How to Restore Deleted Objects in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction


2. How to Enable Active Directory Recycle Bin

Active Directory Recycle Bin can be activated only where all domain controllers are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2. Note: Enabling Active Directory Recycle Bin is irreversible.

Execute the following command to enable Active Directory Recycle Bin:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'

(The command is one line; the quotes and dashes must be plain ASCII characters or PowerShell will not parse it.)

If you are using Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

3. What happens to a Deleted Active Directory Object?

The following table compares the lifecycle of a deleted object before and after “Active Directory Recycle Bin” is enabled:

  • Before: The deleted object enters a “tombstone” state. After: The deleted object enters a “logically deleted” state.
  • Before: Attribute “isDeleted” is changed to the value TRUE. After: Attribute “isDeleted” is changed to the value TRUE.
  • Before: The value of “whenDeleted” is changed to “Time Changed”. After: A unique value is assigned to the Windows security descriptor, and the RDN is changed to an impossible value.
  • Before: The object is moved to the “Deleted Objects” container (CN=Deleted Objects). After: The object is moved to the “Deleted Objects” container (CN=Deleted Objects).
  • Before: The object stays in the “tombstone” state for 180 days (Windows Server 2003 SP1/2008) or 60 days (Windows Server 2000/2003). After: The object remains in the “logically deleted” state for 60 to 180 days (Windows Server 2008 R2).
  • Before: In the tombstone state, most of the link-valued and non-linked attributes are stripped off. After: As soon as an object enters the “logically deleted” state, all of its link-valued and non-linked attributes are preserved by the system. The following attributes are not stripped off: Object-GUID, Object-SID, Object-Dist-Name, USN.
  • Before: A process called the “garbage collector” removes the object from the database after the tombstone state expires. After: The object moves to the “recycled” state, where it remains for another 60 to 180 days.
  • Before: The object is completely erased. After: Most of the attributes are erased.
  • Before: The object cannot be recovered. After: Once the recycled state expires, the garbage collection process starts and removes the object from the database. The object cannot be recovered.
  • Before: The administrator has to use an authoritative restore to recover the deleted objects. After: The administrator can use PowerShell commands, LDP.exe and the Active Directory Administrative Center to restore deleted objects.

The tombstone lifetime is 60 days on Windows Server 2000/2003 and 180 days on Windows Server 2003 SP1/2008 (in later versions it can be modified with the ADSI Edit tool).

In ADSI Edit, connect to the “Configuration” partition, navigate to “CN=Configuration,DC=www,DC=domain,DC=com” and expand it.

Right-click “CN=Directory Service” and open its properties. In the “Properties” dialog box, edit the “tombstoneLifetime” attribute and set its value accordingly.
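The following script is an added example and not the article's own code: it runs the preflight checks a practitioner wants before the irreversible Enable-ADOptionalFeature step in section 2, and then reads the tombstoneLifetime value that the ADSI Edit steps above change. It assumes the Active Directory PowerShell module and the forest www.domain.com used in the article.

```powershell
# Added example, not the article's own code: preflight checks before the irreversible
# Enable-ADOptionalFeature step in section 2, plus a read of the tombstoneLifetime value that
# section 3 edits through ADSI Edit. Assumes the Active Directory PowerShell module and the
# forest www.domain.com used in the article.
Import-Module ActiveDirectory

$forest = Get-ADForest
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# 1. The Recycle Bin needs a forest functional level of Windows Server 2008 R2 or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level $($forest.ForestMode) is below Windows2008R2Forest; raise it first."
}

# 2. Is the feature already on? EnabledScopes stays empty until it is enabled.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Same command as in section 2, but resolved from the directory and with a confirmation
    # prompt, because enabling the feature cannot be undone.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm
}

# 3. Read tombstoneLifetime from CN=Directory Service (the attribute the ADSI Edit steps change).
#    When it is unset, AD uses the legacy default of 60 days; msDS-DeletedObjectLifetime falls
#    back to this value too, so it bounds both the deleted and the recycled phase.
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime
$ttl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
Write-Output "tombstoneLifetime: $ttl days"
```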

4. Native Methods to Restore Deleted Active Directory Objects

Reanimating deleted objects in Active Directory can be done using several methods. The following are some of the most commonly used native methods for restoring deleted objects in the Active Directory.

Test Case – In this scenario, a user (“testuser3”) has been deleted from the Active Directory. You can use the following methods to restore a deleted object:

  • Method 1 – Using PowerShell commands
  • Method 2 – Using LDP utility
  • Method 3 – Using Active Directory Administrative Center


Method 1 – Using PowerShell commands

Perform the following steps:

  • Step 1 – In the Active Directory Module for Windows PowerShell, run the following command to list the objects that have been deleted:
    Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
  • Step 2 – Copy the displayed value of “DistinguishedName” (this list gives you the name of the deleted user or users):
    DistinguishedName: CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec-90347ad708cb,CN=Deleted Objects,DC=www,DC=domain,DC=com
  • Step 3 – Run the command below in Windows PowerShell to restore the deleted object:
    Get-ADObject -Filter {displayName -eq "testuser3"} -IncludeDeletedObjects | Restore-ADObject
  • The object is retrieved from the “Deleted Objects” container and restored to its previous location in Active Directory.
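The script below is an added example, not the article's own code: it performs the Method 1 restore for the test case with the checks a practitioner wants first (exactly one match, and a parent OU that may itself have been deleted). It assumes the article's domain DC=www,DC=domain,DC=com and the deleted user “testuser3”.

```powershell
# Added example, not the article's own code: the Method 1 restore with the checks a
# practitioner wants first. Assumes the article's domain (DC=www,DC=domain,DC=com) and
# the deleted user "testuser3" from the test case.
Import-Module ActiveDirectory
$name = 'testuser3'

# Deleted objects keep msDS-LastKnownRDN and lastKnownParent, which tell us where the object lived.
$deleted = @(Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=$name))" `
    -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged)

if ($deleted.Count -eq 0) { throw "No deleted user named '$name' in CN=Deleted Objects." }
if ($deleted.Count -gt 1) {
    # Same-named objects deleted at different times: choose by objectGUID rather than restoring all.
    $deleted | Select-Object Name, ObjectGUID, lastKnownParent, whenChanged | Format-Table -AutoSize
    throw "Several deleted objects match '$name'; restore the right one with Restore-ADObject -Identity <ObjectGUID>."
}
$user = $deleted[0]

# If the parent OU was deleted too, its DN carries the \0ADEL: marker; restore it first,
# then restore the user into the parent's new (restored) DN.
$targetPath = $user.lastKnownParent
if ($targetPath -match '\\0ADEL:') {
    Write-Output "Parent container was deleted as well, restoring it first: $targetPath"
    $parent = Get-ADObject -Identity $targetPath -IncludeDeletedObjects | Restore-ADObject -PassThru
    $targetPath = $parent.DistinguishedName
}

# Restore the user (add -WhatIf to preview). -TargetPath makes the destination explicit.
$restored = $user | Restore-ADObject -TargetPath $targetPath -PassThru

# Verify: the object is back in its OU and no longer flagged isDeleted.
Get-ADUser -Identity $restored.ObjectGUID -Properties isDeleted, whenChanged |
    Select-Object DistinguishedName, Enabled, isDeleted, whenChanged
```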

Method 2 – Using LDP utility

Perform the following steps:

  • Step 1 – In the Start menu or “Command Prompt”, type “ldp.exe” and press the “Enter” key to start the ldp.exe utility.
  • Step 2 – Select “Connect” from the “Connection menu” to show the “Connect” dialog box. Enter the domain name and default port number as 389.
  • Step 3 – Click “OK” to establish the connection.
  • Step 4 – Click “Bind” in the “Connection” menu to access the “Bind” dialog box. Select “Bind as currently logged on user” and click “OK”.
  • Step 5 – Click “Controls” on the “Options” menu to open the “Controls” dialog box.
  • Step 6 – Select “Return deleted objects” from the “Load Predefined” drop-down list so that deleted objects are returned.
  • Step 7 – Click “OK”.
  • Step 8 – Click “Tree” on the “View” menu to open “Tree View” and enter the distinguished name in it.
  • Step 9 – Click “OK” to view the deleted objects under: CN=Deleted Objects,DC=www,DC=domain,DC=com
  • Step 10 – Right-click the user and click “Modify” to open the “Modify” dialog box.
  • Step 11 – In “Edit Entry Attribute”, type “isDeleted”.
  • Step 12 – Select the “Delete” operation and click “Enter”.
  • Step 13 – Type “distinguishedName” in the “Edit Entry Attribute” box and select “Replace” under “Operation”.
  • Step 14 – Make sure that the “Extended” checkbox is selected.

With this method the object is restored to the domain root, not to its original parent Organizational Unit. After recovering the object, move it back to its parent container manually.
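As an added example (not from the article), the reanimation that LDP performs in steps 10 to 14 above, sent as a single LDAP modify through System.DirectoryServices.Protocols. It assumes a domain controller named dc01.www.domain.com and the deleted distinguished name shown in Method 1; both are hypothetical values.

```powershell
# Added example, not from the article: the reanimation that LDP performs in steps 10-14 of
# Method 2, sent as a single LDAP modify through System.DirectoryServices.Protocols. Assumes a
# domain controller dc01.www.domain.com and the deleted DN shown in Method 1 (both hypothetical).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$deletedDn = 'CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec-90347ad708cb,CN=Deleted Objects,DC=www,DC=domain,DC=com'
# As the article notes, this method brings the object back at the domain root; move it afterwards.
$newDn     = 'CN=testuser3,DC=www,DC=domain,DC=com'

# Steps 2-4: connect on port 389 and bind as the logged-on user; signing/sealing protects the session.
$conn = New-Object "$P.LdapConnection" -ArgumentList 'dc01.www.domain.com:389'
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# Steps 11-12: remove the isDeleted attribute ...
$delFlag = New-Object "$P.DirectoryAttributeModification"
$delFlag.Name      = 'isDeleted'
$delFlag.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

# Step 13: ... and replace distinguishedName, in the same modify request.
$setDn = New-Object "$P.DirectoryAttributeModification"
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

# Steps 6 and 14 ("Return deleted objects" / "Extended"): the Show Deleted control,
# OID 1.2.840.113556.1.4.417, must accompany the modify or the DC will not find the tombstone.
$req = New-Object "$P.ModifyRequest"
$req.DistinguishedName = $deletedDn
[void]$req.Modifications.Add($delFlag)
[void]$req.Modifications.Add($setDn)
[void]$req.Controls.Add((New-Object "$P.ShowDeletedControl"))

try {
    [void]$conn.SendRequest($req)
    Write-Output "Reanimated $deletedDn as $newDn"
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    throw "Reanimation failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Message)"
}

# The manual move the article describes after an LDP restore (the target OU is hypothetical):
# Move-ADObject -Identity $newDn -TargetPath 'OU=Staff,DC=www,DC=domain,DC=com'
```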

Method 3 – Using Active Directory Administrative Center

Follow these steps to recover deleted objects in Windows Server 2012 and Windows Server 2012 R2:

  • Step 1 – Go to Start, type dsac.exe and open “Active Directory Administrative Center”.
  • Step 2 – In the left pane, click the domain name and select the “Deleted Objects” container.
  • Step 3 – Right-click the container and click “Restore” to restore the deleted objects.