Permanently Delete Objects from the Active Directory Recycle Bin

Overview

When the Active Directory Recycle Bin is enabled, deleted AD objects are retained for the duration of the tombstone lifetime – 180 days by default – before being automatically removed. In most cases this is exactly what you want: it gives you a safety net to recover accidentally deleted users, groups, or computers. However, there are scenarios where you need to immediately and permanently remove an object from the Recycle Bin before that 180-day window expires – for example, when a customer requires an account to be unrecoverable for compliance or data protection reasons.

This guide covers why the Active Directory Administrative Center GUI cannot permanently delete objects from the Recycle Bin, and how to accomplish it correctly using Windows PowerShell.

Prerequisites

  • Active Directory Recycle Bin enabled on the domain
  • Windows Server 2012 or later (for ADAC) – PowerShell method also works on Windows Server 2008 R2
  • Domain Admin permissions
  • Active Directory PowerShell module installed (RSAT-AD-PowerShell)

Part 1 – Why the GUI Cannot Permanently Delete

The Active Directory Administrative Center (ADAC) provides a graphical interface for managing the AD Recycle Bin; this Recycle Bin view was introduced with Windows Server 2012. While it lets you browse the Deleted Objects container and restore items, the Delete option is greyed out when an object in the Recycle Bin is selected. The GUI supports restoring objects – it does not support permanently removing them before the tombstone lifetime expires.

[Screenshot: ADAC with the Deleted Objects container open and a user object selected; the Tasks panel shows Restore and Properties, and Delete is greyed out and unavailable.] ADAC shows the deleted object in the Recycle Bin but offers no way to permanently delete it – Delete is greyed out in the Tasks panel.

To permanently remove an object from the AD Recycle Bin, Windows PowerShell is required. This applies to both modern environments using ADAC and older Windows Server 2008 R2 environments where ADAC was first introduced alongside the AD Recycle Bin feature.

Part 2 – Permanently Delete via PowerShell

Step 1 – Find the Deleted Object

Open an elevated PowerShell session and import the Active Directory module if it is not already loaded. Use Get-ADObject with the -IncludeDeletedObjects flag to search the Recycle Bin. The -Filter searches for objects where isDeleted is true and the name matches your target. Pipe the result to Format-List to display the key identifying attributes:

# Search the Recycle Bin for deleted objects whose name contains "recycle"
# (the backtick continues the command on the next line)
Get-ADObject -Filter {isDeleted -eq $true -and Name -like "*recycle*"} `
    -IncludeDeletedObjects -Properties * |
    Format-List name, samaccountname, lastknownparent

Review the output carefully – confirm the sAMAccountName and lastKnownParent match the object you intend to delete. The lastknownparent attribute shows which OU the object originally lived in, which helps confirm you have the right object before proceeding.

Step 2 – Permanently Delete the Object

Once you have confirmed the correct sAMAccountName, run the deletion command. Use the specific samaccountname in the filter rather than the name, as the name may be modified by the Recycle Bin mechanism:

# Target the exact sAMAccountName; Remove-ADObject prompts before the irreversible delete
Get-ADObject -Filter {isDeleted -eq $true -and samaccountname -eq "recycletest1"} `
    -IncludeDeletedObjects | Remove-ADObject

PowerShell will display a confirmation prompt. Type Y and press Enter to confirm. If no error messages appear, the deletion was successful.

[Screenshot: PowerShell session showing the Remove-ADObject Confirm prompt answered with Y, a re-run of Get-ADObject returning no results, and the ADAC Deleted Objects container no longer listing the object.] Confirming the deletion with Y – a subsequent Get-ADObject query returns no results, confirming the object has been permanently removed.

Step 3 – Verify the Deletion

Run the original Get-ADObject query again. If the object was successfully deleted, the command returns no output – the object no longer exists anywhere in Active Directory. You can also verify in ADAC by refreshing the Deleted Objects container – the object should no longer appear in the list.

Important Considerations

This Action is Irreversible

Permanently deleting an object from the AD Recycle Bin cannot be undone. Unlike a standard deletion (which goes to the Recycle Bin), this bypasses the recovery window entirely. Always verify the sAMAccountName and lastKnownParent before running Remove-ADObject, and consider documenting the action with a ticket number or change record.

Use Specific Filters

Filter on samaccountname rather than Name for the deletion command. The Recycle Bin renames deleted objects by appending a GUID to the CN to prevent name collisions, so the Name attribute in the Recycle Bin may not match the original account name. The sAMAccountName is preserved unchanged and is the safest identifier to target.

Confirm Before Deleting

PowerShell’s confirmation prompt is a safety gate – do not suppress it with -Confirm:$false unless you are running an audited script in a controlled automation context. In interactive sessions, always read the prompt and verify the object name displayed matches your intended target before typing Y.
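The three steps of Part 2 and the three considerations above can be combined into one function that refuses to act on an ambiguous match, keeps the Y/N gate, verifies the deletion, and leaves an audit line. This is an added example, not code from the original post; the function name, the ChangeRecord parameter and the log path are my own choices.

```powershell
# Added example (not from the original post): wraps Get-ADObject / Remove-ADObject in a
# function that enforces the checks this guide recommends. Assumes the ActiveDirectory
# module is installed, the caller has Domain Admin rights, and the log path is acceptable.
function Remove-ADRecycleBinObject {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ChangeRecord,  # ticket or change number (assumed)
        [string] $LogPath = "$env:ProgramData\ADRecycleBinPurge.log"  # assumed log location
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Filter on sAMAccountName, not Name: the Recycle Bin rewrites the CN of deleted objects.
    $found = @(Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged)

    if ($found.Count -eq 0) {
        throw "No deleted object with sAMAccountName '$SamAccountName' is in the Recycle Bin."
    }
    if ($found.Count -gt 1) {
        # A sAMAccountName can be reused after a deletion, so several tombstones may share it.
        $found | Format-Table Name, lastKnownParent, whenChanged -AutoSize | Out-String | Write-Warning
        throw "Refusing to continue: $($found.Count) deleted objects share '$SamAccountName'."
    }

    $obj = $found[0]
    Write-Host "Target object:     $($obj.Name)"
    Write-Host "Original location: $($obj.lastKnownParent)"

    # ShouldProcess is the Y/N gate: -WhatIf previews, -Confirm:$false is for audited automation only.
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Permanently delete from the AD Recycle Bin')) {
        Remove-ADObject -Identity $obj -IncludeDeletedObjects -Confirm:$false

        # Step 3: confirm the tombstone is gone from the same DC before declaring success.
        $still = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
            -IncludeDeletedObjects
        if ($still) { throw "Object still present after Remove-ADObject; check permissions and the DC used." }

        # Record the irreversible action against the change record.
        $entry = "$(Get-Date -Format o) operator=$env:USERDOMAIN\$env:USERNAME change=$ChangeRecord " +
                 "deleted=$($obj.DistinguishedName) lastKnownParent=$($obj.lastKnownParent)"
        Add-Content -Path $LogPath -Value $entry
        Write-Host "Permanently deleted; audit entry written to $LogPath"
    }
}

# Interactive use prompts for Y/N like the manual command; add -WhatIf to preview without deleting.
# Remove-ADRecycleBinObject -SamAccountName 'recycletest1' -ChangeRecord 'CHG-0000' -WhatIf
```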