Restoring Deleted Objects In Active Directory. - ManageEngine


Contents:

  • Native tools to restore deleted objects
  • How do you enable the AD Recycle Bin?
  • Restoring deleted objects using PowerShell
  • Restoring deleted objects using LDP utility
  • Restoring deleted objects using the AD Administrative Center
  • The limitations of native restoration tools
  • RecoveryManager Plus: Making AD restorations simple
  • Other key features of RecoveryManager Plus

If an object in your Active Directory (AD) environment has been deleted and you need to recover it, Microsoft provides a few different ways to do that. This guide will explain the necessary steps to restore deleted AD objects with all their attributes intact.

Native tools to restore deleted objects

In AD, you can use the following tools to restore deleted objects:

  • PowerShell
  • LDP utility
  • Active Directory Administrative Center (applicable for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012)

For any of the above methods to work, the native AD Recycle Bin must be enabled. If Recycle Bin is not enabled, most object attributes will be removed when the objects are deleted. The objects can still be restored, but the missing attributes will have to be manually added back.

On the other hand, if the Recycle Bin is enabled, the objects and all their attributes are preserved for the tombstone lifetime period, which can be set by changing the msDS-deletedObjectLifetime attribute.

How do you enable the AD Recycle Bin?

Before you enable the AD recycle bin, ensure that the domain and forest functional levels are at least at Windows Server 2008 R2.

Note: Once the AD Recycle Bin has been enabled, it cannot be disabled.

Enabling AD Recycle Bin using PowerShell

To enable the AD Recycle Bin, execute the following command in PowerShell:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=zylker,DC=com' -Scope ForestOrConfigurationSet -Target 'www.zylker.com'

If you use Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

Enabling AD Recycle Bin using Active Directory Administrative Center

  1. In the management console, navigate to Tools > Active Directory Administrative Center.
  2. From the left pane, select the Domain for which you wish to enable the Recycle Bin.
  3. In the Tasks on the right-hand side of the screen, select Enable Recycle Bin.
  4. A dialog box appears with a message that explains that this action is irreversible. Click OK.
  5. Enabling the Recycle Bin will make changes in the configuration partition. Wait for AD replication to complete. This process may take a while if your organization has a large AD infrastructure.
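As an added example (not from the original article), the following PowerShell script checks the forest functional level and whether the Recycle Bin is already enabled before turning it on, then reads the deletion lifetime values that determine how long restorable objects are kept. It assumes the zylker.com forest used above and a session with Enterprise Admins rights.

```powershell
# Added example, not from the original article: enable the AD Recycle Bin only
# after checking the forest functional level and whether it is already enabled.
# Assumes the zylker.com forest from the article and Enterprise Admins rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
$minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minMode) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or later is required."
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled (it cannot be disabled once turned on)."
} else {
    # Irreversible change to the configuration partition; -Confirm:$false skips the prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "Recycle Bin enabled; wait for replication to finish before relying on it."
}

# Deleted objects stay restorable for msDS-deletedObjectLifetime days (the
# tombstoneLifetime value applies when it is unset); show both values so the
# restore window is known.
$ds = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $ds -Properties 'msDS-deletedObjectLifetime', 'tombstoneLifetime' |
    Select-Object 'msDS-deletedObjectLifetime', 'tombstoneLifetime'
```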

Restoring deleted objects using PowerShell

To restore a deleted object, open PowerShell and type in the following command:

Restore-ADObject -Identity $dn

Here, $dn is the distinguished name of the deleted object. To find it, run the following in PowerShell; the command returns the deleted object, and its DistinguishedName property is the value to use for $dn:

(Get-ADObject -SearchBase (Get-ADDomain).DeletedObjectsContainer -IncludeDeletedObjects -Filter "sAMAccountName -eq '%OLD_NAME%'")

To find the distinguished name of the object and to perform the restoration, use the following script in PowerShell:

(Get-ADObject -SearchBase (Get-ADDomain).DeletedObjectsContainer -IncludeDeletedObjects -Filter "sAMAccountName -eq '%OLD_NAME%'") | Restore-ADObject

Here, %OLD_NAME% is the name of the object before being deleted.
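As an added example (not from the original article), the script below wraps the search-and-restore step in a function that handles the cases the one-liner does not: no match, several deleted copies with the same name, and a parent OU that was deleted along with the object (in which case Restore-ADObject needs an explicit target). It assumes the zylker.com domain, the %OLD_NAME% placeholder used above, and a fallback OU named OU=Restored that you choose yourself.

```powershell
# Added example, not from the original article: restore a deleted object by its
# old sAMAccountName, back under its last known parent OU, or under a fallback
# OU when that parent no longer exists. The fallback OU is an assumed value.
Import-Module ActiveDirectory

function Restore-DeletedByName {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FallbackOU = 'OU=Restored,DC=zylker,DC=com'   # assumed OU
    )
    $domain = Get-ADDomain
    $hits = @(Get-ADObject -SearchBase $domain.DeletedObjectsContainer `
        -IncludeDeletedObjects -Filter "sAMAccountName -eq '$SamAccountName'" `
        -Properties sAMAccountName, lastKnownParent, whenChanged, isDeleted)

    if ($hits.Count -eq 0) { throw "No deleted object named '$SamAccountName' found." }
    if ($hits.Count -gt 1) {
        # Several deleted copies share the name; take the most recently changed
        # one and warn so the operator can verify the choice.
        Write-Warning "$($hits.Count) deleted objects match; restoring the newest."
        $hits = @($hits | Sort-Object whenChanged -Descending | Select-Object -First 1)
    }
    $obj = $hits[0]

    # lastKnownParent is the OU the object lived in before deletion. If that OU
    # was deleted too, a plain restore fails, so restore to the fallback OU.
    $parent = $obj.lastKnownParent
    $parentExists = $false
    if ($parent) {
        try {
            $null = Get-ADObject -Identity $parent -ErrorAction Stop
            $parentExists = $true
        } catch { }
    }
    if ($parentExists) {
        Restore-ADObject -Identity $obj.DistinguishedName
    } else {
        Write-Warning "Parent '$parent' is missing; restoring to $FallbackOU instead."
        Restore-ADObject -Identity $obj.DistinguishedName -TargetPath $FallbackOU
    }
    # Return the live object so the result can be verified.
    Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties sAMAccountName
}

Restore-DeletedByName -SamAccountName '%OLD_NAME%'
```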

Figure 1: Restoring AD objects using PowerShell


Restoring deleted objects using LDP utility

  1. Open the Command Prompt. Type ldp.exe and press the Enter key to start the ldp.exe utility.
  2. Open the Connect dialog box by navigating to Connection > Connect.
  3. Enter the domain name and the default port number (389).
  4. Click OK.
  5. Navigate to Connection > Bind, or press Ctrl + B to open the Bind dialog box.
  6. Select Bind as the currently logged on user and click OK.
  7. Navigate to Options > Controls, or press the Ctrl + L shortcut.
  8. Navigate to Load Predefined > Return Deleted Objects and click OK.
  9. Navigate to View > Tree. Provide the distinguished name of the Deleted Objects container in the space provided. In this case, CN=Deleted Objects,DC=zylker,DC=com.
  10. Click OK to view deleted objects.
  11. Expand the container in the left pane and locate the deleted object.
  12. Right-click the object and click Modify.
  13. In the dialog box that appears, type IsDeleted in the Edit Entry Attribute field.
  14. Select the Delete option and click Enter.
  15. Type distinguishedName in the Edit Entry Attribute field, and provide the distinguished name of the object in the Values field.
  16. Make sure that the Extended checkbox is selected.
  17. Click Run to restore the object.

Note: When you restore an object that was inside an organizational unit (OU), make sure that the distinguished name you provide includes its parent OU. If the parent OU is not included, the object will be restored to the root of the domain, and you will have to manually move it to the correct OU.

Restoring deleted objects using the AD Administrative Center

  1. Open the Active Directory Administrative Center from the Start menu.
  2. In the left pane, click the domain name and select the Deleted Objects container under it.
  3. Select the deleted object, and click the Restore button in the right pane.

The limitations of native restoration tools

  • Searching for specific deleted objects using PowerShell and the LDP utility is time-consuming.
  • By default, user and computer objects that have exceeded their tombstone lifetime do not retain the password (unicodePwd). As a result, when these accounts are restored, their passwords are not recovered. Administrators must reset the passwords for restored user accounts and manually rejoin restored computer objects to the domain. To retain user and computer passwords, the value of the searchFlags attribute on the Unicode-Pwd schema object must be changed from 0 to 8.
  • Native Recycle Bin has to be enabled to perform complete restorations, which can increase the size of the Directory Information Tree (DIT).
  • Objects that have exceeded the tombstone life cycle period cannot be restored.
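As an added example (not from the original article), this PowerShell snippet shows how to inspect the searchFlags value on the Unicode-Pwd schema attribute described in the password limitation above and set the preserve-on-delete bit (value 8) without clobbering any other bits already set. It assumes membership in Schema Admins; schema writes are directed at the schema master.

```powershell
# Added example, not from the original article: check whether unicodePwd is
# preserved on delete (searchFlags bit 8) and set the bit if it is missing.
# Assumes Schema Admins rights; the write is sent to the schema master.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pwdAttr  = Get-ADObject -Identity "CN=Unicode-Pwd,$schemaNC" -Properties searchFlags
$PRESERVE_ON_DELETE = 8   # fPRESERVEONDELETE bit of searchFlags

$current = [int]$pwdAttr.searchFlags
if ($current -band $PRESERVE_ON_DELETE) {
    Write-Host "searchFlags=$current already preserves unicodePwd on delete."
} else {
    # OR the bit in rather than overwrite, so any other flags survive.
    $new = $current -bor $PRESERVE_ON_DELETE
    Set-ADObject -Identity $pwdAttr -Replace @{ searchFlags = $new } `
        -Server (Get-ADForest).SchemaMaster
    Write-Host "searchFlags on Unicode-Pwd changed from $current to $new."
}
```

The flag takes effect for objects deleted after the change; accounts deleted before it still lose their password and must be reset or rejoined as described above.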

RecoveryManager Plus: Making AD restorations simple

ManageEngine's RecoveryManager Plus enables you to overcome all the shortcomings of the native tools while offering enhanced functionality.

With RecoveryManager Plus, you can restore objects with all their attributes intact, even if the native Recycle Bin is not enabled; this is possible because RecoveryManager Plus comes bundled with its own Recycle Bin feature.

All the deleted objects are accessible in the Deleted Objects section under the Quick Recovery tab. You can review attributes of deleted AD objects and restore them to the last known versions before the objects were deleted.

To restore deleted AD objects:

  1. Navigate to Active Directory > Active Directory Objects > Quick Recovery > Deleted Objects.
  2. Select the domain that contains the deleted objects you would like to restore from the drop-down in the top-left corner.
  3. To filter objects, simply click one of the tiles. The options include Total Deleted Objects, Deleted Users, Deleted Groups, and Deleted Group Policy Objects. To filter other objects, use the Object Type drop-down in the table below.
  4. Click Restore Location to choose a location for the object to be restored to. If no location is selected, the object will be restored to its original location where it was deleted.
  5. Click the link in the Backup Version field in the table to review the attributes and the values of the object that will be restored.
  6. Check the boxes beside the objects that you wish to restore and click Restore.

Figure 2: Restoring deleted AD objects using RecoveryManager Plus

RecoveryManager Plus is a better alternative to native tools: no endless PowerShell scripting; no need to sift through countless entries to find the deleted object, like in LDP utility.

Other key features of RecoveryManager Plus

Besides restoring deleted objects, RecoveryManager Plus is a multifaceted tool with several capabilities that make it a must-have for sysadmins who want total control over the contents of their AD.

Feature comparison across PowerShell, LDP utility, Active Directory Administrative Center, and RecoveryManager Plus:

  • Restore live AD objects to any of their past versions
  • AD rollback
  • Granular GPO restoration

Learn more about the various features that RecoveryManager Plus has to offer.

Try out RecoveryManager Plus to experience features like backing up and recovering AD objects, and enjoy included support if you need any assistance.
