
How to fix "insufficient access rights to perform this operation" when trying to enable Active Directory Recycle Bin

The method involves enabling the AD Recycle Bin so that deleted user objects can be restored with the Active Directory Administrative Center (ADAC). The Active Directory Recycle Bin can be activated only where all domain controllers are running Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019.

Note: In Windows Server 2008, you could use the Windows Server Backup feature and ntdsutil authoritative restore command to mark objects as authoritative to ensure that the restored data was replicated throughout the domain. The drawback to the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM). During DSRM, the domain controller being restored had to remain offline. Therefore, it was not able to service client requests.

If the user account performing this operation has not been assigned sufficient access rights, the following error is displayed in the Active Directory Administrative Center or in PowerShell. See the guide below on how to enable the AD Recycle Bin and restore deleted users.

To fix this issue, add the user account as a member of the following security groups in Active Directory.
- Domain Admins
- Schema Admins
- Enterprise Admins

See the image below for more information.

Restart your device for the new policy to apply. You can now attempt to enable the AD Recycle Bin, and the operation will succeed.
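The PowerShell route mentioned above can be checked before it is attempted. The script below is an added example, not part of the original post: it compares the group SIDs in the current logon token with the three groups listed above, then runs the enable step with `-WhatIf`. It assumes the ActiveDirectory module (RSAT) is installed and that the session is signed in to the domain.

```powershell
# Added example: pre-flight check before enabling the AD Recycle Bin.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$domain     = Get-ADDomain        # domain of the signed-in user

# The three groups from the article, addressed by well-known RID so the
# check also works where the group names are localized.
# Schema Admins (518) and Enterprise Admins (519) exist only in the forest root.
$required = [ordered]@{
    'Domain Admins'     = "$($domain.DomainSID.Value)-512"
    'Schema Admins'     = "$($rootDomain.DomainSID.Value)-518"
    'Enterprise Admins' = "$($rootDomain.DomainSID.Value)-519"
}

# Group SIDs in the *current logon token*. A membership added after sign-in
# is not in the token yet, and a non-elevated session does not list
# deny-only admin groups, so run this from an elevated prompt.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

$missing = foreach ($name in $required.Keys) {
    if ($tokenSids -notcontains $required[$name]) { $name }
}

if ($missing) {
    Write-Warning "Current token lacks: $($missing -join ', ')"
    return
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output 'AD Recycle Bin is already enabled.'
    return
}

# Enabling the Recycle Bin cannot be undone, so preview the change first.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -WhatIf
```

Remove `-WhatIf` to apply the change once the preview shows the expected forest as the target.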

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section. I welcome you to follow me on Twitter and Facebook.
