Restore AD Objects

Restore AD Objects KB ID 0000096

Problem

Ever since we had Server 2008 R2 we have had the AD recycle bin (which is not enabled by default). Even if you have not enabled the AD Recycle bin, when objects are deleted from AD they are not completely ‘deleted‘ they are simply tombstoned, and they can be restored (for 180 days).

Note: Those object’s when restored WILL lose some of their attributes though!

CAN I RESTORE AD OBJECTS IF I DON’T HAVE THE AD RECYCLE BIN ENABLED?

Yes, but there are some limitations, (if you’re not sure if you have the AD Recycle Bin enabled/disabled scroll down to find out).

1. Items restored need their group membership and other attributes i.e. profile paths etc re-creating

2. If you restore an OU and users that were in that OU then you need to locate the users and move them back into the OU. (though if you deleted an OU with multiple users in it you should be doing an authoritative restore anyway)

Just so we are clear – this is just a “Quick and Dirty” method of getting an object back into AD. It works by locating items that have been “tombstoned” and restoring them. The important part is the user is restored with the same GUID in active directory, so all the permissions assigned to that user are restored. You can do this either by PowerShell or by using ADRestore.exe

WARNING: Enabling the AD Recycle Bin WILL NOT help you restore items that were deleted before you enabled the AD Recycle Bin. In fact, it may even purge all the tombstoned items in AD which is the OPPOSITE of what you might want to do.

Restore AD Objects: Solution

Using Powershell to Restore AD Objects

To demonstrate I’ve created a user ‘Harry Smith’ let’s have a look at some of his user attributes.

Get-ADUser harry.smith | Select-Object SamAccountName, UserPrincipalName, GivenName, Surname, Name, ObjectGuid, SID

Either take a mental note or dump that info into Notepad. Then I’m going to delete Harry.

Remove-ADUser harry.smith

Now let’s ensure we can still see the tombstoned user.

Get-ADObject -Filter 'SAMAccountName -eq "Harry.Smith"' -IncludeDeletedObjects

This will give us the users GUID so we can use that to recover the user object.

Restore-ADObject -Identity f1edc6d8-46b8-409e-ba74-0cf4444acc95 -NewName Harry.Smith

So now if we look at those user attributes again you can see the users GiveName and Surname are empty.

Other things like group membership will also be missing, the user themselves will be disabled, and if we try and enable them this happens (because the password field is also blank).

Using ADRestore.exe to Restore AD Objects

1. Here’s our user.

2. And now someone’s accidentally deleted him!

3. So we’ve downloaded ADRestore.exe and dropped in on the C: drive on the domain controller.

4. From command line simply navigate to the C: drive and issue an “adrestore-r” command.

5. Agree

6. We only have one object here you might have to press (n) for no a few times on other deleted items, We only have one so press (y) for yes.

7. Same again.

8. Here’s our user, notice they are disabled, if you try and enable them…….

9. You will get this error, reset the users password then you can enable them, you will also need to add them back into the correct groups, set up profiles and reconnect mailbox’s etc.

Restore AD Objects: Is AD Recycle Bin Enabled?

Use the following command to find out;

Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes

If it looks like this, then it is NOT ENABLED.

If it looks like this, then it IS ENABLED.

Enable AD Recycle Bin

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target pnl.com