What are the implications of enabling the Recycle Bin feature in Active Directory?

An admin accidentally deleted the wrong OU and it removed several account and computer objects. The Recycle Bin optional feature was not enabled. We used AdRestore from Sysinternals to get the accounts back.

To ensure this process is easier the next time, we wanted to enable the Recycle Bin optional feature, which is easily done as per guides and TechNet using Enable-ADOptionalFeature via PowerShell.

In both PowerShell and the above link, the following is mentioned:

In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, it cannot be disabled.

In theory I would always want to leave it enabled but I have hesitated until I understand the implication of what is about to happen. I have a single domain forest if it matters.

What is the implication of enabling this feature? This must relate to why it is not enabled by default.


The main implication of enabling this feature is that it will increase the size of your DIT (your database). It tends to increase the size because objects that have been deleted hang around longer than they would without the AD Recycle Bin enabled.
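An added example (my own, not code from the answer above) that makes the DIT-growth point concrete: it reads the two lifetimes that decide how long a deleted object stays in the database, counts the deleted and recycled objects currently held, and reports the size of ntds.dit. It assumes it is run on a domain controller with the ActiveDirectory module; the 60-day fallback applies only when tombstoneLifetime is unset (forests created on Windows Server 2003 SP1 or later set it to 180 days explicitly), and an unset msDS-DeletedObjectLifetime means "same as tombstoneLifetime".

```powershell
# Added example, not from the answer above. Shows why the DIT grows once the
# Recycle Bin is on: a deleted object is kept intact for the deleted-object
# lifetime, then kept as a recycled object for the tombstone lifetime before
# garbage collection finally removes it. Run on a DC with the AD module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsaDn   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsa     = Get-ADObject -Identity $dsaDn -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'

# Unset tombstoneLifetime means the built-in default of 60 days; unset
# msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
$tsl = if ($dsa.tombstoneLifetime) { $dsa.tombstoneLifetime } else { 60 }
$dol = if ($dsa.'msDS-DeletedObjectLifetime') { $dsa.'msDS-DeletedObjectLifetime' } else { $tsl }

$feature   = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$rbEnabled = $feature.EnabledScopes.Count -gt 0

"Recycle Bin enabled:        $rbEnabled"
"Deleted object lifetime:    $dol days (object intact, restorable with Restore-ADObject)"
"Tombstone lifetime:         $tsl days (then kept only as a recycled object, not restorable)"
"Worst-case retention:       $($dol + $tsl) days after deletion"

# How many deleted and recycled objects are sitting in the DIT right now.
# isRecycled is only ever set once the Recycle Bin has been enabled.
$deleted  = @(Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties isRecycled)
$recycled = @($deleted | Where-Object { $_.isRecycled })
"Deleted objects in DIT:     $($deleted.Count) (of which recycled: $($recycled.Count))"

# Current size of ntds.dit on this DC; the path comes from the NTDS service parameters.
$ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
"ntds.dit size:              {0:N0} MB ({1})" -f ((Get-Item $ditPath).Length / 1MB), $ditPath
```

Without the Recycle Bin a deleted object is stripped to a tombstone (a handful of attributes) and kept for the tombstone lifetime only; with it enabled the object keeps all of its attributes for the whole deleted-object lifetime first, which is where the extra database growth comes from.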


I think the only reason it's not enabled by default is because in order to use it the AD forest functional level needs to be raised (minimum 2008 R2), and it's this particular piece of administration that requires all of the preparation - that is, if the domain was created on NT or 2003 for example, then you won't be able to enable it until the forest functional level is at 2008.

So it's not enabled out of the box for that reason - the same for 2012, it's not enabled out of the box because you are installing a domain controller, not setting up a forest. There is also this to consider:

When you enable Active Directory Recycle Bin, all of the objects that were deleted before Active Directory Recycle Bin was enabled become recycled objects and are no longer visible in the Deleted Objects container. You will not be able to recover them with Active Directory Recycle Bin. The only way you can restore these objects is by using an authoritative restore from a backup of AD DS that was performed before Active Directory Recycle Bin was enabled.

You can enable the Recycle Bin with PowerShell:

# Run once per forest as an Enterprise Admin; the cmdlet prompts for confirmation because the change cannot be undone
Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet `
    -Target (Get-ADForest -Current LocalComputer) `
    -Server (Get-ADForest -Current LocalComputer).DomainNamingMaster
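As an added example (mine, not part of the answer above), the same enable step preceded by the checks a practitioner wants before an irreversible change, followed by the recovery the question was actually about: restoring a deleted OU and everything that was inside it. The OU name 'Staff' is an assumption for illustration; the functional-level check casts the ADForestMode enum to its integer value, and the recursive restore relies on tree-deleted children keeping lastKnownParent set to the OU's original DN, which is the DN the OU gets back when it is restored first.

```powershell
# Added example, not from the answer above. Checks the prerequisites, enables the
# Recycle Bin (irreversible, so it prompts), then restores a deleted OU and its
# contents. Assumptions: run as Enterprise Admin on a machine with the
# ActiveDirectory module; the OU that was deleted by mistake is called 'Staff'.
Import-Module ActiveDirectory

$forest  = Get-ADForest -Current LocalComputer
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# The feature needs forest functional level Windows Server 2008 R2 or later.
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
}

if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Anything deleted before this point becomes a recycled object that only an
    # authoritative restore from an older backup can bring back, hence the prompt.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet `
        -Target $forest `
        -Server $forest.DomainNamingMaster `
        -Confirm:$true
}

# Restores one deleted object, then everything that was directly under it,
# recursing so nested OUs come back too. Returns the number of objects restored.
function Restore-ADTree {
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    # Parent first: Restore-ADObject fails while lastKnownParent does not exist.
    Restore-ADObject -Identity $ObjectGuid
    $restored = Get-ADObject -Identity $ObjectGuid
    $count = 1

    # Children of a tree-deleted OU keep lastKnownParent = the OU's original DN,
    # which is exactly the DN the OU has again after its own restore.
    $children = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$($restored.DistinguishedName)))"
    foreach ($child in @($children)) {
        $count += Restore-ADTree -ObjectGuid $child.ObjectGUID
    }
    return $count
}

$ouName = 'Staff'   # assumed name of the OU that was deleted by mistake

# Deleted objects sit in the Deleted Objects container under a mangled name
# ("Staff\0ADEL:<guid>"); msDS-LastKnownRDN still holds the original RDN.
$candidates = @(Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$ouName))")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one deleted OU named '$ouName', found $($candidates.Count); pick one by ObjectGUID."
}

$restoredCount = Restore-ADTree -ObjectGuid $candidates[0].ObjectGUID
"Restored $restoredCount object(s) under $((Get-ADObject -Identity $candidates[0].ObjectGUID).DistinguishedName)"
```

Two things worth noting from the design: the OU must be restored before its former children (Restore-ADObject refuses an object whose lastKnownParent is itself still deleted), and matching on msDS-LastKnownRDN rather than Name avoids having to parse the "\0ADEL:" suffix that deleted objects carry.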