Leveraging Active Directory Recycle Bin: Best practices for AD protection – Part 4
This post is part four of a series where I discuss granular recovery of Active Directory objects and different scenarios and tools for such operations.
In the previous article, I covered administrators running Domain Controllers at the Windows Server 2003 or Windows Server 2008 functional level, and detailed the steps they had to take to reanimate tombstoned objects using the LDP and Veeam Explorer for Microsoft Active Directory utilities.
Today, I’m moving on to newer systems with the Active Directory recycle bin feature enabled.
With Windows Server 2008 R2, Microsoft introduced the long-awaited Active Directory Recycle Bin, an optional feature that requires the Windows Server 2008 R2 forest functional level. It extends the standard life cycle of an Active Directory object and changes the logic of deletion. With the feature enabled, a deleted object moves into the Deleted Objects container immediately, where it stays for the deleted object lifetime (msDS-DeletedObjectLifetime, which defaults to the recycled object lifetime). Most important, during that period the system preserves all of the object’s link-valued and non-link-valued attributes, so the object can be restored with those attributes intact.
Once that lifetime expires, the system marks the object as recycled and strips most of its attributes. The recycled object is logically equivalent to a tombstone in Windows Server 2003 and Windows Server 2008, with one difference: a recycled object cannot be restored or reanimated. The garbage collector removes it automatically once the recycled object lifetime (tombstoneLifetime) expires, 180 days by default.
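As an added example (not code from the Veeam article), the PowerShell below walks the lifecycle just described on a live domain: it checks whether the Recycle Bin optional feature is enabled, reads the two lifetimes that govern the deleted and recycled phases, lists objects that are still in the restorable phase with an approximate number of days left before they are recycled, and restores one by its last known RDN. It assumes the RSAT ActiveDirectory module and rights to read CN=Deleted Objects; the helper function names and the RDN `jdoe` are placeholders of my own.

```powershell
# Added example, not code from the Veeam article. Assumes the RSAT ActiveDirectory
# module and permission to read the Deleted Objects container of the current domain.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# 1. Feature state. With no enabled scopes, deletions still produce plain tombstones.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning 'Recycle Bin is not enabled; deleted objects are tombstones and Restore-ADObject will not bring their attributes back.'
}

# 2. Both lifetimes live on the Directory Service object in the configuration partition.
#    msDS-DeletedObjectLifetime governs the restorable phase and defaults to tombstoneLifetime;
#    tombstoneLifetime governs how long a recycled object survives before garbage collection.
$dsSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$recycledLifetime = if ($dsSvc.tombstoneLifetime) { $dsSvc.tombstoneLifetime } else { 60 }   # unset attribute means 60 days (older forests)
$deletedLifetime  = if ($dsSvc.'msDS-DeletedObjectLifetime') { $dsSvc.'msDS-DeletedObjectLifetime' } else { $recycledLifetime }
Write-Host "Deleted object lifetime: $deletedLifetime days; recycled object lifetime: $recycledLifetime days"

# 3. Objects in the restorable phase: isDeleted set, isRecycled not yet set.
#    whenChanged is stamped at deletion, so it approximates when the clock started.
function Get-RestorableADObject {
    Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
                 -IncludeDeletedObjects -SearchBase "CN=Deleted Objects,$domainNC" `
                 -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged, objectClass |
        Where-Object { $_.'msDS-LastKnownRDN' } |      # skips the Deleted Objects container itself
        ForEach-Object {
            [pscustomobject]@{
                LastKnownRDN      = $_.'msDS-LastKnownRDN'
                ObjectClass       = $_.objectClass
                LastKnownParent   = $_.lastKnownParent
                DaysUntilRecycled = $deletedLifetime - ((Get-Date) - $_.whenChanged).Days   # approximate
                ObjectGUID        = $_.ObjectGUID
            }
        }
}

# 4. Restore by last known RDN. Runs with -WhatIf unless -Execute is given, so the script is
#    safe to run as-is. Pass -TargetPath when the original parent OU was deleted too
#    (a parent must be restored before, or instead of, its children).
function Restore-ByLastKnownRdn {
    param(
        [Parameter(Mandatory)][string]$Rdn,
        [string]$TargetPath,
        [switch]$Execute
    )
    $candidates = @(Get-RestorableADObject | Where-Object { $_.LastKnownRDN -eq $Rdn })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one restorable object with RDN '$Rdn', found $($candidates.Count)."
    }
    $splat = @{ Identity = $candidates[0].ObjectGUID; WhatIf = (-not $Execute) }
    if ($TargetPath) { $splat.TargetPath = $TargetPath }
    Restore-ADObject @splat
}

Get-RestorableADObject | Format-Table LastKnownRDN, ObjectClass, DaysUntilRecycled, LastKnownParent -AutoSize
# 'jdoe' is a placeholder RDN; add -Execute to perform the restore instead of previewing it.
Restore-ByLastKnownRdn -Rdn 'jdoe'
```

The `DaysUntilRecycled` column is the practical reading of the paragraph above: once it reaches zero the object is recycled, drops its attributes and leaves the restorable phase for good, so a monitoring job that runs `Get-RestorableADObject` is the cheapest way to notice a deletion while attribute-preserving restore is still possible. Note that `Restore-ADObject` only works on objects that are deleted but not recycled; on a recycled object it fails, which matches the page's point that recycled objects cannot be reanimated.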
Enabling Active Directory recycle bin
Read the entire article here, Leveraging Active Directory Recycle Bin: Best practices for AD protection (Part 4)
via the fine folks at Veeam Software