What is the Directory and Resource Administrator Recycle Bin? (NETIQKB216)

  • 7700216
  • 02-Feb-2007
  • 25-Feb-2013

Environment


NetIQ Directory and Resource Administrator 8.x

Situation

What is the Directory and Resource Administrator Recycle Bin?

How does the Directory and Resource Administrator Recycle Bin work?

The Directory and Resource Administrator (DRA) Recycle Bin for Active Directory (AD) is similar in function to the Windows Recycle Bin for the file system, except that it's for AD User, Group, Contact and Computer objects. What this means is that whenever any of these object types are deleted they still remain in the Recycle Bin and can be completely restored with all of their permissions and group memberships intact. This feature provides excellent protection against the accidental deletion of these AD objects and the tremendous amount of work required to correct a deletion.

Resolution

GENERAL QUESTIONS AND ANSWERS

Which objects does the Recycle Bin support?
The Recycle Bin includes AD user, group, contact and computer objects.

Is there a limit to the number of objects that can be sent/stored in the Recycle Bin?
No, there is no limit to the number of objects the Recycle Bin can contain.

Does use of the Recycle Bin require AD schema extensions?
No, DRA implements the Recycle Bin using standard AD classes and attributes.

Does use of the Recycle Bin require an external database?
No, DRA stores all data required for the Recycle Bin in AD.

How can I enable the Recycle Bin for a domain?
The Recycle Bin is enabled by default for all domains managed by DRA.

How can I disable the Recycle Bin for a domain?

  1. Launch the Delegation and Configuration Management console
  2. Select the domain under Configuration Management|Managed domains
  3. Right-click the domain and select Properties
  4. Select the Recycle Bin tab
  5. Uncheck the Enable the recycle bin for this domain option
  6. Click OK

How can I re-enable the Recycle Bin for a domain?

  1. Launch the Delegation and Configuration Management console
  2. Select the domain under Configuration Management|Managed domains
  3. Right-click the domain and select Properties
  4. Select the Recycle Bin tab
  5. Check the Enable the recycle bin for this domain option
  6. Click OK

How does an Assistant Admin send an AD object to the Recycle Bin?
When the Recycle Bin is enabled for a domain, an Assistant Admin (AA) sends an AD object to the Recycle Bin by simply deleting it.

Is a separate power required to delete AD objects from the Recycle Bin?
Yes. For added security, the power to send AD objects to the Recycle Bin is different than the power to delete AD objects that are in the Recycle Bin. This "dual key" feature means you can configure the Administration server so that it requires two Assistant Admins to permanently delete any AD object.

Which DRA clients provide the Recycle Bin functionality?
The Recycle Bin feature is handled completely by the Administration server. Therefore, it doesn't matter which DRA client an Assistant Admin uses.

Is the Recycle Bin emptied on a scheduled basis?
Starting with DRA 8.5 and later, the Recycle Bin can be emptied on a scheduled basis. For more information, please refer to Knowledge Base article 7706121.

Can AD objects be modified while they are in the Recycle Bin?
No, AD objects in the Recycle Bin must be restored before they can be edited.

What level of security is on the Recycle Bin OU?
The ACL for the hidden OU (NetIQRecycleBin) used for the Recycle Bin is set so that only members of Administrator level groups have access. No other security principals even have read access. Therefore, only Administrator level personnel have access to this OU outside of DRA.

Can I use the Recycle Bin on both Primary and Secondary servers when using Multi-Master?
Yes, the Recycle Bin stores its data in AD. Recycle Bin tasks are available on any DRA server.

What happens if someone deletes an AD object from the Recycle Bin OU via native tools?
The AD object is permanently deleted and cannot be restored. After the next DRA domain cache refresh, the AD object will no longer appear in the Recycle Bin.

What happens when an AD object is deleted from the Recycle Bin?
When an AD object is deleted from the Recycle Bin, it is completely deleted from AD. The AD object cannot be restored at this point. If the object was a user account, any home directory/share deletion policies or Exchange mailbox deletion policies (if enabled) will be executed.

What happens if I turn off the Recycle Bin when it contains AD objects?
Nothing happens to AD objects already in the Recycle Bin. You can even restore those AD objects if you wish. With respect to new requests to delete AD objects, those objects will be permanently deleted instead of being moved to the Recycle Bin.

If I disable the Recycle Bin, do I need to grant Assistant Admins power to delete the specific AD objects?
No. When the Recycle Bin is disabled, an Assistant Admin who had the ability to send AD objects to the Recycle Bin will have the power to perform a "normal" deletion of these AD objects. This means that an AD object deleted by an Assistant Admin is permanently deleted and cannot be restored.

What happens to the Recycle Bin and its contents in Active Directory if I stop managing the domain or if DRA is uninstalled?
If DRA is uninstalled or the domain is removed from being managed, the Recycle Bin OU and all its contents remain. DRA does not purge the contents or delete the Recycle Bin OU.

Provided the domain is being managed and DRA is currently installed, can I still restore objects in the Recycle Bin if the domain was once removed from being managed or if DRA was uninstalled/reinstalled?
Yes. You can restore objects in the Recycle Bin even if, at any time, the domain was no longer being managed or DRA was uninstalled. Be sure to re-enable the Recycle Bin once the domain is being managed again.

What about unavailable domains during a restore?
If one of the groups the AD object is a member of belongs to a domain that is unavailable at the time of the restoration, the AD object will be restored, but the group memberships in the unavailable domains will not be restored. A warning message will be returned to the Assistant Admin.

AD USER ACCOUNT-SPECIFIC QUESTIONS AND ANSWERS

What happens when a User account is sent to the Recycle Bin?

  1. The user account is moved to a hidden OU (NetIQRecycleBin).
  2. The user account is disabled.
  3. A corresponding dummy group is created in the hidden OU to store data about the user account's original OU and its group memberships.
  4. The user account is removed from all groups, including Assistant Admin groups. It is not removed from Domain Users however.
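The following read-only audit script is an added example, not NetIQ's code and not part of this article. It checks the two points above that matter most to a defender: that accounts parked in the hidden NetIQRecycleBin OU are actually disabled, and that the OU's ACL still lists only Administrator-level groups. It assumes the ActiveDirectory RSAT module and a session that already has read access to the OU (the article states that only Administrator-level groups have that outside DRA).

```powershell
# Added audit example (not NetIQ's code). Requires the ActiveDirectory module (RSAT)
# and read access to the hidden OU; runs against the domain of the current session.
Import-Module ActiveDirectory

# The article names the hidden OU "NetIQRecycleBin".
$rbOu = Get-ADOrganizationalUnit -Filter 'Name -eq "NetIQRecycleBin"'
if (-not $rbOu) {
    throw "No NetIQRecycleBin OU found; the DRA Recycle Bin may never have been used in this domain."
}

# 1. Inventory what is parked in the Recycle Bin, grouped by object class.
#    Dummy groups created by DRA will show up here alongside the parked objects.
$objects = Get-ADObject -SearchBase $rbOu.DistinguishedName -SearchScope OneLevel -Filter * `
           -Properties objectClass, whenChanged, userAccountControl
$objects | Group-Object objectClass | Select-Object Name, Count | Format-Table -AutoSize

# 2. User and computer accounts sent to the Recycle Bin should be disabled
#    (userAccountControl bit 0x2). Any that are still enabled deserve a closer look,
#    since a parked account that can still log on defeats the point of the Recycle Bin.
$ACCOUNTDISABLE = 0x2
$stillEnabled = $objects | Where-Object {
    $_.objectClass -in 'user','computer' -and
    -not ($_.userAccountControl -band $ACCOUNTDISABLE)
}
if ($stillEnabled) {
    Write-Warning "Enabled accounts found in the Recycle Bin OU:"
    $stillEnabled | Select-Object Name, objectClass, whenChanged | Format-Table -AutoSize
}

# 3. Review who has rights on the OU itself. Per the article only Administrator-level
#    groups should appear; any other principal is permissions drift worth investigating,
#    because a native delete from this OU is unrecoverable by DRA.
$acl = Get-Acl -Path ("AD:\" + $rbOu.DistinguishedName)
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Run it from a DRA-independent admin session so that the ACL it reports is the one native tools actually see, which is what the "What level of security is on the Recycle Bin OU?" answer is about.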

What happens when a user account is restored from the Recycle Bin?

  1. The user account is restored/moved to its original OU.
  2. If the original OU no longer exists, the Assistant Admin is prompted for an OU name.
  3. Group memberships are restored.
  4. The dummy group used to store data about the user account's original OU and its group memberships is deleted.
  5. The user account is enabled.

Do I need to reset a restored user account password?
No, DRA does not modify the password of a user account sent to the Recycle Bin.

When a user account goes into the Recycle Bin, is its home share and directory deleted?
No, if the DRA home directory/share policies are enabled, they are executed only when the user account is deleted from the Recycle Bin.

When a user account goes into the Recycle Bin, is its Exchange mailbox deleted?
No, if the ExA Exchange mailbox policies are enabled, they are executed only when the user account is deleted from the Recycle Bin.

When a user account is in the Recycle Bin, can its Exchange mailbox continue to receive email?
Yes, the Recycle Bin process does not modify the Exchange mailbox in any way.

When a user account is in the Recycle Bin, will its Exchange mailbox continue to appear in the global address list (GAL)?
No, the user account will no longer appear in the GAL.

Since the user account is disabled, why are user accounts in the Recycle Bin removed from groups?
Primarily because it would be confusing to view a group's membership and see a user account that you thought had been deleted.

AD GROUP-SPECIFIC QUESTIONS AND ANSWERS

What happens when a Group is sent to the Recycle Bin?

  1. The Group is moved to a hidden OU (NetIQRecycleBin).
  2. A corresponding dummy group is created in the hidden OU to store data about the Group's original OU and its group memberships.
  3. The Group is removed from all other group memberships, including Assistant Admin groups.
  4. Members of the Group itself are removed.

What happens when a Group is restored from the Recycle Bin?

  1. The Group is restored/moved to its original OU.
  2. If the original OU no longer exists, the Assistant Admin is prompted for an OU name.
  3. Group memberships are restored.
  4. Members of the Group itself are restored.
  5. The dummy group used to store data about the Group's original OU and its group memberships is deleted.

When a mail-enabled Group is in the Recycle Bin, will it continue to appear in the global address list (GAL)?
No, the Group will no longer appear in the GAL.

AD CONTACT-SPECIFIC QUESTIONS AND ANSWERS

What happens when a Contact is sent to the Recycle Bin?

  1. The Contact is moved to a hidden OU (NetIQRecycleBin).
  2. A corresponding dummy group is created in the hidden OU to store data about the Contact's original OU and its group memberships.
  3. The Contact is removed from all group memberships.

What happens when a Contact is restored from the Recycle Bin?

  1. The Contact is restored/moved to its original OU.
  2. If the original OU no longer exists, the Assistant Admin is prompted for an OU name.
  3. Group memberships are restored.
  4. The dummy group used to store data about the Contact's original OU and its group memberships is deleted.

When a mail-enabled Contact is in the Recycle Bin, will it continue to appear in the global address list (GAL)?
No, the Contact will no longer appear in the GAL.

AD COMPUTER ACCOUNT-SPECIFIC QUESTIONS AND ANSWERS

What happens when a Computer is sent to the Recycle Bin?

  1. The Computer account is moved to a hidden OU (NetIQRecycleBin).
  2. The Computer account is disabled.
  3. A corresponding dummy group is created in the hidden OU to store data about the Computer account's original OU and its group memberships.
  4. The Computer account is removed from all group memberships.

What happens when a Computer is restored from the Recycle Bin?

  1. The Computer account is restored/moved to its original OU.
  2. If the original OU no longer exists, the Assistant Admin is prompted for an OU name.
  3. Group memberships are restored.
  4. The dummy group used to store data about the Computer account's original OU and its group memberships is deleted.
  5. The Computer account is enabled.

Do I need to re-join a Computer to the Domain once it has been restored from the Recycle Bin?
No. The Computer will not need to be re-joined to the Domain.


Additional Information

Formerly known as NETIQKB216