A Guide To Restore Deleted Objects In Active Directory - Lepide

What happens to a Deleted Active Directory Object?

The following table compares the lifecycle of a deleted object before and after enabling the “Active Directory Recycle Bin”:

| BEFORE (Recycle Bin not enabled) | AFTER (Recycle Bin enabled) |
|---|---|
| The deleted object enters a “tombstone” state. | The deleted object enters a “logically deleted” state. |
| The “IsDeleted” attribute is changed to TRUE. | The “IsDeleted” attribute is changed to TRUE. The value of “WhenDeleted” is changed to “Time Changed”. A unique value is assigned to the Windows security descriptor. The RDN is changed to an impossible value. |
| The object is moved to the “Deleted Objects” container (CN=Deleted Objects). | The object is moved to the “Deleted Objects” container (CN=Deleted Objects). |
| The object remains in the “tombstone” state for 180 days on Windows Server 2003 SP1/2008 and for 60 days on Windows Server 2000/2003. | The object remains in the “logically deleted” state for a period of 60 to 180 days on Windows Server 2008 R2. |
| In the tombstone state, most of the link-valued and non-linked attributes are stripped off. The following attributes are not stripped off: Object-GUID, Object-SID, Object-Dist-Name, USN. | As soon as an object enters the “logically deleted” state, all of the object’s link-valued and non-linked attributes are preserved by the system. |
| A process called the “garbage collector” removes the object from the database after the tombstone state expires. | The object moves to the “recycled” state, where it remains for another 60 to 180 days. |
| The object is completely erased. | Most of the attributes are erased. |
| The object cannot be recovered. | After the recycled state expires, the garbage collection process starts and removes the object from the database. The object cannot be recovered. |
| Here the administrator has to use an authoritative restore to recover the deleted objects. | The administrator can use PowerShell commands, LDP.exe, or the AD Administrative Center to restore deleted objects. |
Table 1: Comparing the stages of deleted objects before and after enabling the Active Directory Recycle Bin
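The PowerShell route mentioned in the last row of Table 1, written out as an added example (this is not code from the Lepide article). It checks whether the Recycle Bin is enabled, lists what is sitting in CN=Deleted Objects with the attributes the table discusses, and restores one logically deleted user. It assumes the RSAT ActiveDirectory module, a reachable domain controller, and rights to read and restore deleted objects; the user name "jdoe" is a constructed placeholder.

```powershell
# Added example, not from the Lepide article: inspect the deleted-object
# lifecycle from Table 1 and restore a logically deleted object.
# Assumes the ActiveDirectory module and restore rights; "jdoe" is a placeholder.
Import-Module ActiveDirectory

# 1. Is the AD Recycle Bin enabled? An empty EnabledScopes means the forest is in
#    the "BEFORE" column: deletions become tombstones and lose most attributes.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$recycleBinEnabled = ($rb.EnabledScopes.Count -gt 0)
"Recycle Bin enabled: $recycleBinEnabled"

# 2. Enumerate deleted objects. Without -IncludeDeletedObjects the query never
#    sees CN=Deleted Objects. The container itself also has isDeleted=TRUE, so
#    it is filtered out by name.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects `
    -Properties isDeleted, isRecycled, whenChanged, lastKnownParent, objectSid, objectGUID

# isRecycled is only set once the object has left the "logically deleted" state;
# a recycled object is stripped and can no longer be restored this way.
$deleted | Select-Object Name, ObjectClass, isRecycled, whenChanged, lastKnownParent |
    Format-Table -AutoSize

# 3. Pick a logically deleted (not yet recycled) user by its original name.
#    The RDN of a deleted object is rewritten to "<name>\0ADEL:<guid>", which is
#    the "impossible value" in Table 1, so match on the prefix, not the full name.
$target = $deleted | Where-Object {
    $_.ObjectClass -eq 'user' -and $_.Name -like 'jdoe*' -and -not $_.isRecycled
} | Select-Object -First 1

if ($null -eq $target) {
    Write-Warning 'No restorable (logically deleted) object named jdoe was found.'
} elseif (-not $recycleBinEnabled) {
    # Restore-ADObject still works on a plain tombstone, but only the attributes
    # kept in the tombstone (objectGUID, objectSid, ...) come back; group
    # memberships and most other values are gone. Use an authoritative restore.
    Write-Warning 'Recycle Bin is disabled: tombstone reanimation returns a stripped object.'
} else {
    # 4. Put the object back in the OU it was deleted from (lastKnownParent).
    #    Add -WhatIf to preview the change before running it for real.
    Restore-ADObject -Identity $target.ObjectGUID -TargetPath $target.lastKnownParent -Confirm:$false

    # 5. Confirm the linked attributes (memberOf) survived, as the "AFTER" column promises.
    Get-ADUser -Identity $target.ObjectGUID -Properties memberOf |
        Select-Object SamAccountName, DistinguishedName, Enabled, memberOf
}
```

The `isRecycled` check is the important one in practice: an object that shows `isRecycled` TRUE has already moved to the second stage of the "AFTER" column and `Restore-ADObject` will fail on it, so the restore window is the deleted object lifetime, not the full lifetime plus the recycled period.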

Default Tombstone Lifetime and How to Change It

The tombstone lifetime is 60 days for Windows Server 2000/2003 and 180 days for Windows Server 2003 SP1/2008 (in later versions it can be modified using the ADSI Edit tool).

Perform the following steps to check and modify the tombstone lifetime period.

  1. Open the ADSI Edit console.
  2. Connect to the “Configuration” partition.
  3. Navigate to “CN=Configuration, DC=www, DC=domain, DC=com” → “CN=Services”, and expand “CN=Windows NT”.
  4. Right-click “CN=Directory Service” and click “Properties” in the context menu.
  5. In the “Properties” dialog box, look for the “msDS-deletedObjectLifetime” attribute. It shows the default tombstone lifecycle in days.
    Figure: Tombstone Lifetime Edit
  6. Select the “tombstoneLifetime” attribute and click “Edit” to change its value.
  7. You can scroll down to the “tombstoneLifetime” attribute and perform the same steps to change its value.
    Figure: Change Tombstone Lifetime
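The same check and change done from PowerShell instead of clicking through ADSI Edit, as an added example that is not part of the Lepide article. It reads both lifetime attributes from the “CN=Directory Service” object the steps above navigate to, then writes a new value with `Set-ADObject`. It assumes the ActiveDirectory module and Enterprise Admin rights; the 365-day value is an illustrative choice, not a recommendation from the article.

```powershell
# Added example, not from the Lepide article: read and change the tombstone and
# deleted-object lifetimes that steps 1-7 edit by hand in ADSI Edit.
# Assumes the ActiveDirectory module and Enterprise Admin rights; 365 is illustrative.
Import-Module ActiveDirectory

# The Directory Service object lives in the Configuration partition at
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$ds = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# A missing attribute means the forest still runs on the built-in default, which
# the article gives as 60 days (Windows Server 2000/2003) or 180 days (2003 SP1/2008).
# An unset msDS-DeletedObjectLifetime follows whatever tombstoneLifetime resolves to.
$tsl = if ($null -ne $ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { '(not set: default applies)' }
$dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { '(not set: follows tombstoneLifetime)' }
"tombstoneLifetime          : $tsl"
"msDS-DeletedObjectLifetime : $dol"

# Write both attributes. -Replace sets the value whether or not the attribute
# currently exists on the object. Add -WhatIf to preview before committing.
$newLifetime = 365
Set-ADObject -Identity $dsDN -Replace @{
    tombstoneLifetime            = $newLifetime
    'msDS-DeletedObjectLifetime' = $newLifetime
}

# Re-read to confirm the write; the new window applies on the next garbage-collection pass.
Get-ADObject -Identity $dsDN -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'
```

Lengthening the lifetime widens the window in which a deleted object can still be recovered and in which a backup remains usable for a restore; shortening it does the opposite, so a value lower than the age of your oldest restorable backup or your longest replication delay is a setting to avoid.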
