in the Recycle Bin for 60 days, you would use the following command:

# The lifetime is a forest-wide value in days, written to msDS-DeletedObjectLifetime on the Directory Service object.
Set-ADObject -Identity 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Replace @{'msDS-DeletedObjectLifetime' = 60}

You can also use the -RecycleBinLifetime parameter to specify that objects should be permanently deleted when they’re removed from Active Directory. To do this, you would use a value of 0 for the -RecycleBinLifetime parameter.

For example, to permanently delete objects when they’re removed from Active Directory, you would use the following command:

Set-ADObject -RecycleBinLifetime 0

You can view the current Recycle Bin lifetime by using the Get-ADObject cmdlet. The cmdlet has a -IncludeRecycleBin parameter that you can use to include the Recycle Bin lifetime in the output.

For example, to view the current Recycle Bin lifetime, you would use the following command:

# Read the lifetime attributes from the Directory Service object; if msDS-DeletedObjectLifetime is unset, the tombstoneLifetime value applies.
Get-ADObject -Identity 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime'

The output of the command will include the RecycleBinLifetime attribute. The attribute will be set to 0 if objects are permanently deleted when they’re removed from Active Directory or to the number of days that objects are kept in the Recycle Bin.

In some cases, you may need to change the Recycle Bin lifetime for multiple objects at the same time. For example, you may need to change the Recycle Bin lifetime for all objects in a particular OU.

To do this, you can use the Get-ADObject cmdlet to get a list of all objects in the OU and then pipe the output to the Set-ADObject cmdlet.

For example, to change the Recycle Bin lifetime for all objects in the OU, you would use the following command:

# Get-ADObject requires -Filter alongside -SearchBase; use straight quotes around the DN.
Get-ADObject -Filter * -SearchBase "OU=MyOU,DC=contoso,DC=com" | Set-ADObject -RecycleBinLifetime 60

You can also use the Set-ADObject cmdlet to change the Recycle Bin lifetime for all objects in Active Directory. To do this, you would use the -Filter parameter with a value of *.

For example, to change the Recycle Bin lifetime for all objects in Active Directory, you would use the following command:

Set-ADObject -Filter * -RecycleBinLifetime 60

Once you’ve changed the Recycle Bin lifetime, you may also need to change the amount of time that objects are kept in the Recycle Bin before they’re permanently deleted. This is known as the Recycle Bin retention period.

The Recycle Bin retention period is the amount of time that an object is kept in the Recycle Bin before it’s permanently deleted. By default, the Recycle Bin retention period is 7 days. This means that an object will be permanently deleted 7 days after it’s moved into the Recycle Bin.

You can change the Recycle Bin retention period by using the Set-ADObject cmdlet. The cmdlet has a -RecycleBinRetentionPeriod parameter that you can use to specify the number of days that an object should stay in the Recycle Bin before it’s permanently deleted.

For example, to keep objects in the Recycle Bin for 60 days before they’re permanently deleted, you would use the following command:

Set-ADObject -RecycleBinRetentionPeriod 60

You can view the current Recycle Bin retention period by using the Get-ADObject cmdlet. The cmdlet has a -IncludeRecycleBin parameter that you can use to include the Recycle Bin retention period in the output.

For example, to view the current Recycle Bin retention period, you would use the following command:

# Read both lifetime attributes from the Directory Service object and show only those values.
Get-ADObject -Identity 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime' | Select-Object 'msDS-DeletedObjectLifetime','tombstoneLifetime'

The output of the command will include the RecycleBinRetentionPeriod attribute. The attribute will be set to the number of days that objects are kept in the Recycle Bin before they’re permanently deleted.

In some cases, you may need to change the Recycle Bin retention period for multiple objects at the same time. For example, you may need to change the Recycle Bin retention period for all objects in a particular OU.

To do this, you can use the Get-ADObject cmdlet to get a list of all objects in the OU and then pipe the output to the Set-ADObject cmdlet.

For example, to change the Recycle Bin retention period for all objects in the OU, you would use the following command:

# Get-ADObject requires -Filter alongside -SearchBase; use straight quotes around the DN.
Get-ADObject -Filter * -SearchBase "OU=MyOU,DC=contoso,DC=com" | Set-ADObject -RecycleBinRetentionPeriod 60

You can also use the Set-ADObject cmdlet to change the Recycle Bin retention period for all objects in Active Directory. To do this, you would use the -Filter parameter with a value of *.

For example, to change the Recycle Bin retention period for all objects in Active Directory, you would use the following command:

Set-ADObject -Filter * -RecycleBinRetentionPeriod 60
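Added example, not from the original post: the forest-wide lifetime that decides how long a recycled object stays restorable lives in the msDS-DeletedObjectLifetime and tombstoneLifetime attributes of the Directory Service object, and the functions below read the effective value, confirm the Recycle Bin feature is enabled, and change the lifetime with -WhatIf support, covering both the viewing and the setting procedures described above. The function names, the 3650-day upper bound and the 365-day target are assumptions.

```powershell
# Added example (not from the original post). Reads and sets the real
# configuration attributes that govern how long a deleted object can be
# restored once the Recycle Bin feature is enabled.
Import-Module ActiveDirectory

function Get-ADDeletedObjectLifetime {
    # Returns the effective lifetime in days plus the inputs it was derived from.
    $root   = Get-ADRootDSE
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $ds     = Get-ADObject -Identity $dsPath -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

    # An unset tombstoneLifetime means the DC uses 60 days; an unset
    # msDS-DeletedObjectLifetime inherits whatever tombstoneLifetime is.
    $tombstone = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $deleted   = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstone }

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [pscustomobject]@{
        RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
        TombstoneLifetimeDays     = $tombstone
        DeletedObjectLifetimeDays = $deleted
        ConfigObject              = $dsPath
    }
}

function Set-ADDeletedObjectLifetime {
    # Assumed bounds: at least 1 day, at most 3650 days (sanity check only).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days)

    $current = Get-ADDeletedObjectLifetime
    if (-not $current.RecycleBinEnabled) {
        throw 'Recycle Bin Feature is not enabled; msDS-DeletedObjectLifetime only takes effect once it is (enabling it cannot be undone).'
    }
    if ($Days -lt $current.DeletedObjectLifetimeDays) {
        # Shortening the window reduces how long an accidental or malicious deletion stays recoverable.
        Write-Warning "Lowering the lifetime from $($current.DeletedObjectLifetimeDays) to $Days days shortens the recovery window."
    }
    if ($PSCmdlet.ShouldProcess($current.ConfigObject, "Set msDS-DeletedObjectLifetime to $Days days")) {
        Set-ADObject -Identity $current.ConfigObject -Replace @{ 'msDS-DeletedObjectLifetime' = $Days }
    }
}

# Review the current values, then preview a change to a 365-day window (assumed target).
Get-ADDeletedObjectLifetime | Format-List
Set-ADDeletedObjectLifetime -Days 365 -WhatIf
```

Drop -WhatIf only after the preview shows the expected configuration object and value; the change replicates forest-wide.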