Appendix A: Additional Active Directory Recycle Bin Tasks
Applies To: Windows Server 2008 R2
In addition to recovering a single deleted Active Directory object, there are several additional tasks that you can perform with Active Directory Recycle Bin in Windows Server 2008 R2:
Modifying the tombstone lifetime and deleted object lifetime
Delegating Active Directory Recycle Bin operations
Manually recycling a deleted Active Directory object
Using the auditing mechanism
Modifying the tombstone lifetime and deleted object lifetime
Depending on your system environment and business practices, you can increase or decrease the deleted object lifetime and the tombstone lifetime. If you want your deleted objects to be recoverable for longer than the default 180 days, you can increase the deleted object lifetime. If you want your recycled objects to be recoverable (through authoritative restore) for longer than the default 180 days, you can also increase the tombstone lifetime.
The tombstone lifetime is determined by the value of the tombstoneLifetime attribute. The deleted object lifetime is determined by the value of the msDS-deletedObjectLifetime attribute. By default, tombstoneLifetime is set to null. When tombstoneLifetime is set to null, the tombstone lifetime defaults to 60 days (hard-coded in the system). By default, msDS-deletedObjectLifetime is also set to null. When msDS-deletedObjectLifetime is set to null, the deleted object lifetime is set to the value of the tombstone lifetime.
Note
If the tombstoneLifetime value is empty, the tombstone lifetime is 60 days. If the value is not empty, the tombstone lifetime is the value specified. If the value is less than 3 days, the tombstone lifetime is 3 days.
You can modify the values of the tombstoneLifetime and msDS-deletedObjectLifetime attributes anytime by using the Set-ADObject cmdlet in the Active Directory module for Windows PowerShell (the recommended method) or by using the Ldp.exe administrative tool.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To modify the tombstone lifetime by using the Set-ADObject cmdlet
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<mydomain>,DC=<com>" -Partition "CN=Configuration,DC=<mydomain>,DC=<com>" -Replace:@{"tombstoneLifetime" = <value>}
Replace DC=<mydomain>,DC=<com> with the appropriate forest root domain name of your Active Directory environment, and replace <value> with the new value for the tombstone lifetime.
For example, to set tombstoneLifetime to 365 days, run the following command:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace:@{"tombstoneLifetime" = 365}
For more information about the Set-ADObject cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Set-ADObject, and then press ENTER.
To modify the tombstone lifetime by using Ldp.exe
To open Ldp.exe, click Start, click Run, and then type ldp.exe.
To connect and bind to the server that hosts the forest root domain of your Active Directory environment, under Connections, click Connect, and then click Bind.
In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify.
In the Modify dialog box, in Edit Entry Attribute, type tombstoneLifetime.
In the Modify dialog box, in Values, type the number of days that you want to set for the tombstone lifetime value. (The minimum is 3 days.)
In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.
To modify the deleted object lifetime by using the Set-ADObject cmdlet
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<mydomain>,DC=<com>" -Partition "CN=Configuration,DC=<mydomain>,DC=<com>" -Replace:@{"msDS-DeletedObjectLifetime" = <value>}
Replace DC=<mydomain>,DC=<com> with the appropriate forest root domain name of your Active Directory environment, and replace <value> with the new value of the deleted object lifetime.
For example, to set the deleted object lifetime to 365 days, run the following command:
Set-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -Partition "CN=Configuration,DC=contoso,DC=com" -Replace:@{"msDS-DeletedObjectLifetime" = 365}
For more information about the Set-ADObject cmdlet, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Set-ADObject, and then press ENTER.
To modify the deleted object lifetime by using Ldp.exe
To open Ldp.exe, click Start, click Run, and then type ldp.exe.
To connect and bind to the server hosting the forest root domain of your Active Directory environment, under Connections, click Connect, and then click Bind.
In the console tree, right-click the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration container, and then click Modify.
In the Modify dialog box, in Edit Entry Attribute, type msDS-DeletedObjectLifeTime.
In the Modify dialog box, in Values, type the number of days that you want to set for the deleted object lifetime value. (The minimum is 3 days.)
In the Modify dialog box, under Operation click Replace, click Enter, and then click Run.
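The following script is an added example (not part of this guide) that covers both the tombstone lifetime and deleted object lifetime procedures above: it reads the two attributes from the Directory Service object, computes the effective values using the defaulting rules stated in the Note, and sets new values through Set-ADObject with a dry run first. It assumes the Active Directory module is available and the caller is an Enterprise Admin or equivalent; the function names are ours.

```powershell
# Added example; not part of the original guide. Reads tombstoneLifetime and
# msDS-DeletedObjectLifetime from the Directory Service object, applies the rules
# described above (empty tombstoneLifetime = 60 days, values below 3 treated as 3,
# empty msDS-DeletedObjectLifetime = the tombstone lifetime), and optionally sets
# both. Assumes the Active Directory module is loaded and the caller is an
# Enterprise Admin or equivalent. Function names are assumptions of this example.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Get-ADRecycleBinLifetime {
    $obj = Get-ADObject -Identity $dsDN -Partition $configNC `
               -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Effective tombstone lifetime: empty = 60 days; anything below 3 is treated as 3.
    $tsl = $obj.tombstoneLifetime
    $effectiveTsl = if ($null -eq $tsl) { 60 } elseif ([int]$tsl -lt 3) { 3 } else { [int]$tsl }

    # Effective deleted object lifetime: empty = same as the effective tombstone lifetime.
    $dol = $obj.'msDS-DeletedObjectLifetime'
    $effectiveDol = if ($null -eq $dol) { $effectiveTsl } else { [int]$dol }

    [pscustomobject]@{
        tombstoneLifetime              = $tsl
        EffectiveTombstoneLifetime     = $effectiveTsl
        'msDS-DeletedObjectLifetime'   = $dol
        EffectiveDeletedObjectLifetime = $effectiveDol
    }
}

function Set-ADRecycleBinLifetime {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Minimum of 3 days, as stated in the procedures above.
        [Parameter(Mandatory)][ValidateRange(3, 2147483647)][int]$TombstoneLifetime,
        [Parameter(Mandatory)][ValidateRange(3, 2147483647)][int]$DeletedObjectLifetime
    )
    # -WhatIf on this function propagates to Set-ADObject, so a dry run shows the change first.
    Set-ADObject -Identity $dsDN -Partition $configNC -Replace @{
        tombstoneLifetime            = $TombstoneLifetime
        'msDS-DeletedObjectLifetime' = $DeletedObjectLifetime
    }
}

Get-ADRecycleBinLifetime
Set-ADRecycleBinLifetime -TombstoneLifetime 365 -DeletedObjectLifetime 365 -WhatIf
Get-ADRecycleBinLifetime   # re-read to confirm the effective values after a real change
```

Remove -WhatIf to apply the change; re-running Get-ADRecycleBinLifetime afterwards confirms the stored and effective values agree.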
Delegating Active Directory Recycle Bin operations
In addition to using the Active Directory Recycle Bin themselves, administrators can delegate the following operations to selected users:
Deleting an Active Directory object
Viewing a deleted Active Directory object
Viewing a deleted Active Directory object’s deactivated links
Viewing tombstone Active Directory objects
Recovering a deleted Active Directory object
Manually recycling a deleted Active Directory object
Managing optional Active Directory Recycle Bin features
The following table outlines the access control mechanisms (ACMs) and the default permission levels that are required for each task that an administrator can delegate.
Task | Access control mechanism | Default permission level
---|---|---
Deleting objects | Delete ACMs | Domain Administrators
Viewing deleted objects | Read ACMs and showDeletedObjects Lightweight Directory Access Protocol (LDAP) control and List Content and Read Property rights on the Deleted Objects container | Domain Users
Viewing deactivated links | Read ACMs and showDeactivatedLinks LDAP control | Domain Users
Viewing tombstones | Read ACMs and showTombstoneObjects LDAP control | Domain Users
Recovering deleted objects | Write ACMs (on the object) and reanimate-tombstone control access right (CAR) (on the naming context (NC)) | Domain Administrators
Recycling deleted objects | Write ACMs (on the object) and reanimate-tombstone CAR (on the NC) | Domain Administrators
Managing optional features | Manage-optional-features CAR (on the target object) | Domain Administrators
For more information about how to delegate rights in an Active Directory environment, see the following:
Best Practices for Delegating Active Directory Administration (https://go.microsoft.com/fwlink/?LinkID=125454)
Delegating Authority in Active Directory (https://go.microsoft.com/fwlink/?LinkID=125455)
Article 281146 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=125457)
Manually recycling a deleted Active Directory object
All deleted Active Directory objects are recycled automatically when their deleted object lifetimes expire. In addition, administrators can recycle deleted Active Directory objects manually.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To manually recycle a deleted Active Directory object
To open Ldp.exe, click Start, click Run, and then type ldp.exe.
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
In the console tree, navigate to the CN=Deleted Objects container.
Right-click the deleted Active Directory object that you want to recycle, and then click Delete.
In the Delete dialog box, make sure that the Extended check box is checked, and then click OK.
To verify that the deleted Active Directory object is now recycled:
In the Controls dialog box, on the Load Predefined menu, click Return recycled objects, and then click OK.
In the console tree, navigate to the CN=Deleted Objects container, and then double-click the deleted Active Directory object that you recycled.
In the details pane, verify that the isRecycled attribute on this object is set to TRUE.
Using the auditing mechanism
In Windows Server 2008 R2, as in Windows Server 2008, you can use the Active Directory Domain Services (AD DS) auditing mechanism with the Directory Service Changes audit policy to log old and new values when changes are made to Active Directory objects and their attributes. We recommend that you implement auditing in your Active Directory environment to track all object deletions, object deletion times, and the account names that perform these object deletions. For more information, see the AD DS Auditing Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=125458).
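As an added example (not part of this guide), the following script enables the Directory Service Changes subcategory and builds the deletion report the paragraph above recommends: which account deleted which object, and when. It assumes it runs on a domain controller with rights to read the Security log, and that the objects of interest carry a SACL that audits delete operations (Directory Service Changes events are only written for audited objects); the function name is ours.

```powershell
# Added example; not part of the original guide. Enables success auditing for the
# Directory Service Changes subcategory and summarizes object deletions recorded in
# the Security log. Assumes a domain controller, rights to read the Security log,
# and SACLs on the audited objects. Event 5141 is "A directory service object was
# deleted" (Directory Service Changes). Function name is an assumption of this example.

# Enable success auditing for the subcategory (run once, as an administrator).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

function Get-ADObjectDeletionReport {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when no events match.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 5141; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN    = $d.ObjectDN
            ObjectGUID  = $d.ObjectGUID
            ObjectClass = $d.ObjectClass
            TreeDelete  = $d.TreeDelete
        }
    }
}

# Every deletion in the last week, newest first.
Get-ADObjectDeletionReport | Sort-Object Time -Descending | Format-Table -AutoSize

# Accounts performing the most deletions, which is the first thing to review after
# an unexpected loss of objects.
Get-ADObjectDeletionReport |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The ObjectGUID column is the value to feed to the recovery procedure, since a deleted object's distinguished name is rewritten when it moves to the Deleted Objects container.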