Restoring deleted objects in Active Directory

In AD, you can use the following tools to restore deleted objects:

• PowerShell
• LDP utility
• Active Directory Administrative Center (applicable for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012)

For any of the above methods to work, the native AD Recycle Bin must be enabled. If Recycle Bin is not enabled, most object attributes will be removed when the objects are deleted. The objects can still be restored, but the missing attributes will have to be manually added back.

On the other hand, if the Recycle Bin is enabled, the objects and all their attributes are preserved for the tombstone lifetime period, which can be set by changing the msDS-deletedObjectLifetime attribute.

Before you enable the AD recycle bin, ensure that the domain and forest functional levels are at least at Windows Server 2008 R2.

Note: Once the AD Recycle Bin has been enabled, it cannot be disabled.

Enabling AD Recycle Bin using PowerShell

To enable the AD Recycle Bin, execute the following command in PowerShell:

If you use Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

Enabling AD Recycle Bin using Active Directory Administrative Center

1. In the management console, navigate to Tools > Active Directory Administrative Center.
2. From the left pane, select the Domain for which you wish to enable the Recycle Bin.
3. In the Tasks on the right-hand side of the screen, select Enable Recycle Bin.
4. A dialog box appears with a message that explains that this action is irreversible. Click OK.
5. Enabling the Recycle Bin will make changes in the configuration partition. Wait for AD replication to complete. This process may take a while if your organization has a large AD infrastructure.

To restore a deleted object, open PowerShell and type in the following command:

Here, $dn is the distinguished name of the object to be restored. To find the distinguished name of the object, use the following script in PowerShell:

To find the distinguished name of the object and to perform the restoration, use the following script in PowerShell:

Here, %OLD_NAME% is the name of the object before being deleted.

Figure 1: Restoring AD objects using PowerShell

1. Open the Command Prompt. Type ldp.exe and press the Enter key to start the ldp.exe utility.
2. Open the Connect dialog box by navigating to Connection > Connect.
3. Enter the domain name and the default port number (389).
4. Click OK.
5. Navigate to Connect > Bind, or click Ctrl + B to open the Bind dialog box.
6. Select Bind as the currently logged on user and click OK.
7. Navigate to Options > Controls, or press the Ctrl + L shortcut.
8. Navigate to Load Predefine > Return Deleted objects and click OK.
9. Navigate to View > Tree. Provide the distinguished name of the deleted objects container in the space provided. In this case, CN=Deleted Objects,DC=zylker,dc=com.
10. Click OK to view deleted objects.
11. Expand the container in the left pane and locate the deleted object.
12. Right-click the object and click Modify.
13. In the dialog box that appears, type IsDeleted in the Edit Entry Attribute field.
14. Select the Delete option and click Enter.
15. Type distinguishedName in the Edit Entry Attribute field, and provide the distinguished name of the object in the Values field.
16. Make sure that the Extended checkbox is selected.
17. Click Run to restore the object.

Note:When you restore the objects present inside the organizational unit (OU), make sure that the distinguished name you provide contains the name of its parent OU. If the parent OU is not mentioned, the object will be restored to the root domain, and you’ll have to manually move it to the correct OU.

1. Open the Active Directory Administrative Center from the Start menu.
2. In the left pane, click the domain name and select the Deleted Objects container under it.
3. Select the deleted object, and click the Restore button in the right pane.

• Searching for specific deleted objects using PowerShell and LDP utility is time-consuming.
• By default, user and computer objects that have exceeded their tombstone lifetime do not retain the password (Unicode-pwd). As a result, when these accounts are restored, their passwords are not recovered. Administrators must reset the passwords for restored user accounts and manually rejoin computer objects to the domain. To restore user and computer passwords, the value of the searchFlag attribute on the Unicode-pwd schema object must be changed from 0 to 8.
• Native Recycle Bin has to be enabled to perform complete restorations, which can increase the size of the Directory Information Tree (DIT).
• Objects that have exceeded the tombstone life cycle period cannot be restored.

ManageEngine's RecoveryManager Plus enables you to overcome all the shortcomings of the native tools while offering enhanced functionality.

With RecoveryManager Plus, you can restore objects with all their attributes intact, even if the native Recycle Bin is not enabled; this is possible because RecoveryManager Plus comes bundled with its own Recycle Bin feature.

All the deleted objects are accessible in the Deleted Objects section under the Quick Recovery tab. You can review attributes of deleted AD objects and restore them to the last known versions before the objects were deleted.

To restore deleted AD objects:

1. Navigate to Active Directory > Active Directory Objects > Quick Recovery > Deleted Objects.
2. Select the domain that contains the deleted objects you would like to restore from the drop-down in the top-left corner.
3. To filter objects, simply click one of the tiles. The options include Total Deleted Objects, Deleted Users, Deleted Groups, and Deleted Group Policy Objects. To filter other objects, use the Object Type drop-down in the table below.
4. Click Restore Location to choose a location for the object to be restored to. If no location is selected, the object will be restored to its original location where it was deleted.
5. Click the link in the Backup Version field in the table to review the attributes and the values of the object that will be restored.
6. Check the boxes beside the objects that you wish to restore and click Restore.

Figure 2: Restoring deleted AD objects using RecoveryManager Plus

RecoveryManager Plus is a better alternative to native tools: no endless PowerShell scripting; no need to sift through countless entries to find the deleted object, like in LDP utility.

Besides restoring deleted objects, RecoveryManager Plus is a multifaceted tool with several capabilities that make it a must-have for sysadmins who want total control over the contents of their AD.

Learn more about the various features that RecoveryManager Plus has to offer.