How to restore deleted Active Directory contacts
Last updated on:On this page
Active Directory (AD) contact objects are leaf objects that represent external users in the Global Address List (GAL). Deleting them can disrupt mail flow, remove them from distribution groups, and break synchronization with systems like Microsoft 365.
Once deleted, an AD contact enters the deleted state. There, it remains fully intact for the Deleted Object Lifetime, which is 180 days by default. If not restored, it moves to the Recycled State, where most attributes are stripped. This leaves a tombstone that cannot be fully recovered using native tools. The garbage collection process then permanently deletes the object. However, restoring the AD contact preserves its group memberships, ensuring uninterrupted external communication and directory synchronization.
If an AD contact object has been accidentally deleted from your directory, follow these steps to recover it using the Active Directory Administrative Center (ADAC), PowerShell, and RecoveryManager Plus, the comprehensive AD backup and recovery tool.
- ADAC
- PowerShell
- RecoveryManager Plus
Method 1: Restore deleted AD contacts using the ADAC
The ADAC provides a graphical interface for locating and restoring a deleted AD contact object. Administrators can use this method if the AD Recycle Bin was enabled before the deletion.
Prerequisites
- The AD Recycle Bin must have been enabled before the deletion.
- You must have sufficient permissions to view and restore objects from the Deleted Objects container, such as Domain Admin, Enterprise Admin, or equivalent delegated permissions.
- If you are running the ADAC on a client machine, Remote Server Administration Tools (RSAT) must be installed. To install RSAT on Windows 10 or Windows 11, use the script below:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- Ensure the module is loaded using the script below:
Import-Module ActiveDirectory
This method applies to AD domains with a forest and domain functional level of Windows Server 2008 R2 or higher.
Steps
- Launch ADAC.
- On the left pane, select your domain and click the Deleted Objects container.
- Browse the list or use the search bar to locate the deleted contact.
- Click Restore to return the contact to its original OU, or click Restore To to specify a new location.
Limitations
- Restoration requires the AD Recycle Bin to be enabled.
- You cannot restore objects after the tombstone lifetime expires.
- There is no preview of object attributes before restoration.
Method 2: Restore deleted AD contacts using PowerShell
You can use PowerShell to restore deleted AD contacts directly from the Deleted Objects container.
Prerequisites
- You must run PowerShell as an administrator with Domain Admin or delegated permissions.
- The AD PowerShell module must be installed. To install it on Windows 10 or Windows 11, run the script below:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Ensure the module is loaded using the script below:
Import-Module ActiveDirectory
- Verify the AD Recycle Bin is enabled using the script below:
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' | Select-Object Name, EnabledScopes
If the EnabledScopes property is empty, the AD Recycle Bin is not enabled. If it is not enabled, deleted objects cannot be restored using this method and must be recovered using tombstone reanimation or authoritative restore approaches.
When the AD Recycle Bin is enabled
Restore the contact using the display name
If you know the name of the deleted AD contact, run the following script:
Get-ADObject -Filter 'DisplayName -eq "Sharon"' -IncludeDeletedObjects | Restore-ADObject
Restore the contact using the GUID
To avoid errors with duplicate names, use the unique ObjectGUID:
Get-ADObject -Filter 'ObjectGUID -eq "12345678-1234-1234-1234-1234567890ab"' -IncludeDeletedObjects | Restore-ADObject
Restore the contact using email address
If you know the email address associated with the deleted contact, run the following script:
Get-ADObject -Filter 'ObjectClass -eq "contact" -and mail -eq "john.external@example.com"' -IncludeDeletedObjects | Restore-ADObject
Restore contacts in bulk
Restore all deleted AD contact objects:
Get-ADObject -Filter 'ObjectClass -eq "contact"' -IncludeDeletedObjects |
ForEach-Object {
Restore-ADObject -Identity $_.ObjectGUID
}
Restore by deletion time:
$When = (Get-Date).AddDays(-1)
Get-ADObject -Filter 'isDeleted -eq $true -and whenChanged -gt $When' -IncludeDeletedObjects | Restore-ADObject
When the AD Recycle Bin is not enabled
If the AD Recycle Bin is not enabled and an AD contact object is deleted, most of its attributes are not retained, making full recovery difficult.
Microsoft recommends an authoritative restore from a system state backup as the most reliable method. This helps recover the contact with its key attributes and ensures proper replication across domain controllers.
