
Tools to restore AD Objects: How to restore deleted user accounts in Active Directory with Microsoft LDP and PowerShell

Active Directory (AD) is a widely used directory system, so the ability to roll back unwanted changes in your AD infrastructure is crucial. When AD objects are deleted, they are placed in the Deleted Objects container (the AD Recycle Bin). By default, this container is not displayed to an administrator, and the Recycle Bin feature must be enabled manually using PowerShell, the Active Directory Administrative Center (ADAC), or the LDP.exe utility.

There are several methods to restore deleted user accounts, computer accounts, and security groups; these objects are known collectively as security principals. For related content on Active Directory, see the following guides: “AD Authentication methods: Kerberos and NTLM”, “Concept of AD Computer Account”, “How to remove Microsoft Exchange Server from AD”, and “The sign-in method you are trying to use is not allowed”. For a detailed list of articles on Active Directory, visit the following link.

AD Recycle Bin, available since Windows Server 2008 R2, builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted AD objects. When you enable AD Recycle Bin, all link-valued and non-link-valued attributes of deleted AD objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion, e.g., with all group memberships and corresponding access rights they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments.

Since we have already discussed how this can be achieved with the AD Administrative Center, let us look at the other methods of restoring deleted accounts on Windows Server: the LDP.exe utility and PowerShell cmdlets.

Method 1 – PowerShell ADOptionalFeature cmdlet: To demonstrate this with PowerShell, I will first create an AD user account and then delete it. Here are the steps (see also how to create a contact in AD):
– Launch Active Directory Users and Computers.
– Click on your OU and create the user account as shown below.

Enter any names you wish, as shown below.

Enter the password, decide on the account properties you want, and then click Next.

Finally click on “Finish” to complete the account creation.

Now that the account has been created, we can proceed to delete it again 🙂

Click on Yes to delete the account as shown below.

Now the account has been deleted, as it no longer appears in the list, as shown in the figure below.

Next, run the following PowerShell command to list the deleted objects together with their GUIDs and distinguished names (DNs):

Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

Run the command given below in Windows PowerShell to restore the deleted object. The previous command is useful here because it tells you the name of the deleted account to filter on.

Get-ADObject -Filter 'Name -Like "*lab tester*"' -IncludeDeletedObjects | Restore-ADObject

As you can see, the account has been restored. This command retrieves the object from the Deleted Objects container and restores it to its previous location in Active Directory.

You can also use the PowerShell command below, which filters on the display name instead:

Get-ADObject -Filter {displayName -like "*lab tester*"} -IncludeDeletedObjects | Restore-ADObject

If you wish to restore the object to a different OU, use the command below. Each cmdlet must be entered on a single line, even though it may appear word-wrapped across several lines here because of formatting constraints. See this link for more information.

Get-ADObject -Filter 'Name -Like "*lab tester*"' -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=users,DC=techdirectarchive,DC=local"
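The wildcard filters above are convenient in a lab, but in production a name pattern can match more than one tombstone. The script below is an added example (not code from the original post) that checks whether the Recycle Bin feature is enabled, lists recently deleted objects with their last known parent, and restores a single object by its objectGUID, optionally to a different OU. The function names are my own; it assumes the ActiveDirectory RSAT module and an account with rights to restore objects.

```powershell
# Added example: safer variant of the Method 1 workflow.
# Assumes the ActiveDirectory module (RSAT) and restore permissions on the domain.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # Restore-ADObject only brings back a fully attributed object when the
    # Recycle Bin optional feature is enabled for the forest; otherwise the
    # tombstone has most attributes (group membership etc.) stripped.
    # To enable it (irreversible, forest-wide) use Enable-ADOptionalFeature.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    return [bool]$feature.EnabledScopes
}

function Get-RecentlyDeletedADObject {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Same LDAP filter as the post, plus the attributes needed to decide
    # what to restore and where it used to live.
    Get-ADObject -LDAPFilter '(msDS-LastKnownRDN=*)' -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged, objectClass |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object ObjectGUID, objectClass, whenChanged,
            @{ n = 'LastKnownRDN';    e = { $_.'msDS-LastKnownRDN' } },
            @{ n = 'LastKnownParent'; e = { $_.lastKnownParent } }
}

function Restore-ADObjectByGuid {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath,   # optional OU DN, like -TargetPath in the post
        [switch]$WhatIf
    )
    # Look the object up by GUID (unique) so a name wildcard can never
    # restore the wrong tombstone.
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects
    if (-not $obj.Deleted) { throw "Object $ObjectGuid is not in the Deleted Objects container" }
    $params = @{ Identity = $obj; WhatIf = $WhatIf }
    if ($TargetPath) { $params['TargetPath'] = $TargetPath }
    Restore-ADObject @params
}

# Constructed usage:
if (-not (Test-ADRecycleBinEnabled)) { Write-Warning 'AD Recycle Bin is not enabled' }
Get-RecentlyDeletedADObject -Days 30 | Format-Table -AutoSize
# Restore-ADObjectByGuid -ObjectGuid '<GUID from the list above>' -WhatIf
```

Run the restore with -WhatIf first to confirm the target DN before changing the directory.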

Method 2 – LDP.exe utility: Ldp is a graphical user interface (GUI) tool with a scope pane on the left, used for navigating the Active Directory namespace, and a details pane on the right, used for displaying the results of LDAP operations. LDP lets you perform connect, bind, search, modify, add, or delete operations against AD, and it can display objects stored in AD along with their metadata and attributes.

Note: ldp.exe is available:
– On computers where the Domain Controller role has been installed.
– On computers where Remote Server Administration Tools (RSAT) has been installed.

To run LDP, perform the following steps:

– From the Start menu or Command Prompt, type “ldp.exe” and press Enter (or click OK) to start the ldp.exe utility.

Note: You can also call this from the command prompt; just enter “ldp.exe” and click OK.

Select “Connect” from the “Connection menu” to show the “Connect” dialog box.

Enter the server name (the server’s IP address or Fully Qualified Domain Name (FQDN)) and the default port number, 389.
– Click “OK” to establish the connection.

If the current machine is joined to the Active Directory domain, messages like the following will appear in the right panel. This indicates that the connection has been established.

To complete the connection with the Domain Controller, we need to authenticate with the current user credentials.
– Click on the Connection menu again.
– Select Bind as shown below.

Select the first option “Bind as currently logged on user” and
– Click “OK”.

Click on Controls under the Options menu as shown below

Select “Load Predefined” and choose “Return deleted objects” from the drop-down list to gain access to deleted objects.

– Click on OK.

Next, open the “View” menu and click “Tree”.

Enter the “Distinguished name” of the Deleted Objects container, as shown below:

CN=Deleted Objects,DC=domain,DC=com

Right-click the user and click the “Modify” command to open the dialog box shown below.

In “Edit Entry Attribute”, type “isDeleted”, select the “Delete” operation, and
– Click “Enter”.

Next, type the distinguished name in the “Edit Entry Attribute” field as shown below.
– Select “Replace” under “Operation”.
– Also, ensure you select the “Extended” checkbox.

This was the third option I tested because the object is restored to the root of the domain and cannot be restored directly to its original OU. After recovering the user object, you have to move it back to its parent container manually.

I do not find this practical; with PowerShell and ADAC, you can restore the object to its original OU or even specify a different OU to move it into.

Other tools capable of restoring AD objects: There are many other tools that can perform the same job.
1: StealthRECOVER: This tool provides point-in-time rollback and recovery of Active Directory objects, attributes, integrated DNS, and more, allowing organisations to restore objects in their entirety or just the granular attribute information they need. In a nutshell, it allows you to roll back malicious or unwanted changes with a single click.

2: ADRestore: This is a simple command-line utility that enumerates the deleted objects in a domain and gives you the option of restoring each one. Its source code is based on sample code in the Microsoft Platform SDK. For more on the Sysinternals tools, see the following link1 and link2.

3: Veeam: Veeam provides fast and reliable object‑level recovery for Active Directory from a single‑pass, agentless backup or storage snapshot without the need to restore an entire virtual machine (VM) or use third‑party tools.
– Search and restore for all Active Directory (AD) object types, such as users, groups, computer accounts, and contacts, including user and computer password recovery.

4: Lepide Data Security Platform: Also provides the capability to restore deleted Active Directory objects.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session. I welcome you to follow me on Twitter and Facebook.
