
December 21, 2020 | Active Directory, PowerShell

Restoring Deleted Active Directory Objects/Users

After removing any object in Active Directory (a user, a group, a computer or an OU), you can restore it. In this article we’ll show how to restore a removed object in AD using PowerShell and graphical tools.

First of all, let’s see what happens when you delete an object from AD. The behavior depends on whether the Active Directory Recycle Bin is enabled or not (it is disabled by default). In both cases the object is not physically removed: it is only marked as deleted (the isDeleted attribute is set to true) and moved to the special Deleted Objects container, which is hidden from the AD MMC snap-ins. If the AD Recycle Bin is enabled, however, all of the object’s attributes and its group membership are preserved; without it, most attributes are stripped at deletion time.

By default, you can restore a removed object within 180 days (it is defined in the msDS-deletedObjectLifetime domain attribute). If the period is over, the object still remains in the Deleted Objects container, but most of its attributes and links are cleared (Recycled Object). After the tombstoneLifetime period (it is also 180 days by default, but you can increase it), the object is completely removed from AD during an automatic cleanup and cannot be restored (you can only restore such an object from an AD domain controller backup).

Contents:
  • Active Directory Recycle Bin
  • How to Restore a Deleted User Account in Active Directory?
  • How to Restore a Deleted OU and Its Nested Objects Using PowerShell?

Active Directory Recycle Bin

The AD Recycle Bin is available starting from the Windows Server 2008 R2 forest functional level. In earlier Windows Server versions you can also restore AD objects, but it requires a more involved set of actions with special tools: ntdsutil (up to an authoritative restore from an AD backup in Directory Services Restore Mode) or ldp.exe. With the AD Recycle Bin, on the other hand, you don’t lose the object’s attributes or group membership.

Check the AD forest functional level (in my example, it is Windows2016Forest):

Get-ADForest |Select-Object forestmode

This command and the following ones require the Active Directory module for Windows PowerShell to be installed.


Make sure that the AD Recycle Bin is enabled for your domain (it is disabled by default):

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScope

If the EnabledScope value is not empty, it means that the Active Directory Recycle Bin is enabled for your domain.


If you want to enable the Active Directory Recycle Bin, use the Enable-ADOptionalFeature cmdlet:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=woshub,DC=com' -Scope ForestOrConfigurationSet -Target 'woshub.com'

Note. The AD Recycle Bin must be enabled prior to removing an object from the domain. After enabling the Active Directory Recycle Bin feature, you cannot disable it.

How to Restore a Deleted User Account in Active Directory?

Let’s try to delete an AD user and then restore them from the AD Recycle Bin.

Using the Get-ADUser cmdlet, display the value of the IsDeleted attribute of a user (it is empty):

get-aduser jsanti -Properties *| Select-Object IsDeleted,whenDeleted

Then remove the user account:

Remove-ADUser jsanti


To find a removed user account in the AD Recycle Bin, use the Get-ADObject cmdlet with the IncludeDeletedObjects parameter:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects


As you can see, the user was found in the Deleted Objects container.

Check the value of the IsDeleted attribute, the container the user was located in prior to being removed (LastKnownParent) and the list of groups the user was a member of:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects -Properties * | Select-Object Name, sAMAccountName, LastKnownParent, memberOf, IsDeleted | fl


If you don’t remember the name of the user you have deleted, you can display a full list of objects available in the Active Directory Recycle Bin:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq "user"} -IncludeDeletedObjects
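As an added example that is not part of the original article, the script below extends this listing into a report that shows, for each deleted object of a given class, how many days remain in its restorable window, computed from the msDS-DeletedObjectLifetime and tombstoneLifetime values described at the start of the article. The Get-DeletedObjectReport function name and the use of whenChanged as the deletion timestamp are assumptions.

```powershell
# Added example, not from the original article: report every deleted object of one
# class in the AD Recycle Bin with the days left in its restorable window, read from
# msDS-DeletedObjectLifetime. Assumes the ActiveDirectory module and read rights.
Import-Module ActiveDirectory

function Get-DeletedObjectReport {
    param(
        [string]$ObjectClass = 'user'   # 'user', 'group', 'computer', 'organizationalUnit'
    )
    $root = Get-ADRootDSE
    # Both lifetimes live on the Directory Service object of the Configuration partition.
    $dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)" `
                 -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime'
    # An unset msDS-DeletedObjectLifetime falls back to tombstoneLifetime; an unset
    # tombstoneLifetime is treated here as the 180-day default of a current forest.
    $tombstone   = if ($dsCfg.tombstoneLifetime) { [int]$dsCfg.tombstoneLifetime } else { 180 }
    $deletedLife = if ($dsCfg.'msDS-DeletedObjectLifetime') { [int]$dsCfg.'msDS-DeletedObjectLifetime' } else { $tombstone }

    Get-ADObject -Filter { Deleted -eq $true -and ObjectClass -eq $ObjectClass } -IncludeDeletedObjects `
                 -Properties whenChanged,isRecycled,lastKnownParent,'msDS-LastKnownRDN' |
    ForEach-Object {
        # Assumption: deleting the object was its last change, so whenChanged is the deletion time.
        $ageDays = [int][math]::Floor(((Get-Date) - $_.whenChanged).TotalDays)
        [pscustomobject]@{
            Name            = $_.'msDS-LastKnownRDN'     # original RDN, without the \0ADEL suffix
            ObjectGUID      = $_.ObjectGUID              # what Restore-ADObject -Identity takes
            LastKnownParent = $_.lastKnownParent
            DeletedOn       = $_.whenChanged
            Restorable      = -not $_.isRecycled         # recycled objects need a DC backup
            DaysToRecycle   = if ($_.isRecycled) { 0 } else { [math]::Max(0, $deletedLife - $ageDays) }
        }
    }
}

Get-DeletedObjectReport -ObjectClass user | Sort-Object DaysToRecycle | Format-Table -AutoSize
```

Objects listed with Restorable set to False have already passed the deleted object lifetime and can only be recovered from a domain controller backup.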

To restore a user account, copy the ObjectGUID value and run the following command:

Restore-ADObject -Identity 'aa704b7f-b003-4a21-8f62-53c75caa67b2'

Or you can restore a user using its SAMAccountName:

Get-ADObject -Filter 'SAMAccountName -eq "jsanti"' -IncludeDeletedObjects | Restore-ADObject

Open the ADUC console (dsa.msc) and make sure that the user account has been restored in the same OU it was located prior to the removal.


You can also restore a deleted user account object from the graphical console of the Active Directory Administrative Center.

  1. Run dsac.exe;
  2. Open the Deleted Objects container. It contains all the deleted AD objects;
  3. Right-click the object you want to restore and select Restore (to restore it to its original container) or Restore To (to restore it to a different AD Organizational Unit).


In the same way, you can restore a deleted group, a computer or a container in Active Directory.

To restore a deleted security group:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*' } -IncludeDeletedObjects | Restore-ADObject -Verbose

To restore a computer:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*' } -IncludeDeletedObjects | Restore-ADObject -Verbose

How to Restore a Deleted OU and Its Nested Objects Using PowerShell?

For example, suppose the Protect object from accidental deletion option was disabled for an OU, and you have accidentally deleted that OU together with all of its users, computers and groups.


First of all, you must restore the root OU:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and Name -like '*California*'} -IncludeDeletedObjects | Restore-ADObject

Then restore all nested OUs:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} -IncludeDeletedObjects | Restore-ADObject

After that, you can restore all the deleted objects that lived in those OUs (users, computers, groups and contacts) by matching on their LastKnownParent attribute:

Get-ADObject -Filter {Deleted -eq $True} -IncludeDeletedObjects -Properties * | Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com' | Restore-ADObject
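The three steps above are one instance of a general rule: a deleted object can only be restored once its former parent exists again, so a subtree has to come back top-down. As an added example that is not from the article, the function below automates that walk for an OU of any depth, supports -WhatIf for a dry run, and skips objects that are already recycled. The Restore-ADDeletedSubtree name is an assumption, and it assumes the ActiveDirectory module, an enabled Recycle Bin, and RDN values without escaped characters.

```powershell
# Added example, not from the original article: restore a deleted OU and its whole
# subtree from the AD Recycle Bin, parents before children, previewable with -WhatIf.
# Assumes the ActiveDirectory module, Recycle Bin enabled, and rights to restore.
Import-Module ActiveDirectory

function Restore-ADDeletedSubtree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Name,      # RDN value of the OU, e.g. 'California'
        [Parameter(Mandatory)] [string]$ParentDN   # where it lived, e.g. 'DC=woshub,DC=com'
    )
    # One query for every deleted object; the tree is then walked in memory.
    $deleted = Get-ADObject -Filter { Deleted -eq $true } -IncludeDeletedObjects `
                   -Properties lastKnownParent,'msDS-LastKnownRDN',objectClass,isRecycled

    $root = $deleted | Where-Object {
        $_.objectClass -eq 'organizationalUnit' -and
        $_.'msDS-LastKnownRDN' -eq $Name -and $_.lastKnownParent -eq $ParentDN
    } | Select-Object -First 1
    if (-not $root) { throw "No deleted OU '$Name' under '$ParentDN' found in the Recycle Bin." }

    # Breadth-first queue: each entry is the object as it sits in Deleted Objects
    # plus the DN it will have again after the restore.
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Obj = $root; RestoredDN = "OU=$Name,$ParentDN" })
    $count = 0
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $obj  = $item.Obj
        if ($obj.isRecycled) {
            Write-Warning "$($obj.'msDS-LastKnownRDN') is already recycled; only a backup can bring it back."
            continue    # its children cannot be restored either, so do not enqueue them
        }
        if ($PSCmdlet.ShouldProcess($item.RestoredDN, 'Restore-ADObject')) {
            Restore-ADObject -Identity $obj.ObjectGUID
            $count++
        }
        # Children record their parent in lastKnownParent; depending on how the cascade
        # was recorded this is the parent's original DN or its Deleted Objects DN, so
        # both forms are matched here.
        $deleted | Where-Object {
            $_.lastKnownParent -eq $item.RestoredDN -or $_.lastKnownParent -eq $obj.DistinguishedName
        } | ForEach-Object {
            $rdnType = if ($_.objectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
            $queue.Enqueue(@{ Obj = $_; RestoredDN = "$rdnType=$($_.'msDS-LastKnownRDN'),$($item.RestoredDN)" })
        }
    }
    return $count   # number of objects actually restored (0 under -WhatIf)
}

# Preview first, then run again without -WhatIf:
Restore-ADDeletedSubtree -Name 'California' -ParentDN 'DC=woshub,DC=com' -WhatIf
```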
