Restoring deleted objects in Active Directory.

In AD, you can use the following tools to restore deleted objects:

• PowerShell
• LDP utility
• Active Directory Administrative Center (applicable for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012)

For any of the above methods to work, the native AD Recycle Bin must be enabled. If Recycle Bin is not enabled, most object attributes will be removed when the objects are deleted. The objects can still be restored, but the missing attributes will have to be manually added back.

On the other hand, if the Recycle Bin is enabled, the objects and all their attributes are preserved for the tombstone lifetime period, which can be set by changing the msDS-deletedObjectLifetime attribute.

Before you enable the AD recycle bin, ensure that the domain and forest functional levels are at least at Windows Server 2008 R2.

Note: Once the AD Recycle Bin has been enabled, it cannot be disabled. 

To enable the AD Recycle Bin, execute the following command in PowerShell:

If you use Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

• In the management console, navigate to Tools ➝ Active Directory Administrative Center.
• From the left pane, select the Domain for which you wish to enable the Recycle Bin.
• In the Tasks on the right-hand side of the screen, select Enable Recycle Bin.
• A dialog box appears with a message that explains that this action is irreversible. Click OK. 
• Enabling the Recycle Bin will make changes in the configuration partition. Wait for AD replication to complete. This process may take a while if your organization has a large AD infrastructure.

To restore a deleted object, open PowerShell and type in the following command: 

Here, $dn is the distinguished name of the object to be restored. To find the distinguished name of the object, use the following script in PowerShell:

To find the distinguished name of the object and to perform the restoration, use the following script in PowerShell:

Here, %OLD_NAME% is the name of the object before being deleted. 

• Open the Command Prompt. Type ldp.exe and press the Enter key to start the ldp.exe utility. 
• Open the Connect dialog box by navigating to Connection ➝ Connect.
• Enter the domain name and the default port number (389).
• Click OK.
• Navigate to Connect ➝ Bind, or click Ctrl + B to open the Bind dialog box.
• Select Bind as currently logged on user and click OK.
• Navigate to Options ➝ Controls, or press the Ctrl + L shortcut.
• Navigate to Load Predefine ➝ Return Deleted objects and click OK.
• Navigate to View ➝ Tree. Provide the distinguished name of the deleted objects container in the space provided. In this case, CN=Deleted Objects,DC=zylker,dc=com.
• Click OK to view deleted objects.
• Expand the container in the left pane.
• Locate the deleted object in the left pane.
• Right-click the object and click Modify.
• In the dialog box that appears, type IsDeleted in the Edit Entry Attribute field.
• Select the Delete option and click Enter.
• Type distinguishedName in the Edit Entry Attribute field, and provide the distinguished name of the object in the Values field.
• Make sure that the Extended checkbox is selected.
• Click Run to restore the object. 

Note: When you restore the objects present inside the organizational unit (OU), make sure that the distinguished name you provide contains the name of its parent OU. If the parent OU is not mentioned, the object will be restored to the root domain, and you’ll have to manually move it to the correct OU.

• Open the Active Directory Administrative Center from the Start menu.
• In the left pane, click the domain name and select the Deleted Objects container under it. 
• Select the deleted object, and click the Restore button in the right pane.

• Searching for specific deleted objects using PowerShell and LDP utility is time-consuming.
• By default, tombstoned user and computer objects don’t contain the password (Unicode-pwd), and thus the restored user and computer accounts' passwords are not restored. Restored user accounts’ passwords have to be reset, and the computer objects must be added back to the domain manually by the sysadmin. For user and computer passwords to be restored, the value of the searchFlag attribute on the Unicode-pwd schema object must be changed from 0 to 8.
• Native Recycle Bin has to be enabled to perform complete restorations, which can increase the size of the Directory Information Tree (DIT).
• Objects that have exceeded the tombstone life cycle period cannot be restored.

ManageEngine's RecoveryManager Plus enables you to overcome all the shortcomings of the native tools while adding more value with the addition of its other capabilities. 

With RecoveryManager Plus, you can restore objects with all their attributes intact, even if the native Recycle Bin is not enabled; this is possible because RecoveryManager Plus comes bundled with its own Recycle Bin feature. All AD objects that have been deleted can be found there, and you can even preview the attributes that will be restored along with the object. You can also use the available filters to limit the search results to required object type (user, OU, group, etc.), or search for the deleted object by name. 

RecoveryManager Plus is a better alternative to native tools: no endless PowerShell scripting; no need to sift through countless entries to find the deleted object, like in LDP utility.

Besides restoring deleted objects, RecoveryManager Plus is a multifaceted tool with several capabilities that make it a must-have for sysadmins who want total control over the contents of their AD.

Learn more about the various features that RecoveryManager Plus has to offer.