Why the Microsoft Active Directory Recycle Bin Feature Falls Short

The need for a tool that restores Active Directory objects has become a growing concern for IT professionals across the world, so it is no coincidence that the recently released Windows Server 2008 R2 includes a feature Microsoft hoped would satisfy directory and infrastructure administrators everywhere. Unfortunately for Microsoft, it did not.

According to Bridget Botelho of SearchWindowsServer.com, “IT pros excited about the recycle bin feature for Active Directory should prepare for disappointment.” What Microsoft delivered, according to Botelho, “is a watered-down version of existing third-party backup tools.” Essentially, the Active Directory Recycle Bin works much like the Windows recycle bin: when an object is deleted, all of its attributes are preserved and the object is placed in a new state, the logically deleted object. The object is moved to the Deleted Objects container, where an administrator can restore it until its deleted object lifetime expires (the msDS-DeletedObjectLifetime value, which defaults to the tombstone lifetime, 180 days in a forest created on Windows Server 2003 SP1 or later). After that it becomes a recycled object: most of its attributes are stripped, it can no longer be restored with the Recycle Bin, and it continues to occupy space in the directory database for a further tombstone lifetime before garbage collection finally removes it.

Unfortunately, enabling the Active Directory Recycle Bin is not as easy as it sounds. For starters, the feature requires the forest functional level to be raised to Windows Server 2008 R2, which in turn means every domain controller in the forest must already run Windows Server 2008 R2. In other words, getting the native feature may wind up costing what an expensive third-party tool would have cost anyway. Furthermore, once the feature is turned on it cannot be turned off, and because a logically deleted object keeps every one of its attributes for the full deleted object lifetime, a deleted user account still carries whatever personally identifiable information it held. That is a problem for businesses and government agencies whose security and compliance rules do not permit retaining such data after an account is removed; the only adjustment available is to shorten msDS-DeletedObjectLifetime, so organizations need to review all pertinent policies before turning the feature on.

In addition to the above shortcomings, there are hordes of other problems that keep the Active Directory Recycle Bin from satisfying IT professionals the way Microsoft hoped it would. For starters, the feature is not at all intuitive: Windows Server 2008 R2 provides no graphical view of the Deleted Objects container (one only arrived in the Active Directory Administrative Center of Windows Server 2012). Deleted objects are hidden from normal LDAP queries, so finding them means using LDP.exe with the "Return deleted objects" control or the Active Directory module for Windows PowerShell, scripting work that many administrators would not know how to undertake. Simply finding the deleted objects is an arduous task in itself.

Furthermore, not all states can be restored. The feature does not offer the rollback capabilities that third-party tools do. While a deleted object can be restored after an accidental or mistaken removal, the Recycle Bin keeps only the attribute values the object had at the moment of deletion; it holds no history of earlier values. In other words, administrators trying to revert unwanted modifications to a live object cannot roll them back, because the previous attribute values were overwritten by the change and nothing in the Recycle Bin recorded them. Natively, that leaves an authoritative restore from a system state backup, which means taking a domain controller offline into Directory Services Restore Mode.
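The native workflow described in the last few paragraphs, as an added example written for this page (it is not code from the original post or from Netwrix): enabling the feature with its prerequisite check, reading how long deleted objects stay restorable, listing the Deleted Objects container, restoring one user, and observing that only deletion-time attribute values come back. All cmdlets are from Microsoft's ActiveDirectory module; the forest name corp.example.com, the user jdoe and the OU "OU=Staff,DC=corp,DC=example,DC=com" are assumptions.

```powershell
# Added example, not code from the original post or from Netwrix: the native Recycle Bin
# workflow with the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
# Assumed names: forest corp.example.com, deleted user jdoe, OU "OU=Staff,DC=corp,DC=example,DC=com".
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Enable the feature once. This is irreversible: there is no cmdlet to disable it again.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Prerequisite: forest functional level Windows Server 2008 R2, i.e. no older domain controllers.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first."
    }
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 2. How long a deleted object stays restorable. msDS-DeletedObjectLifetime is empty until an
#    administrator sets it; when empty, the tombstoneLifetime value applies instead.
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$restorableDays = if ($dsCfg.'msDS-DeletedObjectLifetime') { $dsCfg.'msDS-DeletedObjectLifetime' } else { $dsCfg.tombstoneLifetime }
"Deleted objects stay restorable for $restorableDays days"

# Shortening that window is the only knob a compliance team gets; there is no per-object purge.
# Set-ADObject -Identity $dsCfg -Replace @{ 'msDS-DeletedObjectLifetime' = 30 }

# 3. Find deleted objects. They are hidden from normal queries unless -IncludeDeletedObjects is given;
#    the Deleted Objects container itself is flagged isDeleted, so exclude it by name.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', 'lastKnownParent', 'whenChanged'
$deleted | Select-Object 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 4. Restore one user to where it lived. If the original parent container was deleted too, either
#    restore the parent first (restores go top down) or give Restore-ADObject a live -TargetPath.
$victim = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.'msDS-LastKnownRDN' -eq 'jdoe' }
if ($victim) {
    $parentExists = $true
    try { $null = Get-ADObject -Identity $victim.lastKnownParent } catch { $parentExists = $false }
    if ($parentExists) {
        Restore-ADObject -Identity $victim.ObjectGUID
    } else {
        Restore-ADObject -Identity $victim.ObjectGUID -TargetPath 'OU=Staff,DC=corp,DC=example,DC=com'
    }
}

# 5. What comes back are the attribute values as they stood at deletion time. If the title had been
#    changed to a wrong value before the delete, the wrong value is what is restored: the Recycle Bin
#    keeps no earlier versions, so this step cannot roll a modification back.
Get-ADUser -Identity jdoe -Properties title, department | Select-Object sAMAccountName, title, department
```

Run it from an elevated session as an Enterprise Admin on a domain controller or a workstation with RSAT; step 1 changes the whole forest, so treat it as a change-controlled action rather than a routine script.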

Lastly, the Recycle Bin only covers objects that reside in Active Directory. It does not help, for example, with Group Policy: deleting a GPO removes both the groupPolicyContainer object in the directory and the Group Policy Template folder in SYSVOL on disk, and the Recycle Bin can bring back only the former, so the policy settings themselves are not recovered.

That is where tools such as the Netwrix Active Directory Object Restore Wizard do what the native tools cannot. Through an easy-to-use interface, administrators can quickly restore Active Directory deletions and modifications, with granular control over precisely which objects or individual attribute values they want to restore.

The Netwrix Active Directory Object Restore Wizard offers the convenience, efficiency and capabilities that the native tools lack. In what ways has an object restore solution helped you, and, if applicable, how did the Netwrix Restore Wizard get the job done? Can you name an instance when the Netwrix Active Directory Object Restore Wizard or another third-party recovery tool would have been beneficial to you?

Stephen is a former Product Manager at Netwrix.