Restoring Deleted Active Directory Users/Objects
After deleting any object in Active Directory (a user, a group, a computer, or an organizational unit), you can restore it. In this article, we will show how to restore a deleted object in AD using PowerShell and graphical tools.
First, let's see what happens when you delete an object from AD. The behavior depends on whether the Active Directory Recycle Bin is enabled or not (it is disabled by default). In both cases the object isn't physically deleted: it is marked as deleted (its isDeleted attribute is set to TRUE) and moved to the special Deleted Objects container, which the AD MMC snap-ins don't show. Without the Recycle Bin, most of the object's attributes (including its group memberships) are stripped at the moment of deletion, and the object becomes a tombstone. With the Recycle Bin enabled, all attributes and linked values (group membership included) are preserved.
By default, a deleted object can be restored for 180 days (defined by the msDS-deletedObjectLifetime forest attribute). When that period is over, the object still remains in the Deleted Objects container, but most of its attributes and links are stripped (it becomes a recycled object). After the tombstone lifetime (also 180 days by default, configurable through the tombstoneLifetime attribute), the object is physically removed from AD by the garbage collection process and cannot be restored any more, other than by an authoritative restore from a backup of a domain controller.
Active Directory Recycle Bin
The AD Recycle Bin is available starting at the Windows Server 2008 R2 forest functional level. In earlier versions of Windows Server you can also restore AD objects, but it requires a complex set of actions using special tools: ntdsutil (up to an authoritative restore from an AD backup in Directory Services Restore Mode) or ldp.exe (tombstone reanimation). Additionally, with the AD Recycle Bin you won't lose object attributes or group membership, which a reanimated tombstone has already lost.
Check the functional level of the AD forest (in my example it is Windows2016Forest):
Get-ADForest | Select-Object ForestMode
Make sure the AD Recycle Bin is enabled in your forest (it's disabled by default):
Get-ADOptionalFeature 'Recycle Bin Feature' | Select-Object Name, EnabledScopes
If the EnabledScopes value is not empty, the Active Directory Recycle Bin is enabled (the feature is forest-wide, not per domain). If you want to enable it, use the Enable-ADOptionalFeature cmdlet (this requires Enterprise Admins rights):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=itinfs,DC=com' -Scope ForestOrConfigurationSet -Target 'itinfs.com'
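The check and the enable step above, combined into one idempotent function. This is an added example, not code from the original article; the function name Enable-ADRecycleBinIfNeeded is my own, and it assumes the ActiveDirectory module is loaded and the session runs as an Enterprise Admin. It reads the forest name from Get-ADForest instead of hard-coding a domain, refuses to run below the Windows Server 2008 R2 forest level, checks EnabledScopes (plural, the actual property name) and only calls Enable-ADOptionalFeature when the feature is still off.

```powershell
Import-Module ActiveDirectory

function Enable-ADRecycleBinIfNeeded {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $forest = Get-ADForest
    # The feature requires a forest functional level of Windows Server 2008 R2 or higher.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level is $($forest.ForestMode); raise it to Windows2008R2Forest or higher first."
    }

    # EnabledScopes is empty until the feature has been turned on.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (-not $feature) { throw 'Recycle Bin Feature not found in this forest (schema too old?).' }
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
        return $feature
    }

    # Enabling is irreversible, so go through ShouldProcess (-WhatIf / -Confirm) first.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Recycle Bin Feature (cannot be undone)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.Name -Confirm:$false
        return Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    }
}

# Preview with -WhatIf, then run without it to enable the feature.
Enable-ADRecycleBinIfNeeded -Verbose -WhatIf
```

Run it with -WhatIf first: the only write it performs is the irreversible Enable-ADOptionalFeature call, and the returned object lets you confirm EnabledScopes is populated afterwards.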
Note: the AD Recycle Bin must be enabled before the object is deleted; objects deleted earlier were already stripped of their attributes and cannot be recovered this way. Once enabled, the Active Directory Recycle Bin feature cannot be disabled.
How to restore a deleted user account in Active Directory?
Let's try deleting a user from AD and then restoring it from the AD Recycle Bin.
Using the Get-ADUser cmdlet, display the value of the user's isDeleted attribute (it is empty for a live account):
Get-ADUser jsanti -Properties isDeleted, whenDeleted | Select-Object isDeleted, whenDeleted
Then remove the user account (Remove-ADUser asks for confirmation unless you pass -Confirm:$false):
Remove-ADUser jsanti
To find a deleted user account in the AD Recycle Bin, use the Get-ADObject cmdlet with the -IncludeDeletedObjects switch (without it, deleted objects are never returned):
Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects
As you can see, the user is found in the Deleted Objects container: its name now carries a \0ADEL:<GUID> suffix and its DN ends with CN=Deleted Objects. Check the value of the isDeleted attribute, the container the user was in before being deleted (LastKnownParent), and the list of groups the user was a member of. Review that memberOf list before restoring: the account comes back with the same SID and the same group memberships, including any privileged ones.
Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects -Properties * | Select-Object Name, sAMAccountName, LastKnownParent, memberOf, isDeleted | fl
If you don't remember the name of the user you deleted, you can list all user objects in the Active Directory Recycle Bin (this also lists deleted computer accounts, because the computer class is derived from user in the AD schema):
Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq "user"} -IncludeDeletedObjects
To restore a user account, copy its ObjectGUID value and run the following command:
Restore-ADObject -Identity 'aa704b7f-b003-4a21-8f62-53c75caa67b2'
Or you can find the deleted user by sAMAccountName and pipe it into Restore-ADObject:
Get-ADObject -Filter 'SAMAccountName -eq "jsanti"' -IncludeDeletedObjects | Restore-ADObject
Open the ADUC console (dsa.msc) and make sure that the user account has been restored to the same organizational unit it was in before deletion. If that container no longer exists, Restore-ADObject fails: restore the container first, or use the -TargetPath parameter to put the object into a different OU. You can also restore a deleted object from the Active Directory Administrative Center graphical console:
- Run dsac.exe;
- Open the Deleted Objects container, which lists all deleted AD objects;
- Right-click the object you want to restore and select Restore (to restore it to the original container) or Restore To (to restore it to a different OU).
To restore a deleted security group:
Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*' } -IncludeDeletedObjects | Restore-ADObject -Verbose
To restore a computer:
Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*' } -IncludeDeletedObjects | Restore-ADObject -Verbose
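The user, group and computer restores above, folded into one function with the checks a bare Restore-ADObject call does not make. This is an added example, not code from the original article; the function name Restore-ADDeletedAccount and its parameters are my own, and it assumes the ActiveDirectory module and an account allowed to restore objects (Domain Admins by default). Before restoring it verifies that the target container still exists and that no live object has reused the sAMAccountName since the deletion (either condition makes the restore fail), picks the most recent deletion if the account was deleted more than once, and logs the SID and group memberships that will come back with the object.

```powershell
Import-Module ActiveDirectory

function Restore-ADDeletedAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName of the deleted object; a computer's ends with '$' (e.g. 'PCCA-sdd9302$').
        # LDAP filter metacharacters are rejected rather than escaped, to keep the filter simple.
        [Parameter(Mandatory)]
        [ValidatePattern('^[^*()\\]+$')]
        [string]$SamAccountName,

        [ValidateSet('user', 'group', 'computer')]
        [string]$ObjectClass = 'user',

        # Optional DN of an OU to restore into instead of the object's LastKnownParent.
        [string]$TargetPath
    )

    # Computer objects are also of class 'user' in the AD schema, so exclude them explicitly.
    $classFilter = switch ($ObjectClass) {
        'user'     { '(&(objectClass=user)(!(objectClass=computer)))' }
        'group'    { '(objectClass=group)' }
        'computer' { '(objectClass=computer)' }
    }

    # Deleted objects are only returned when -IncludeDeletedObjects is given.
    $deleted = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)$classFilter(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, memberOf, whenDeleted, objectSid)
    if ($deleted.Count -eq 0) {
        throw "No deleted $ObjectClass '$SamAccountName' in the Recycle Bin (or it has already been recycled)."
    }
    # The same account may have been created and deleted more than once: take the most recent deletion.
    $obj = $deleted | Sort-Object whenDeleted -Descending | Select-Object -First 1

    # Restore-ADObject fails when the target container does not exist (e.g. its OU was deleted as well).
    $parent = if ($TargetPath) { $TargetPath } else { $obj.lastKnownParent }
    try { $null = Get-ADObject -Identity $parent -ErrorAction Stop }
    catch { throw "Container '$parent' does not exist. Restore it first, or pass -TargetPath." }

    # A live object that reuses the sAMAccountName makes the restore fail with a constraint violation.
    $live = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if ($live) {
        throw "'$SamAccountName' is already used by live object $($live.DistinguishedName); rename or remove it first."
    }

    # The restored principal keeps its SID and its group memberships: review them before going ahead.
    Write-Verbose ("{0} (SID {1}) deleted on {2}; member of: {3}" -f `
        $obj.DistinguishedName, $obj.objectSid, $obj.whenDeleted, ($obj.memberOf -join '; '))

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $parent")) {
        $restoreParams = @{ Identity = $obj.ObjectGUID; ErrorAction = 'Stop' }
        if ($TargetPath) { $restoreParams['TargetPath'] = $TargetPath }
        Restore-ADObject @restoreParams
        # Return the live object so the caller can confirm its container and memberships.
        return Get-ADObject -Identity $obj.ObjectGUID -Properties memberOf, whenChanged
    }
}

# Preview first (-WhatIf only reports what would be restored), then run for real.
Restore-ADDeletedAccount -SamAccountName jsanti -Verbose -WhatIf
Restore-ADDeletedAccount -SamAccountName 'PCCA-sdd9302$' -ObjectClass computer -Verbose
```

The -Verbose line is the part worth reading before you confirm: a restored account is a working principal again, with the same SID and whatever group memberships it held when it was deleted.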
How to restore a deleted organizational unit and its nested objects with PowerShell?
For example, the Protect object from accidental deletion option was disabled for an OU, and you accidentally deleted the OU with all its users, computers, and groups. The objects must be restored parent-first: Restore-ADObject fails for an object whose LastKnownParent container does not exist yet.
First of all, you need to restore the root organizational unit:
Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and Name -like '*California*'} -IncludeDeletedObjects | Restore-ADObject
Then restore the nested organizational units (repeat this step for each deeper level, since LastKnownParent only matches the direct children of the given OU):
Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} -IncludeDeletedObjects | Restore-ADObject
After that, restore all the deleted objects (users, computers, groups and contacts) whose LastKnownParent lies anywhere in the OU tree:
Get-ADObject -Filter {Deleted -eq $True} -IncludeDeletedObjects -Properties LastKnownParent | Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com' | Restore-ADObject
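The three steps above as one function that restores the whole subtree in the right order. This is an added example, not the article's code; the function name Restore-ADDeletedOUTree and the helper ConvertTo-LdapFilterValue are mine, and it assumes the ActiveDirectory module and the woshub.com forest used in the article. Unlike the step-by-step commands it handles OUs nested more than one level deep by sorting every deleted descendant by the depth of its original parent DN, skips objects that have already been recycled (those can no longer be restored), and reports per-object failures instead of stopping at the first one.

```powershell
Import-Module ActiveDirectory

# Escape the characters that are special inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Restore-ADDeletedOUTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Original DN of the deleted OU, e.g. 'OU=California,DC=woshub,DC=com'
        [Parameter(Mandatory)] [string]$OriginalDN
    )

    # Split off the first RDN (on an unescaped comma) to get the OU's name and its former parent.
    $rdn, $parentDN = $OriginalDN -split '(?<!\\),', 2
    $rdnValue = $rdn -replace '^OU=', ''

    # 1. The OU itself. A deleted object is renamed "<name>\0ADEL:<guid>", so match on
    #    msDS-LastKnownRDN and lastKnownParent rather than on Name. Recycled objects are excluded.
    $filter = '(&(isDeleted=TRUE)(!(isRecycled=TRUE))(objectClass=organizationalUnit)(msDS-LastKnownRDN={0})(lastKnownParent={1}))' -f `
        (ConvertTo-LdapFilterValue $rdnValue), (ConvertTo-LdapFilterValue $parentDN)
    $root = @(Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Properties lastKnownParent, whenDeleted) |
        Sort-Object whenDeleted -Descending | Select-Object -First 1
    if (-not $root) { throw "No deleted OU '$OriginalDN' found in the Recycle Bin." }

    # 2. Everything that lived anywhere below it. Children are deleted before their parent, so
    #    lastKnownParent holds each object's ORIGINAL parent DN; a suffix match finds all levels.
    $suffix = ',' + $OriginalDN
    $descendants = @(Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
            -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object {
            $_.lastKnownParent -and
            ($_.lastKnownParent -eq $OriginalDN -or
             $_.lastKnownParent.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase))
        })

    # 3. Parents before children: order by the depth of the original parent DN
    #    (number of RDNs, split on unescaped commas).
    $ordered = @($descendants | Sort-Object { ($_.lastKnownParent -split '(?<!\\),').Count })

    $results = foreach ($obj in (@($root) + $ordered)) {
        if (-not $PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) { continue }
        try {
            Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop
            [pscustomobject]@{ Object = $obj.DistinguishedName; Restored = $true; Error = $null }
        } catch {
            # Typical causes: parent still missing, or a live object now owns the same name.
            [pscustomobject]@{ Object = $obj.DistinguishedName; Restored = $false; Error = $_.Exception.Message }
        }
    }
    return $results
}

# Preview the restore order, then run it and review the per-object report.
Restore-ADDeletedOUTree -OriginalDN 'OU=California,DC=woshub,DC=com' -WhatIf
Restore-ADDeletedOUTree -OriginalDN 'OU=California,DC=woshub,DC=com' | Format-Table -AutoSize
```

Run it with -WhatIf first to see the order in which objects would come back; anything reported with Restored = $false after the real run usually needs the same manual attention as a single failed Restore-ADObject (a missing container or a name that has since been reused).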