If a backup is not available, tombstone reanimation can be used. However, this only restores the contact object. Attributes like mail, proxyAddresses, and targetAddress must be recreated manually. This method should only be used when an authoritative restore is not feasible.
Use this command to reanimate the contact object:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=zylker,DC=com" -Filter 'ObjectClass -eq "contact" -and Name -like "*External*"' -IncludeDeletedObjects | Restore-ADObject
After restoration, you need to manually reconfigure the contact’s attributes and placement.
Supported parameters
| Parameter | Description |
|---|---|
| -Filter | Specifies a query string to identify the specific object to retrieve. |
| -IncludeDeletedObjects | Searches the Deleted Objects container, which is hidden by default. |
| -SearchBase | Specifies the Distinguished Name of the container to search within. |
| -eq | A logical operator standing for equal to. |
| -gt | A logical operator standing for greater than, often used for timestamps. |
| ObjectGUID | The unique 128-bit identifier assigned to an AD object that never changes. |
| isDeleted | A Boolean attribute that marks whether an object has been moved to the Deleted Objects container. |
Limitations
- Requires scripting knowledge.
- The contact objects' attributes must be manually rebuilt if the AD Recycle Bin is disabled.
- A contact can't be restored if the parent container is missing.
- There's a risk of restoring the wrong objects due to filter errors or typos.
- Bulk restore operations can lead to performance lags.
Method 3: Restore deleted AD contacts using RecoveryManager Plus
Restoring deleted AD contacts using native tools like the ADAC or PowerShell can be complex and time-consuming. These methods require manual validation and scripting and do not allow you to preview objects before restoration.
ManageEngine RecoveryManager Plus is a comprehensive AD backup and recovery solution designed to eliminate these complexities. It provides an easy-to-use, web-based interface where administrators can view, compare, and recover deleted AD objects from a dedicated Recycle Bin. This ensures recovery even if the Recycle Bin is unavailable or the tombstone lifetime expires.
- Navigate to Active Directory > Active Directory Objects > Quick Recovery > Deleted Objects.
- Select the contact you wish to restore and click Restore.
Manage your AD recovery effectively with RecoveryManager Plus
Restoring deleted AD contact objects using native tools can be complex, often requiring re-entering lost data manually. RecoveryManager Plus simplifies this process with a dedicated recovery console that ensures your directory remains intact without the need for complex scripting. By leveraging specialized capabilities to back up and restore AD contact objects, you can recover data instantly instead of relying on manual workarounds. These advanced features help you overcome the limitations of native tools efficiently:
Domain controller backup
Back up domain controllers and restore them instantly in the event of a disaster.
Automated backups
Schedule recurring backups to capture every change in your AD environment without manual intervention.
Granular restoration
Restore the entire domain, specific contact objects, or only the modified attributes without affecting the entire directory.
Change tracking
Monitor changes made to AD objects and undo them instantly from a single dashboard.
Rollback
Revert objects to any previous backed-up state to undo accidental changes.
Best practices for AD recovery
Follow these best practices to strengthen your AD recovery strategy and ensure deleted objects can be restored efficiently when needed.
Perform regular backups: Schedule frequent AD backups based on your organization's Recovery Point Objective to ensure contacts can be restored to their latest versions when required.
Secure backup repositories: Follow the 3-2-1 backup rule and store your AD backups in a secure, isolated location to protect against ransomware.
Implement least privilege access: Ensure that only a limited number of administrators have the permissions required to delete objects.
Monitor critical OUs: Enable Protect object from accidental deletion on all critical OUs to prevent unintended administrative actions.
Perform testing regularly: Periodically test your backup and recovery processes to ensure they work as expected.
Frequently asked questions
A Mail-Enabled Contact can lose email attributes such as mail and proxyAddresses if it is restored as a tombstone while the AD Recycle Bin is disabled. In this state, only the object is recovered, while email-related attributes are not retained.
Recreating a contact generates a new ObjectGUID, which means it will not retain previous attribute values or group memberships. Restoring the original contact object preserves its identity and existing relationships.
An AD contact represents an external user in the directory. A Mail-Enabled Contact is an AD contact with Exchange attributes such as targetAddress and proxyAddresses that make it visible in the GAL. If restored without the AD Recycle Bin, these mail attributes may be lost and need to be reconfigured.