If an object has been deleted in your Active Directory, and you want it recovered, there are a number of things you can do.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to to restore active directory objects/users.
In this context, we shall look into what happens to deleted Active Directory objects and what your options are when it comes to restoring them.
How to Restore Deleted Active Directory Objects/Users?
After removing any objects/users in Active Directory we can restore them using PowerShell and graphical tools.
Enabling Active Directory Recycle Bin ensures to keep all attributes and memberships while removing any object/user
Here the removal of an object is not done physically but shown as deleted and moved to a special Deleted Objects container.
Generally, we can restore a removed object within 180 days by default. And if the period is over, the object will be available in the Deleted Objects container.
How to enable Active Directory Recycle Bin ?
AD Recycle Bin is available in Active Directory starting from Windows Server 2008 R2 functional level.
In the older versions also we can restore with the help of some additional tools.
With the AD Recycle Bin, we will not lose object attributes and group membership.
Steps to follow are given below:
We must ensure that the Active Directory for PowerShell module is available before giving the following commands
1. First check the AD forest functional level:
Get-ADForest |Select-Object forestmode2. Then check whether AD Recycle Bin is enabled for our domain:
Get-ADOptionalFeature “Recycle Bin Feature” | select-object name,EnabledScopeWhen we see that the EnabledScope value is not empty, we can understand that Active Directory Recycle Bin is enabled.
3. To enable the Active Directory Recycle Bin, use the Enable-ADOptionalFeature cmdlet:
Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=ConfigurationDC=bob,DC=com’ –Scope ForestOrConfigurationSet –Target 'ibmimedia.com'How to restore Deleted Active Directory User Account ?
We can see how restoring deleted Active Directory Objects/Users with the help of AD Recycle Bin.
Steps to follow to delete an AD user and then restore it from the AD Recycle Bin is given below;
1. Firstly by using the Get-ADUser cmdlet, display the value of the IsDeleted attribute of a user (it is empty):
get-aduser jsanti -Properties *| Select-Object IsDeleted,whenDeleted2. Then remove the user account:
Remove-ADUser jsanti</code3. To find the user account in the AD Recycle Bin, we can use the Get-ADObject cmdlet with the IncludeDeletedObjects parameter:
Get-ADObject -Filter 'Name -like "*santi*"' –IncludeDeletedObjectsWe will be able to see the user in the Deleted Objects container.
4. Next we can check the value of the IsDeleted attribute;
Get-ADObject -Filter 'Name -like "*santi*"' –IncludeDeletedObjects -Properties *| select-object Name, sAMAccountName, LastKnownParent, memberOf, IsDeleted|flIn order to display a full list of objects available in the Active Directory Recycle Bin:
Get-ADObject –filter {Deleted -eq $True -and ObjectClass -eq "user"} –includeDeletedObjectsTo restore a user account, copy the ObjectGUID value, and run the following command:
Restore-ADObject -Identity ‘aa704b7f-b003-4a21-8f62-53c75caa67b2Or we can restore a user using its SAMAccountName:
Get-ADObject -Filter 'SAMAccountName -eq "jsanti"' –IncludeDeletedObjects | Restore-ADObjectWe can also restore the user account object from the graphical console of the Active Directory Administrative Center.
1. First run the dsac.exe
2. Then find the Deleted Objects container.
3. After that click the object we want to restore and select Restore.
In the same way, we can restore a deleted group, a computer, or a container in Active Directory.
1. Restoring security group:
Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*' } –IncludeDeletedObjects| Restore-ADObject –verbose2. To restore a computer:
Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*' } –IncludeDeletedObjects| Restore-ADObject –verbose3. Restore OU and Its Nested Objects Using PowerShell
i. First, we must restore the root OU:
Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and Name -like '*California*'} –IncludeDeletedObjects| Restore-ADObjectii. Then restore all nested OUs:
Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} –IncludeDeletedObjects| Restore-ADObjectAfter that, we can restore all deleted objects in the OUs using the LastKnownParent parameter (users, computers, groups and contacts):
Get-ADObject -Filter {Deleted -eq $True} –IncludeDeletedObjects -Properties *| Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com'| Restore-ADObject[Need assistance with Active Directory configuration tasks? We can help you!]
Conclusion
This article will put you through the steps to restore Deleted Active Directory Objects/Users. You can also right click on any unwanted change or object deletion in #Active #Directory and click “Rollback Change” to restore the change with a single-click.
Active Directory #Recycle Bin feature preserves all link valued and non link valued attributes. This means that a restored object will retain all it's settings when restored. By default, a deleted object can be restored within 180 days.
This article will put you through the steps to restore Deleted Active Directory Objects/Users. You can also right click on any unwanted change or object deletion in #Active #Directory and click “Rollback Change” to restore the change with a single-click.
Active Directory #Recycle Bin feature preserves all link valued and non link valued attributes. This means that a restored object will retain all it's settings when restored. By default, a deleted object can be restored within 180 days.
