If an object has been deleted in your Active Directory, and you want it recovered, there are a number of things you can do. This article will take you through some background information on what happens to deleted Active Directory objects and what your options are when it comes to restoring them.
Cycle of Deleted Objects
Take a look at the following images of the cycle of a deleted object in Active Directory before and after enabling “Active Directory Recycle Bin”:
Enabling the Active Directory Recycle Bin gives you more leeway when it comes to restoring a deleted object. Best to enable it!
What happens to a Deleted Active Directory Object?
The following table compares the cycle of a deleted object before and after enabling “Active Directory Recycle Bin”:
Default Tombstone Lifetime and How to Change It
The default tombstone lifetime is 60 days on Windows Server 2000/2003 and 180 days on Windows Server 2003 SP1/2008 (in later versions it can be modified using the ADSI Edit tool).
Perform the following steps to check and modify the tombstone lifetime period.
- Access ADSI Edit Console.
- Connect to “Configuration” partition.
- Navigate to “CN=Configuration, DC=www, DC=domain, DC=com” → “CN=Services”, and expand “CN=Windows NT”.
- Right click on “CN=Directory Service” and click “Properties” in the context menu.
- In the “Properties” dialog box, look for the “msDS-deletedObjectLifetime” attribute. It shows the default tombstone lifetime in days.
- Select the “tombstoneLifetime” attribute and click “Edit” to change its value.
- You can scroll down to the “tombstoneLifetime” attribute and follow the same steps to change its value.
Methods to Restore Deleted Active Directory Objects
Reanimating deleted objects in Active Directory can be done using several methods. The following are some of the most commonly used native methods for restoring deleted objects in the Active Directory.
Test Case – In this scenario, a user (“testuser3”) has been deleted from Active Directory. You can use the following methods to restore a deleted object:
- Method 1 – Using AD Recycle Bin (Active Directory Administrative Center)
- Method 2 – Using PowerShell commands
- Method 3 – Using LDP utility
Note – The Active Directory Recycle Bin should be enabled if you are using any of the above methods. If the AD Recycle Bin is not enabled, most object attributes are stripped when the object is deleted, and you have to add them back manually after restoring the object.
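The ADSI Edit procedure above and this note both come down to a handful of forest-wide settings. The following PowerShell audit is an added example, not code from the original article: it reads the same CN=Directory Service attributes (tombstoneLifetime, msDS-DeletedObjectLifetime), reports whether the Recycle Bin optional feature is enabled, and wraps the two changes behind confirmation prompts. It assumes the ActiveDirectory module on a domain-joined host with rights to the Configuration partition.

```powershell
# Added example (not from the original article): audit of the settings that decide how long a
# deleted object survives, plus guarded helpers for the two forest-wide changes discussed above.
Import-Module ActiveDirectory

function Get-DirectoryServiceDn {
    # CN=Directory Service lives under the Configuration partition of the forest.
    "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
}

function Get-ADDeletionLifecycle {
    $ds     = Get-ADObject -Identity (Get-DirectoryServiceDn) -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $forest = Get-ADForest
    $rbin   = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    [pscustomobject]@{
        Forest                    = $forest.Name
        ForestFunctionalLevel     = $forest.ForestMode
        RecycleBinEnabled         = ($rbin.EnabledScopes.Count -gt 0)
        # An unset tombstoneLifetime means the forest still runs on the built-in default described above.
        TombstoneLifetimeDays     = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 'not set (built-in default)' }
        # msDS-DeletedObjectLifetime only matters once the Recycle Bin is on; unset means it follows tombstoneLifetime.
        DeletedObjectLifetimeDays = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { 'not set (same as tombstoneLifetime)' }
    }
}

function Set-ADTombstoneLifetime {
    # Same edit as the "tombstoneLifetime" step of the ADSI Edit procedure; -Confirm prompts first.
    param([Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Days)
    Set-ADObject -Identity (Get-DirectoryServiceDn) -Replace @{ tombstoneLifetime = $Days } -Confirm
}

function Enable-ADRecycleBinIfMissing {
    # Enabling the Recycle Bin is a one-way, forest-wide change, hence the confirmation prompt.
    $state = Get-ADDeletionLifecycle
    if ($state.RecycleBinEnabled) { return "Recycle Bin already enabled in $($state.Forest)" }
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $state.Forest -Confirm
}

Get-ADDeletionLifecycle | Format-List
```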
1. Restore AD Objects Using AD Recycle Bin (Active Directory Administrative Center)
Follow the below given steps to recover deleted objects in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012:
- Step 1 – Navigate to Start and type dsac.exe to open “Active Directory Administrative Center”.
- Step 2 – In the left pane, click the domain name and select the “Deleted Objects” container.
- Step 3 – Right-click the container and click “Restore” to restore the deleted objects.
2. Restore AD Objects Using LDP Utility
Perform the following steps:
- Step 1 – In the Start menu or “Command Prompt”, type “ldp.exe” and press “Enter” to start the ldp.exe utility.
- Step 2 – Select “Connect” from the “Connection” menu to open the “Connect” dialog box. Enter the domain name and the default port number, 389.
- Step 3 – Click “OK” to establish the connection.
- Step 4 – Click “Bind” in the “Connection” menu to access “Bind” dialog box. Select “Bind as currently logged on user” and click “OK”.
- Step 5 – Click “Controls” from the “Options” menu to access following dialog box.
- Step 6 – Click “Return Deleted objects” from “Load Predefined” drop-down list to access deleted objects.
- Step 7 – Click “OK.”
- Step 8 – Click “Tree” on the “View” menu to access “Tree View”. Enter the “Distinguished name” in it.
- Step 9 – Click “OK” to view deleted objects:
CN=Deleted Objects, DC=www, DC=domain, DC=com
- Step 10 – Right-click the user and click the “Modify” command to access the given dialog box.
- Step 11 – In “Edit Entry Attribute”, type “IsDeleted”.
- Step 12 – Select the “Delete” option and click “Enter”.
- Step 13 – Type distinguished name in the “Edit Entry Attribute” text box. Select “Replace” under “Operation”.
- Step 14 – Make sure that you select “Extended” checkbox.
The object can be restored to the root domain but cannot be restored to its parent Organizational unit. After recovering the object, you have to move the object to its parent container manually.
3. Restore AD Objects Using PowerShell Commands
Perform the following steps:
- Step 1 – Execute the following command in the Active Directory Module for Windows PowerShell to list the objects that have been deleted:
Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
- Step 2 – Copy the displayed value of “Distinguished Name” (you get the name of the deleted user/users from this list):
DistinguishedName: CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec90347ad708cb, CN=Deleted Objects, DC=www,DC=domain, DC=com
- Step 3 – Execute the command given below in Windows PowerShell to restore the deleted object:
Get-ADObject -Filter {displayName -eq "testuser3"} -IncludeDeletedObjects | Restore-ADObject
The object is restored to its previous location in Active Directory after it is retrieved from the “Deleted Objects” container.
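The two commands above cover the simple case. The following script is an added example, not the article's own code: it looks the deleted object up by its last known name (msDS-LastKnownRDN) and restores it to the container recorded in lastKnownParent. If that container was deleted in the same operation it is restored first and the object is placed under it with an explicit -TargetPath, which addresses the manual move-to-parent step noted in the LDP section. It assumes the Recycle Bin is enabled, the ActiveDirectory module is loaded, and uses the article's sample account “testuser3”.

```powershell
# Added example (not from the original article): name-based lookup and parent-aware restore.
Import-Module ActiveDirectory

function Find-ADDeletedObject {
    param([Parameter(Mandatory)][string]$Name)
    # msDS-LastKnownRDN and lastKnownParent survive deletion, so the original name and location
    # remain searchable in CN=Deleted Objects. $Name is used verbatim; escape LDAP metacharacters if needed.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" -IncludeDeletedObjects `
                 -Properties 'msDS-LastKnownRDN', lastKnownParent, objectClass, whenChanged
}

function Restore-ADDeletedObjectTree {
    param([Parameter(Mandatory)]$Object)
    $parent = Get-ADObject -Identity $Object.lastKnownParent -IncludeDeletedObjects -Properties lastKnownParent
    if ($parent.Deleted) {
        # The parent is itself in the Recycle Bin (its DN carries the \0ADEL escape). Restore it first,
        # then re-read it by GUID: the GUID is stable across deletion, the DN is not.
        Restore-ADDeletedObjectTree -Object $parent | Out-Null
        $parent = Get-ADObject -Identity $parent.ObjectGUID
    }
    # An explicit -TargetPath puts the object back under its original container, not the domain root.
    Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $parent.DistinguishedName
    Get-ADObject -Identity $Object.ObjectGUID -Properties whenChanged
}

$candidates = @(Find-ADDeletedObject -Name 'testuser3')
if ($candidates.Count -ne 1) {
    throw "Expected exactly one deleted object named testuser3, found $($candidates.Count); select by ObjectGUID instead."
}
Restore-ADDeletedObjectTree -Object $candidates[0] | Format-List DistinguishedName, ObjectClass, whenChanged
```

Without the Recycle Bin, the lookup still finds tombstones but, as the note above explains, most attributes will be missing after the restore.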
The Limitations of Restoring Objects by Using Native Methods
The backup and restoration capabilities of Active Directory are limited. Here are just a few of those limitations:
- No in-built report function goes into granular detail.
- Native methods do not allow you to restore deleted objects that have entered “Recycled” or “Physically deleted” state.
- You need a solid understanding of PowerShell commands and of the steps for LDP.exe; the latter is more complex than the former.
- It does not guarantee the availability of backup anytime and anywhere. The backup locations for the data are local drives and network shares only.
- It offers only hourly/daily backups.
- You cannot restore a specific object or attribute.
- The local policies of objects cannot be restored.
- Searching for specific objects in the backup is quite time-consuming.
- It is a daunting task to extract the right set of attributes to be restored from the vast tranche of logs.
How Lepide Helps to Restore Deleted Active Directory Objects
There are instances when objects you need are accidentally or intentionally deleted from the Active Directory. In such cases, the Lepide Object Restore Wizard (part of Lepide Data Security Platform) enables you to roll-back those changes to their original state in a single click.
It is able to do this by automatically capturing backup snapshots of Active Directory and Group Policy Objects and saving their state at regular intervals. Administrators can use these snapshots to restore the deleted and modified objects.
Using these snapshots, you can restore even those objects which are in a physically deleted or recycled state. After starting the wizard, Lepide Data Security Platform lets you select the backup snapshot with which you want to compare the current state of Active Directory. After this comparison, the wizard shows a page listing the deleted and modified objects in Active Directory.
The solution also allows you to recover Active Directory objects from their tombstone state.
You can also right-click any unwanted change or object deletion in Active Directory and click “Rollback Change” to undo it with a single click.