When an object is deleted from Active Directory, it is not immediately erased, but is only marked for deletion. Deleted objects can be recovered from Active Directory within a specific retention period, which is 180 days by default.
In this tutorial, you will learn how to use Adaxes Web Interface and Administration Console to restore objects deleted from Active Directory, how to enable the Active Directory Recycle Bin feature on your domains, and how to delegate permissions to restore deleted objects to users.
Although Adaxes allows restoring deleted objects without Recycle Bin enabled, it is strongly recommended to enable the feature: with Recycle Bin, objects are restored with all their properties preserved, while without it they are restored only partially.
The process of enabling Recycle Bin is irreversible. Once enabled, it cannot be disabled.
To enable Active Directory Recycle Bin, the functional level of your Active Directory forest must be Windows Server 2008 R2 or higher. This means that all domain controllers within the forest must be running at least Windows Server 2008 R2.
To find all AD domains with Recycle Bin disabled, you can use the Domains with Recycle Bin disabled report:
Type Recycle Bin in the Type report name edit box located to the right.
To enable Recycle Bin for a domain:
Point to All Tasks, and click Enable Recycle Bin.
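Because enabling Recycle Bin cannot be undone, the prerequisite and the current state can be confirmed from PowerShell first. The following read-only check is an added example, not part of Adaxes or of the original tutorial; it assumes the Microsoft ActiveDirectory module (RSAT) is installed, and the function name `Get-RecycleBinReadiness` is hypothetical.

```powershell
# Added example: read-only pre-check, makes no changes to the directory.
# Assumes the Microsoft ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-RecycleBinReadiness {
    param(
        # Domain or DC to query; defaults to the current user's domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )

    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext

    # The forest functional level is stored as an integer on CN=Partitions;
    # 4 corresponds to Windows Server 2008 R2.
    $partitions = Get-ADObject -Server $Server -Identity "CN=Partitions,$configNC" `
        -Properties 'msDS-Behavior-Version'
    $level = [int]$partitions.'msDS-Behavior-Version'

    # The optional feature lists the scopes it is enabled for; none means disabled.
    $feature = Get-ADOptionalFeature -Server $Server -Filter "Name -eq 'Recycle Bin Feature'"
    $enabled = [bool]($feature -and $feature.EnabledScopes.Count -gt 0)

    # Retention settings live on the Directory Service object. When
    # msDS-DeletedObjectLifetime is not set, tombstoneLifetime applies instead.
    $dirSvc = Get-ADObject -Server $Server `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    [pscustomobject]@{
        ForestFunctionalLevel     = $level
        MeetsMinimumLevel         = $level -ge 4
        RecycleBinEnabled         = $enabled
        TombstoneLifetimeDays     = $dirSvc.tombstoneLifetime
        DeletedObjectLifetimeDays = $dirSvc.'msDS-DeletedObjectLifetime'
    }
}

$result = Get-RecycleBinReadiness
$result | Format-List

if (-not $result.MeetsMinimumLevel) {
    Write-Warning 'Forest functional level is below Windows Server 2008 R2; Recycle Bin cannot be enabled.'
} elseif (-not $result.RecycleBinEnabled) {
    Write-Warning 'Recycle Bin is not enabled. Enabling it is irreversible.'
}
```

An empty lifetime value in the output means the attribute is not set in the directory, so the built-in default applies.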
The permissions to restore deleted Active Directory objects, like any other permissions in Adaxes, are granted with the help of Security Roles. You can allow users to restore all types of Active Directory objects, or just specific object types, like users, groups or computers.
To allow restoring deleted objects, a Security Role must contain the Restore Deleted Objects permission.
Select the Security Role you want to modify.
In the Permissions section located to the right, click Add.
In the Operations on child objects list, check the Restore Deleted Objects permission in the Allow column.
To allow restoring only specific types of Active Directory objects, click Select object types and select the object types you need.
Click OK and then click Save changes.
For the Restore Deleted Objects permission to take effect, a Security Role must be assigned over containers, Organizational Units and domains. The permission will not apply when a Security Role is assigned over members of groups and Business Units, because deleted objects are not members of any group or Business Unit.
Apart from restoring deleted Active Directory objects, it is also possible to restore Adaxes configuration objects, such as Security Roles, Property Patterns, Business Units, and Scheduled Tasks. To delegate the permission to restore Adaxes configuration objects, a Security Role must be assigned over the Configuration Objects scope.
You can use Adaxes log records to restore deleted objects. To get access to the logs, you can either use the Logging view in Adaxes Administration Console, or reports based on log records.
To restore deleted objects using the Logging view:
Select Delete in the Filter Operation drop-down list located to the right.
Right-click a record for a delete operation and click Restore in the context menu.
Adaxes provides a number of reports on deleted Active Directory objects, such as Recently deleted users or Recently deleted OUs. You can use the reports to restore deleted objects.
To restore objects using reports in Adaxes Web Interface:
Click the Reports drop-down located in the header and type Recently deleted in the edit box.
Select the object you want to restore and click Restore.
If necessary, you can disable the Restore Deleted Object operation in a Web Interface. For details, see Disable Operations on AD Objects.
When a user accidentally deletes an Active Directory object using Adaxes, they can use the Undo Delete option to instantly recover it.
The Undo operation is only available if the user has the permission to restore the deleted object and if the Recycle Bin feature is enabled for the object's domain.
For information on how to protect Active Directory objects from accidental deletion, see Protect objects from deletion.