Restoring Deleted Active Directory Objects/Users

After deleting any object in Active Directory (user, group, computer or OU), it can be restored. In this article we will show how to restore a deleted object in AD using PowerShell and graphical tools.

First, let’s see what happens when you delete an object from AD. The behavior of AD when deleting objects depends on whether the Active Directory Recycle Bin is enabled or not (it is disabled by default). In both cases the object is not physically deleted, but is marked as deleted (its isDeleted attribute becomes true) and moved to a special Deleted Objects container (it is not shown in the AD MMC snap-ins). However, if the AD Recycle Bin is enabled, all of the object’s attributes and group memberships are retained.

By default, you can restore an object for 180 days after it has been deleted (defined by the msDS-deletedObjectLifetime domain attribute). After that period the object remains in the Deleted Objects container, but most of its attributes and references are stripped (it becomes a recycled object). After the tombstoneLifetime period expires (by default it is also 180 days, but you can increase it), the object is completely removed from AD by the automatic garbage collection and cannot be restored (you can only recover such an object from a backup of an AD domain controller).

Active Directory Recycle Bin

The AD Recycle Bin is available in Active Directory at the Windows Server 2008 R2 forest functional level and higher. In earlier versions of Windows Server you can also restore AD objects, but this requires a complex set of actions with special tools: ntdsutil (an authoritative restore from an AD backup in Directory Services Restore Mode) or ldp.exe. In addition, with the AD Recycle Bin no object attributes or group memberships are lost.

Check the forest functional level (in my example it is Windows2016Forest):

Get-ADForest | Select-Object ForestMode


Make sure the AD Recycle Bin is enabled for your domain (it is disabled by default):

Get-ADOptionalFeature 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

If EnabledScopes is not empty, the Active Directory Recycle Bin is enabled for your domain.

To activate the Active Directory Recycle Bin, use the Enable-ADOptionalFeature command:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=woshub,DC=com' -Scope ForestOrConfigurationSet -Target 'woshub.com'

Note: the AD Recycle Bin must be enabled before an object is deleted from the domain. Once enabled, the Active Directory Recycle Bin cannot be disabled.
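The checks above (forest level, feature state, msDS-deletedObjectLifetime and tombstoneLifetime) combined into one report, as an added example that is not part of the original article; the function name is my own, and it assumes the ActiveDirectory module is installed and you have read access to the configuration partition:

```powershell
# Added example, not from the original article: report the forest functional level,
# whether the Recycle Bin feature is enabled, and how long deleted objects stay
# restorable. Function and variable names are my own.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    $forest  = Get-ADForest
    $rootDSE = Get-ADRootDSE

    # Both lifetimes are attributes of the Directory Service object in the
    # configuration partition (the same object the feature DN above lives under).
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDSE.configurationNamingContext)" `
                             -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }

    # An unset tombstoneLifetime means the built-in default of 60 days (forests
    # created before Windows Server 2003 SP1); newer forests have 180 set explicitly.
    $tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

    # An unset msDS-DeletedObjectLifetime means "same as tombstoneLifetime".
    $deletedDays = if ($dsObject.'msDS-DeletedObjectLifetime') {
        $dsObject.'msDS-DeletedObjectLifetime'
    } else { $tombstoneDays }

    [pscustomobject]@{
        Forest                = $forest.Name
        ForestMode            = $forest.ForestMode
        # The feature object carries the minimum forest level it needs (2008 R2).
        ForestLevelSufficient = [int]$forest.ForestMode -ge [int]$feature.RequiredForestMode
        RecycleBinEnabled     = $feature.EnabledScopes.Count -gt 0
        DeletedObjectLifetime = $deletedDays
        TombstoneLifetime     = $tombstoneDays
    }
}

Get-ADRecycleBinStatus
```

A RecycleBinEnabled value of False with ForestLevelSufficient True means the feature can be enabled with the Enable-ADOptionalFeature command above; DeletedObjectLifetime is the window (in days) during which Restore-ADObject still works.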

How can I restore a deleted user account in Active Directory?

Let’s try deleting an AD user and then recovering it from the AD Recycle Bin.

Use the Get-ADUser cmdlet to display the value of the user’s IsDeleted attribute (it is empty) :

Get-ADUser jsanti -Properties * | Select-Object IsDeleted, whenDeleted

Then delete the user’s account:

Remove-ADUser jsanti


To find a deleted user account in the AD Recycle Bin, use the Get-ADObject cmdlet with the IncludeDeletedObjects parameter:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects


As you can see, the user was found in the container with deleted items.

Check the value of the IsDeleted attribute, the container the user was in before deletion (LastKnownParent) and the list of groups the user was a member of:

Get-ADObject -Filter 'Name -like "*santi*"' -IncludeDeletedObjects -Properties * | Select-Object Name, sAMAccountName, LastKnownParent, memberOf, IsDeleted | Format-List


If you don’t remember the name of the deleted user, you can list all objects available in the Active Directory Recycle Bin:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'user'} -IncludeDeletedObjects

To restore the user account, copy the ObjectGUID value and execute the following command:

Restore-ADObject -Identity 'aa704b7f-b003-4a21-8f62-53c75caa67b2'

Or you can restore the user by its sAMAccountName:

Get-ADObject -Filter 'sAMAccountName -eq "jsanti"' -IncludeDeletedObjects | Restore-ADObject

Open the ADUC console (dsa.msc) and check that the user account has been restored to the OU where it was before it was deleted.

AD user restored with all attributes and group memberships

You can also restore a deleted user account object from the user interface of the Active Directory Administration Center.

  1. Run dsac.exe;
  2. Open the Deleted Objects container. It contains all deleted AD objects;
  3. Click the object you want to restore and select Restore (to restore it to its original container) or Restore To (to restore it to another AD organizational unit).

Restore the user from the container with deleted objects in Active Directory

In the same way, you can restore a deleted group, computer or container in Active Directory.

To restore a deleted security group:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*'} -IncludeDeletedObjects | Restore-ADObject -Verbose

To restore a deleted computer account:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*'} -IncludeDeletedObjects | Restore-ADObject -Verbose

How can I restore a deleted OU and its nested objects using PowerShell?

Suppose, for example, that the Protect object from accidental deletion option is disabled for an OU and someone accidentally deleted the OU together with all its users, computers and groups.

The first thing we have to do is restore the OU root:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalUnit' -and Name -like '*California*'} -IncludeDeletedObjects | Restore-ADObject

Then restore all the nested OUs:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalUnit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} -IncludeDeletedObjects | Restore-ADObject

You can then restore all deleted objects that were inside these OUs (users, computers, groups and contacts) using the LastKnownParent attribute:

Get-ADObject -Filter {Deleted -eq $True} -IncludeDeletedObjects -Properties * | Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com' | Restore-ADObject
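The three-step OU recovery above only handles one level of nested OUs and relies on the pipeline happening to return parents before children. As an added example that is not part of the original article, the following function generalizes it to an OU subtree of any depth by restoring objects in order of their original DN depth; the function and parameter names are my own, and 'California' and 'DC=woshub,DC=com' are the article's values:

```powershell
# Added example, not from the original article: restore a deleted OU and every
# object that was beneath it, parents before children, in one call. Function and
# parameter names are my own; 'California' and 'DC=woshub,DC=com' are the article's values.
Import-Module ActiveDirectory

function Restore-ADDeletedOUTree {
    param(
        [Parameter(Mandatory)][string]$OUName,    # e.g. 'California'
        [Parameter(Mandatory)][string]$DomainDN   # e.g. 'DC=woshub,DC=com'
    )
    $rootDN = "OU=$OUName,$DomainDN"

    # A deleted object's Name is mangled to '<name>\nDEL:<guid>', so match on the
    # part before the newline together with the parent it was deleted from.
    $root = Get-ADObject -Filter { Deleted -eq $true -and ObjectClass -eq 'organizationalUnit' } `
                -IncludeDeletedObjects -Properties LastKnownParent |
            Where-Object { $_.Name.Split("`n")[0] -eq $OUName -and $_.LastKnownParent -eq $DomainDN }
    if (-not $root)           { throw "No deleted OU '$OUName' under $DomainDN" }
    if (@($root).Count -gt 1) { throw "Several deleted OUs named '$OUName'; restore by ObjectGUID instead" }

    Restore-ADObject -Identity $root.ObjectGUID -Verbose

    # Every deleted object whose original parent was the OU itself or any OU below it.
    $descendants = Get-ADObject -Filter { Deleted -eq $true } -IncludeDeletedObjects -Properties LastKnownParent |
                   Where-Object { $_.LastKnownParent -eq $rootDN -or $_.LastKnownParent -like "*,$rootDN" }

    # Restore-ADObject fails when the parent container does not exist yet, so
    # restore shallower objects first: depth = number of RDNs in LastKnownParent.
    $descendants |
        Sort-Object { ($_.LastKnownParent -split '(?<!\\),').Count } |
        ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID -Verbose }
}

# Usage (the article's example OU):
# Restore-ADDeletedOUTree -OUName 'California' -DomainDN 'DC=woshub,DC=com'
```

Objects whose msDS-deletedObjectLifetime window has already passed are recycled rather than deleted and will not be returned by the Deleted filter, so anything missing after the run can only come from a backup.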
