A Step-By-Step Walkthrough to Restore Deleted Objects in Active Directory

How to Restore Deleted Active Directory Objects

There are a number of ways to recover deleted AD objects. This article walks through the methods of restoring deleted AD objects that use Microsoft's native tooling.

Enable Active Directory Recycle Bin

Enabling the Active Directory Recycle Bin gives you more leeway when it comes to restoring a deleted object. Best to enable it. Active Directory Recycle Bin can be activated only where all domain controllers are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2. Note: Enabling Active Directory Recycle Bin is irreversible.

Execute the following command (in the Active Directory module for Windows PowerShell, as a member of Enterprise Admins) to enable the Active Directory Recycle Bin, replacing the DC= components and the target with your own forest root domain:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'
If you are using Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can also use the Active Directory Administrative Center to enable the Recycle Bin.
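The command above enables the feature blindly. The script below is an added example (not from the original article) that first checks what a practitioner wants to know before flipping an irreversible switch: the forest functional level, whether the Recycle Bin is already enabled, and the tombstone and deleted-object lifetimes that decide how long a deleted object stays recoverable. It derives the feature's distinguished name from the forest's Configuration partition instead of hard-coding the DC= components, and only then calls Enable-ADOptionalFeature with a confirmation prompt. It assumes the ActiveDirectory PowerShell module and Enterprise Admins rights.

```powershell
# Added example (not from the original article): check Recycle Bin prerequisites,
# report deleted-object lifetimes, then enable the feature after confirmation.
# Assumes the ActiveDirectory module and Enterprise Admins rights in the forest.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# The optional feature lives under the forest's Configuration partition.
$featureDn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$feature   = Get-ADOptionalFeature -Identity $featureDn

# tombstoneLifetime / msDS-DeletedObjectLifetime bound how long a deleted object can still be restored.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

Write-Host "Forest:                     $($forest.Name)"
Write-Host "Forest functional level:    $($forest.ForestMode)"
Write-Host "Recycle Bin enabled:        $($feature.EnabledScopes.Count -gt 0)"
Write-Host "tombstoneLifetime:          $($dsConfig.tombstoneLifetime) (blank = default of 180 days on forests created since Windows Server 2003 SP1)"
Write-Host "msDS-DeletedObjectLifetime: $($dsConfig.'msDS-DeletedObjectLifetime') (blank = same as tombstoneLifetime)"

# The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or higher;
# ForestMode is an enum, so the string on the right is converted before the comparison.
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    Write-Warning "Forest functional level $($forest.ForestMode) is too low; raise it before enabling the Recycle Bin."
    return
}

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Nothing to do: already enabled in scope(s): $($feature.EnabledScopes -join ', ')"
    return
}

# Enabling is irreversible. Enable-ADOptionalFeature prompts by default; -Confirm:$false would suppress that.
Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm
```

One caveat worth reading off the output before confirming: objects deleted before the Recycle Bin is enabled are already tombstones, and enabling the feature turns existing tombstones into recycled objects that can no longer be restored, so restore anything you still need first. Run the script on any domain controller or management host with RSAT; the lifetime values are reported in days.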

Native Restoration of Deleted Objects

Reanimating deleted objects in Active Directory can be done using several methods. The following are some of the most commonly used native methods for restoring deleted objects in the Active Directory.

Test Case

In this scenario, a user (“testuser3”) has been deleted from Active Directory. You can use the following methods to restore a deleted object:
  1. Using PowerShell commands

  2. Using LDP utility

  3. Using Administrative Center

Using PowerShell Commands

Perform the following steps:
  1. Execute the following command in the Active Directory Module for Windows PowerShell and press “Enter”. It lists the objects that have been deleted (a deleted object keeps its original name in the msDS-LastKnownRDN attribute):
     Get-ADObject -LDAPFilter "(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
  2. Copy the displayed value of “DistinguishedName” (you get the name of the deleted user or users from this list), for example:
     DistinguishedName: CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec-90347ad708cb,CN=Deleted Objects,DC=www,DC=domain,DC=com
  3. Execute the command given below in Windows PowerShell to restore the deleted object:
     Get-ADObject -Filter {displayName -eq "testuser3"} -IncludeDeletedObjects | Restore-ADObject
The object is retrieved from the “Deleted Objects” container and restored to its previous location in Active Directory.
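The two-command sequence above works when exactly one deleted object carries the name and its original container still exists. The script below is an added example (not from the original article) that handles the cases a practitioner actually runs into: it matches on msDS-LastKnownRDN (the filter the article uses) rather than displayName, refuses to restore blindly when the same name was deleted more than once, checks whether lastKnownParent still exists, and falls back to an explicit -TargetPath when it does not. “testuser3” and the fallback OU are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original article): find a deleted user by its last-known
# RDN, show where it lived, restore it, and fall back to an explicit OU if the
# original parent container is gone. Name and fallback OU are placeholders.
Import-Module ActiveDirectory

$name       = 'testuser3'                          # name of the deleted account (placeholder)
$fallbackOu = 'OU=Users,DC=www,DC=domain,DC=com'   # hypothetical OU, used only if lastKnownParent no longer exists

# Deleted objects keep their original RDN in msDS-LastKnownRDN; the CN itself is rewritten to "name\0ADEL:<guid>".
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$name))" `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, objectClass, 'msDS-LastKnownRDN'

if (-not $deleted) {
    throw "No deleted object named '$name' found in the Deleted Objects container."
}

# Several matches mean the same name was deleted more than once (or re-created and deleted again).
# whenChanged is the deletion time; list the candidates instead of restoring the wrong one.
if (@($deleted).Count -gt 1) {
    $deleted | Select-Object DistinguishedName, whenChanged, lastKnownParent | Format-Table -AutoSize
    throw "Several deleted objects match '$name'; restore the right one by DistinguishedName."
}

Write-Host "Found:       $($deleted.DistinguishedName)"
Write-Host "Deleted on:  $($deleted.whenChanged)"
Write-Host "Last parent: $($deleted.lastKnownParent)"

# Restore-ADObject puts the object back under lastKnownParent. If that container was deleted as well,
# either restore the container first or supply -TargetPath; here we fall back to a known OU.
$parentExists = $false
try {
    $null = Get-ADObject -Identity $deleted.lastKnownParent -ErrorAction Stop
    $parentExists = $true
} catch {
    Write-Warning "Parent $($deleted.lastKnownParent) no longer exists; restoring into $fallbackOu instead."
}

if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
} else {
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallbackOu
}

# Verify the result. With the Recycle Bin enabled the account returns with its attributes and group
# memberships; without it only the tombstone subset (SID, sAMAccountName and a few others) survives.
Get-ADUser -Identity $deleted.ObjectGUID -Properties MemberOf |
    Select-Object Name, DistinguishedName, Enabled, @{ n = 'Groups'; e = { @($_.MemberOf).Count } }
```

The objectGUID is used as the identity for Restore-ADObject and the final Get-ADUser because it is the one identifier that does not change between the deleted and the restored state; the distinguished name is rewritten on both sides. A Groups count of 0 after a restore on a forest without the Recycle Bin is expected, and is the concrete reason the article recommends enabling it.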

Using LDP Utility

Perform the following steps:
  1. In the Start menu or at the “Command Prompt”, type “ldp.exe” and press the “Enter” key to start the ldp.exe utility.
  2. Select “Connect” from the “Connection” menu to open the “Connect” dialog box. Enter the domain name and the default port number, 389.
  3. Click “OK” to establish the connection.
  4. Click “Bind” in the “Connection” menu to open the “Bind” dialog box. Select “Bind as currently logged on user” and click “OK”.
  5. Click “Controls” in the “Options” menu to open the controls dialog box.
  6. Select “Return Deleted objects” from the “Load Predefined” drop-down list so that deleted objects are returned.
  7. Click “OK.”
  8. Click “Tree” on the “View” menu to open the “Tree View”. Enter the distinguished name of the Deleted Objects container:
     CN=Deleted Objects,DC=www,DC=domain,DC=com
  9. Click “OK” to view the deleted objects.
  10. Right-click the user and click the “Modify” command to open the modify dialog box.
  11. In “Edit Entry Attribute”, type “isDeleted”.
  12. Select the “Delete” operation and click “Enter”.
  13. In the “Edit Entry Attribute” text box type “distinguishedName”, and in the values box enter the distinguished name the object should have after the restore. Select “Replace” under “Operation” and click “Enter”.
  14. Make sure that the “Extended” checkbox is selected before running the modification.
With this method the object can be restored to the root of the domain but cannot be restored directly to its parent Organizational Unit. After recovering the object, you have to move it to its parent container manually.

Using Administrative Center

Follow the steps given below to recover deleted objects in Windows Server 2012 and Windows Server 2012 R2:
  1. Navigate to Start and type dsac.exe to open the “Active Directory Administrative Center”.
  2. In the left pane, click the domain name and select the “Deleted Objects” container.
  3. Right-click the deleted object in the container and click “Restore” to restore it (or “Restore To” to choose a different container).
However, the native tools do come with their own pitfalls.

Drawbacks of native Active Directory tools

Microsoft provides native solutions to back up and restore domain controllers in case they crash. However, when it comes to object restoration, there are some things that Microsoft’s native backup and recovery tools just can’t do. Here’s a look at the main shortcomings of these tools:
  1. The native backup and recovery tools from Microsoft can’t roll back individual attribute-level changes.
  2. They can’t back up all versions of objects; only the last change before the backup is stored.
  3. These tools completely back up AD after every change, which increases the storage required for backups and the cost to maintain security.
  4. Restorations done using native tools require a domain-wide restart, which hinders your organization’s productivity.
