Permanently delete objects from the Active Directory Recycle Bin

With the Active Directory Recycle Bin enabled, deleted Active Directory objects can be easily recovered. Deleted items remain recoverable for the length of the Active Directory tombstone lifetime, which with the default configuration is 180 days.

I recently received a request from a customer to know how they can permanently delete user accounts from the Active Directory Recycle Bin, instead of waiting the 180 days before the object gets removed automatically.

This was the first time I received a request such as this and I’ve never had the need to attempt this myself, so I had to go into my lab and test this to provide a solution to the customer, if it existed.


Active Directory Administrative Center

With the release of Windows Server 2012, the Active Directory Administrative Center introduced a Graphical User Interface (GUI) to easily manage the Active Directory Recycle Bin. The GUI, however, only allows you to restore objects; the option to delete an object is not available (it is greyed out).

This is understandable, as it prevents anyone from accidentally deleting something from the Recycle Bin and thereby making the object unrecoverable.



Windows PowerShell

With the GUI not being useful for this task, it meant going back to PowerShell, which was the only option on Windows Server 2008 R2, where the Active Directory Recycle Bin was first introduced. The Active Directory PowerShell module is required.

In PowerShell I ran the following command to find the target object and display its sAMAccountName and lastKnownParent. I use these attributes to ensure I have the correct object and don't delete the wrong objects by mistake:


Get-ADObject -Filter {isDeleted -eq $True -and Name -like "*recycle*"} -IncludeDeletedObjects -Properties * | FL name,samaccountname,lastknownparent

This is the result of my query in PowerShell:



The next command will delete the object from the Recycle Bin. I specify the sAMAccountName, which I confirmed by running the initial query to find the object:


Get-ADObject -Filter {isDeleted -eq $True -and samaccountname -eq "recycletest"} -IncludeDeletedObjects | Remove-ADObject

Once I hit enter, I am prompted to confirm that I want to continue with the action, and I enter Y to confirm. I don't see any on-screen confirmation that the deletion was successful, but I'm also not receiving any error messages, which is a good sign:



I will now need to confirm that the action was completed successfully. I use the first query to find the object and receive no results in return:



Going back to Active Directory Administrative Center also confirms that the object is no longer available in the Active Directory Recycle Bin:
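The find, delete and verify steps above can be wrapped into a single guarded command. This is an added example rather than the post's own code; it assumes the ActiveDirectory module, a session with rights to purge deleted objects, and the constructed sAMAccountName 'recycletest' used in the post. It refuses to run unless exactly one deleted object matches, keeps an audit copy of the object's attributes before the purge (a purged object cannot be restored), and re-runs the query afterwards to confirm the object is gone.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module and
# the constructed sAMAccountName 'recycletest' used in the post.
Import-Module ActiveDirectory

function Remove-DeletedADObjectSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$AuditPath = "$env:TEMP\adrecyclebin-purge"
    )

    # Only deleted objects; escape single quotes in the supplied name so a stray
    # quote cannot alter the filter expression.
    $escaped = $SamAccountName -replace "'", "''"
    $filter  = "isDeleted -eq `$true -and sAMAccountName -eq '$escaped'"
    $found   = @(Get-ADObject -Filter $filter -IncludeDeletedObjects `
                   -Properties sAMAccountName, lastKnownParent, whenChanged, objectClass)

    if ($found.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($found.Count -gt 1) {
        $found | Format-List Name, DistinguishedName, lastKnownParent | Out-String | Write-Warning
        throw "Ambiguous match ($($found.Count) objects); refusing to purge."
    }
    $obj = $found[0]

    # Record what is about to be destroyed: once purged, the object cannot be restored.
    New-Item -ItemType Directory -Path $AuditPath -Force | Out-Null
    $audit = Join-Path $AuditPath ("{0}-{1:yyyyMMdd-HHmmss}.xml" -f $obj.sAMAccountName, (Get-Date))
    $obj | Export-Clixml -Path $audit

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Permanently delete from AD Recycle Bin')) {
        $obj | Remove-ADObject -Confirm:$false
        # Verify: the same query must now return nothing.
        $left = @(Get-ADObject -Filter $filter -IncludeDeletedObjects)
        if ($left.Count -ne 0) { throw "Object still present after Remove-ADObject." }
        Write-Verbose "Purged $($obj.DistinguishedName); audit copy at $audit"
    }
}

# Dry run first, then the real purge (prompts because ConfirmImpact is High).
Remove-DeletedADObjectSafely -SamAccountName 'recycletest' -WhatIf
Remove-DeletedADObjectSafely -SamAccountName 'recycletest' -Verbose
```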



Summary

I've never had a requirement to delete objects from the Active Directory Recycle Bin; it is not something I would ever have expected to be a requirement. I had to test this in my lab to assist a customer, and now I know that it is possible to remove items from the Active Directory Recycle Bin using a few basic commands in Windows PowerShell.
