
April 8, 2025

Restore Deleted Objects (Users) in Active Directory

When you delete an object in Active Directory (a user, group, computer, or OU), it is not permanently removed right away. For 180 days, the deleted object can be recovered with graphical tools or with PowerShell/console commands.

Contents:
  • Active Directory Recycle Bin on Windows Server
  • How to Restore a Deleted User with AD Recycle Bin
  • Restore Deleted Objects without AD Recycle Bin

When an object is deleted from Active Directory, it is not physically removed from the database. Instead, it is marked as logically deleted (the isDeleted attribute value changes to true). A deleted AD object can be restored within 180 days (the default value set in the msDS-deletedObjectLifetime domain attribute).

Before attempting to restore an accidentally deleted object, check whether the Active Directory Recycle Bin is enabled or disabled in the domain. Your next steps will depend on this.

Active Directory Recycle Bin on Windows Server

The Active Directory Recycle Bin is available starting from the Windows Server 2008 R2 forest functional level. This Recycle Bin for deleted objects makes it much easier to restore objects in AD without losing attributes and group memberships.

By default, a removed object can be restored within 180 days (it is defined in the msDS-deletedObjectLifetime domain attribute). When this period expires, the object remains in the Deleted Objects container, but most of its attributes and links are cleared (Recycled Object). After the tombstoneLifetime period expires (also 180 days by default, but it can be increased), the object is completely removed from AD by an automatic cleanup task and cannot be restored (such objects can only be recovered from an AD domain controller backup).
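As an added example (not part of the original article), the following PowerShell reads the two lifetime values from the forest's Directory Service object instead of assuming 180 days, and lists every deleted object with the days left before it is recycled; the function name, the output columns and the use of whenChanged as the deletion time are my own assumptions.

```powershell
# Added example (not from the article): list deleted objects with the days left in their
# recovery window, using the forest's own lifetime settings instead of assuming 180.
Import-Module ActiveDirectory

function Get-ADDeletedObjectStatus {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime, msDS-DeletedObjectLifetime
    # An unset tombstoneLifetime means the legacy default of 60 days (forests created with
    # Windows Server 2003 SP1 or later get 180 written explicitly); an unset
    # msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
    $tombstone   = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }
    $deletedLife = if ($dsSettings.'msDS-DeletedObjectLifetime') { $dsSettings.'msDS-DeletedObjectLifetime' } else { $tombstone }

    $now = Get-Date
    Get-ADObject -Filter { Deleted -eq $true } -IncludeDeletedObjects `
        -Properties whenChanged, isRecycled, LastKnownParent |
        Where-Object { $_.Name -ne 'Deleted Objects' } |   # the container itself is also flagged deleted
        ForEach-Object {
            # AD keeps no dedicated deletion timestamp; whenChanged is rewritten by the delete,
            # so it is used here as an approximation of the deletion time.
            $age = ($now - $_.whenChanged).Days
            [PSCustomObject]@{
                Name            = $_.Name.Split("`n")[0]   # strip the LF + 'DEL:<guid>' suffix
                ObjectClass     = $_.ObjectClass
                LastKnownParent = $_.LastKnownParent
                DaysDeleted     = $age
                State           = if ($_.isRecycled) { 'Recycled (backup only)' } else { 'Restorable' }
                DaysLeft        = if ($_.isRecycled) { $null } else { $deletedLife - $age }
            }
        } | Sort-Object DaysLeft
}

Get-ADDeletedObjectStatus | Format-Table -AutoSize
```

Objects with a small DaysLeft value are the ones to restore first; recycled objects are listed only so that you know a backup is the remaining option for them.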

Use PowerShell to verify that the Recycle Bin is enabled in your AD forest (the AD Recycle Bin is disabled by default and can only be enabled manually by the enterprise administrators).

Make sure that the forest functional level is not lower than Windows2008R2Forest:

Get-ADForest | Select-Object ForestMode


This and the following cmdlets require the Active Directory PowerShell module to be installed.

Check whether the AD Recycle Bin is enabled in the forest:

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes

  • If the EnabledScopes value is not empty, the Active Directory Recycle Bin is already enabled in your domain. In this case, go to the section of this article that describes how to restore deleted items from the AD Recycle Bin.
  • If the Recycle Bin is disabled, you must follow the instructions in the Restore Deleted Objects without AD Recycle Bin section.

It’s important to understand that you should not enable the AD Recycle Bin after accidentally deleting an AD user, for example. This will only make things worse, as enabling the Recycle Bin is a one-time, irreversible (!!) change to the AD schema that will erase all previously deleted objects. Once enabled, the Active Directory Recycle Bin cannot be disabled.


Therefore, you should not enable the Recycle Bin until you’re certain that none of the previously deleted AD objects need to be restored.

To enable the Active Directory Recycle Bin, use the Enable-ADOptionalFeature cmdlet:

Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "woshub.com"

Or, more easily, use the Active Directory Administrative Center graphical console (dsac.exe). Launch the ADAC console, connect to the root domain, click on the domain name, and select Enable Recycle Bin.


How to Restore a Deleted User with AD Recycle Bin

Let’s look at a simple example of how to restore a deleted object using the Active Directory Recycle Bin: we will delete a user account and then restore it from the AD Recycle Bin.

Once the AD Recycle Bin is enabled, all deleted objects are moved to a special hidden container, Deleted Objects. Find this container in the Active Directory Administrative Center console (dsac.exe).


All deleted objects are displayed here, including users, computers, contacts, groups, and OUs. Deletion date and original OU (last known parent) are also listed.

To restore an object, right-click on it and choose Restore (to restore to the original OU) or Restore to (to restore it to an arbitrary AD container).


When a deleted user is restored from the Recycle Bin, most of the object’s attribute values and its AD group memberships are also restored.

Use the Get-ADUser cmdlet to display the value of the IsDeleted attribute of a user (it is empty for an existing account):

Get-ADUser jsanti -Properties * | Select-Object IsDeleted, whenDeleted

Then, remove the user account:

Remove-ADUser jsanti


To find a deleted user account in the AD Recycle Bin, use the Get-ADObject cmdlet with the IncludeDeletedObjects parameter:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects


As you can see, the user was found in the Deleted Objects container.

Check the value of the IsDeleted attribute, the container where the user was located before deletion (LastKnownParent), and the list of groups the user was a member of:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects -Properties * | Select-Object Name, sAMAccountName, LastKnownParent, memberOf, IsDeleted | Format-List


If you don’t remember the exact name of the removed user, you can view a complete list of deleted objects in the Active Directory Recycle Bin:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq "user"} -IncludeDeletedObjects

Copy the ObjectGUID value and run the following command to restore the deleted user account:

Restore-ADObject -Identity 'aa704b7f-b003-4a21-8f62-53c75caa67b2'

Or restore a user by its SAMAccountName:

Get-ADObject -Filter 'SAMAccountName -eq "jsanti"' -IncludeDeletedObjects | Restore-ADObject

Open the ADUC console (dsa.msc) and confirm that the user account has been restored to the same container (OU) it was located in prior to deletion. The user account will be disabled after the restore operation is complete. Enable the AD account and reset the password before giving it to the user.


In the same way, you can restore a deleted group, a computer or a container in Active Directory.

To restore a deleted security group:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*' } -IncludeDeletedObjects | Restore-ADObject -Verbose

To restore a computer account:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*' } -IncludeDeletedObjects | Restore-ADObject -Verbose

Let’s consider another scenario. Suppose you accidentally deleted an OU with all its nested users, computers, and groups because the Protect object from accidental deletion option was disabled for that OU.


The AD Recycle Bin cannot restore an object together with its whole hierarchy in a single step. Restore a deleted OU and all its nested objects using PowerShell, parents first.

  1. First, restore the root OU:
     Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and Name -like '*California*'} -IncludeDeletedObjects | Restore-ADObject
  2. Then, restore all nested OUs:
     Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} -IncludeDeletedObjects | Restore-ADObject
  3. Now recover all deleted objects in these OUs by the LastKnownParent attribute (users, computers, groups, contacts):
     Get-ADObject -Filter {Deleted -eq $True} -IncludeDeletedObjects -Properties * | Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com' | Restore-ADObject
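The three steps above as one added PowerShell script (not the article's own code): it restores the named OU and then walks its former subtree breadth-first, so every container exists again before its children are restored, and, unlike step 2, which only reaches OUs directly under the root, it handles any nesting depth. The function name, the exact-name match on the root OU and the -WhatIf dry run are assumptions.

```powershell
# Added example (not the article's own script): restore a deleted OU subtree
# from the AD Recycle Bin, parents before children, in one pass.
Import-Module ActiveDirectory

function Restore-ADDeletedSubtree {
    param(
        [Parameter(Mandatory)][string]$RootName,   # assumed OU name, e.g. 'California'
        [switch]$WhatIf
    )
    # One query for every deleted object, then index them by the parent each one lived in.
    $deleted = Get-ADObject -Filter { Deleted -eq $true } -IncludeDeletedObjects `
        -Properties LastKnownParent, isRecycled
    $byParent = $deleted | Where-Object LastKnownParent |
        Group-Object -Property LastKnownParent -AsHashTable -AsString

    # A deleted RDN is '<name>' + LF + 'DEL:<guid>' (shown as \0ADEL: in DN form);
    # strip the suffix to rebuild the DN the object had before deletion.
    function Get-OriginalDN($obj, $parentDN) {
        $rdn    = $obj.Name.Split("`n")[0]
        $prefix = if ($obj.ObjectClass -eq 'organizationalUnit') { 'OU=' } else { 'CN=' }
        return "$prefix$rdn,$parentDN"    # names containing commas would need RDN escaping
    }

    $roots = @($deleted | Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.Name.Split("`n")[0] -eq $RootName })
    if ($roots.Count -ne 1) { throw "Expected one deleted OU named '$RootName', found $($roots.Count)" }

    # Breadth-first: each container is restored before its children are even looked at,
    # so every child's LastKnownParent exists again by the time Restore-ADObject runs.
    $queue = [System.Collections.Generic.Queue[hashtable]]::new()
    $queue.Enqueue(@{ Object = $roots[0]; ParentDN = $roots[0].LastKnownParent })
    $restored = 0
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($item.Object.isRecycled) {
            Write-Warning "$($item.Object.Name) is recycled; only a backup can bring it back"
            continue
        }
        Restore-ADObject -Identity $item.Object.ObjectGUID -WhatIf:$WhatIf
        $restored++
        $dn = Get-OriginalDN $item.Object $item.ParentDN
        if ($byParent.ContainsKey($dn)) {
            foreach ($child in $byParent[$dn]) { $queue.Enqueue(@{ Object = $child; ParentDN = $dn }) }
        }
    }
    return $restored
}

Restore-ADDeletedSubtree -RootName 'California' -WhatIf   # drop -WhatIf to actually restore
```

Run it with -WhatIf first and compare the count of objects it would restore with what the Deleted Objects container shows in ADAC before performing the real restore.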

Restore Deleted Objects without AD Recycle Bin

If the Active Directory Recycle Bin is disabled in your forest, you can restore deleted objects using the ldp.exe utility (a simple but cumbersome method) or the official AdRestore tool from Microsoft Sysinternals, which is a faster and more user-friendly option.

  1. Download the AdRestore archive (https://learn.microsoft.com/en-us/sysinternals/downloads/adrestore) and extract it on the domain controller.
  2. Open an elevated command prompt and list the deleted objects in the domain:
     .\adrestore64.exe
  3. To get information about a specific removed user, enter the user’s name:
     .\adrestore64.exe "Anton Grey"
  4. To restore an object, copy its GUID and run the command:
     .\adrestore64.exe -r GUID
  5. Confirm the object restore: y
  6. Verify that the user has been restored to the source OU:
     Get-ADUser -Filter {cn -eq "Anton Grey"}
  7. After restoring, the user account is disabled, and the password is not set. You must reset the user’s password and enable the account:
     Set-ADAccountPassword agrey -Reset
     Get-ADUser agrey | Enable-ADAccount

When using this method of restoring objects (as opposed to restoring from the AD Recycle Bin), most user attribute values, including group memberships, are lost. Only basic attributes such as the GUID, SID, and CN remain.

If you need to restore a deleted object with all its attributes, a more complex AD backup restore procedure is required. To restore an object authoritatively from an AD domain controller system state backup, use the ntdsutil tool.

Recovering accidentally deleted accounts in AD is much easier with a Recycle Bin. However, the AD Recycle Bin does not replace the need for a full AD backup.
