Is it possible to recover Active Directory objects that have been deleted?

After removing any object in Active Directory (a user, a group, a computer or an OU), you can restore it. In this article we’ll show how to restore a removed object in AD using PowerShell and graphical tools.

First of all, let’s see what happens when you delete an object from the AD. AD behavior when removing objects depends on whether the Active Directory Recycle Bin is enabled or not (it is disabled by default). In both cases, the object is not removed physically, it is only marked as deleted (the isDeleted attribute value is changed to true) and moved to a special Deleted Objects container  (it is not displayed in AD mmc snap-ins). However, if the AD Recycle Bin is enabled, all attributes and membership are kept.

By default, you can restore a removed object within 180 days (it is defined in the msDS-deletedObjectLifetime domain attribute). If the period is over, the object still remains in the Deleted Objects container, but most of its attributes and links are cleared (Recycled Object). After the tombstoneLifetime period (it is also 180 days by default, but you can increase it), the object is completely removed from AD during an automatic cleanup and cannot be restored (you can only restore such an object from an AD domain controller backup).

Active Directory Recycle Bin

AD Recycle Bin is available in Active Directory starting from Windows Server 2008 R2 functional level. In previous Windows Server versions, you may also restore AD objects, but it requires a complex set of actions using special tools: ntdsutil (up to authoritative restore from an AD backup in the Directory Service Restore Mode) or ldp.exe  Also, with the AD Recycle Bin you won’t lose object attributes and group membership.

Check the AD forest functional level (in my example, it is Windows2016Forest):

Get-ADForest |Select-Object forestmode

Make sure that the AD Recycle Bin is enabled for your domain (it is disabled by default):

Get-ADOptionalFeature “Recycle Bin Feature” | select-object name,EnabledScope

If the EnabledScope value is not empty, it means that the Active Directory Recycle Bin is enabled for your domain.

If you want to enable the Active Directory Recycle Bin, use the Enable-ADOptionalFeature cmdlet:

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=ConfigurationDC=woshub,DC=com’ –Scope ForestOrConfigurationSet –Target ‘woshub.com’

Note. The AD Recycle Bin must be enabled prior to removing an object from the domain. After enabling the Active Directory Recycle Bin feature, you cannot disable it.

How to Restore a Deleted User Account in Active Directory?

Let’s try to delete an AD user and then restore them from the AD Recycle Bin.

Using the Get-ADUser cmdlet, display the value of the IsDeleted attribute of a user (it is empty):

get-aduser jsanti -Properties *| Select-Object IsDeleted,whenDeleted

Then remove the user account:

Remove-ADUser jsanti

To find a removed user account in the AD Recycle Bin, use the Get-ADObject cmdlet with the IncludeDeletedObjects parameter:

Get-ADObject -Filter 'Name -like "*santi*"' –IncludeDeletedObjects

As you can see, the user was found in the Deleted Objects container.

Check the value of the IsDeleted attribute, the container the user was located in prior to being removed (LastKnownParent) and the list of groups the user was a member of:

Get-ADObject -Filter 'Name -like "*santi*"' –IncludeDeletedObjects -Properties *| select-object Name, sAMAccountName, LastKnownParent, memberOf, IsDeleted|fl

If you don’t remember the name of the user you have deleted, you can display a full list of objects available in the Active Directory Recycle Bin:

Get-ADObject –filter {Deleted -eq $True -and ObjectClass -eq "user"} –includeDeletedObjects

To restore a user account, copy the ObjectGUID value and run the following command:

Restore-ADObject -Identity ‘aa704b7f-b003-4a21-8f62-53c75caa67b2

Or you can restore a user using its SAMAccountName:

Get-ADObject -Filter 'SAMAccountName -eq "jsanti"' –IncludeDeletedObjects | Restore-ADObject

Open the ADUC console (dsa.msc) and make sure that the user account has been restored in the same OU it was located prior to the removal.

You can also restore a deleted user account object from the graphical console of the Active Directory Administrative Center.

1. Run the dsac.exe;
2. Find the Deleted Objects container. It contains all the deleted AD objects;
3. Click the object you want to restore and select Restore (to restore to the original container) or Restore to (to restore to another AD Organizational Uni).

In the same way, you can restore a deleted group, a computer or a container in Active Directory.

To restore a deleted security group:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'group' -and Name -like '*Allow*' } –IncludeDeletedObjects| Restore-ADObject –verbose

To restore a computer:

Get-ADObject -Filter { Deleted -eq $True -and ObjectClass -eq 'computer' -and Name -like '*PCCA-sdd9302*' } –IncludeDeletedObjects| Restore-ADObject –verbose

How to Restore a Deleted OU and Its Nested Objects Using PowerShell?

For example, you had the Protect object from accidental deletion option disabled for an OU, and you have occasionally deleted the OU with all its users, computers and groups.

First of all, you must restore the root OU:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and Name -like '*California*'} –IncludeDeletedObjects| Restore-ADObject

Then restore all nested OUs:

Get-ADObject -Filter {Deleted -eq $True -and ObjectClass -eq 'organizationalunit' -and LastKnownParent -eq 'OU=California,DC=woshub,DC=com'} –IncludeDeletedObjects| Restore-ADObject

After that, you can restore all deleted objects in the OUs using the LastKnownParent parameter (users, computers, groups and contacts):

Get-ADObject -Filter {Deleted -eq $True} –IncludeDeletedObjects -Properties *| Where-Object LastKnownParent -like '*OU=California,DC=woshub,DC=com'| Restore-ADObject

Which tools lets you restore a deleted Active Directory object?

What happens when you delete an object from Active Directory?

Is it possible to retrieve deleted objects later?

Can you recover a deleted Active Directory account?