How to Restore Deleted Active Directory User?

If you delete an Active Directory user by accident, you can usually restore it quickly. A deleted AD object does not disappear immediately: the directory sets its isDeleted attribute to TRUE, strips most of its attributes (unless the AD Recycle Bin is enabled), and moves the resulting tombstone into the Deleted Objects container.

Objects in the Deleted Objects container are not shown in the ADUC console and are not visible to most management tools. The automatic AD garbage-collection process removes them for good once the tombstoneLifetime (TSL) attribute expires: 180 days by default on forests created with Windows Server 2003 SP1 or later, 60 days on older forests. When the AD Recycle Bin is enabled, the retention period for restorable objects is msDS-DeletedObjectLifetime, which defaults to the same value as the TSL.

In this article we look at several ways to restore a deleted user object in Active Directory. To have something to recover, delete the user Jon Brion with the Active Directory Users & Computers snap-in.

To find the deleted user account and its remaining properties, run the following PowerShell command (the ActiveDirectory module from RSAT is required; note the -IncludeDeletedObjects switch, without which Get-ADObject never returns tombstones):

Get-ADObject -Filter 'sAMAccountName -eq "jbrion"' -IncludeDeletedObjects

Deleted           : True
DistinguishedName : CN=Jon Brion\0ADEL:3c206e08-a114-429b-b122-cad9d10b37e7,CN=Deleted Objects,DC=solutionviews,DC=com
Name              : Jon Brion
                    DEL:3c206e08-a114-429b-b122-cad9d10b37e7
ObjectClass       : user
ObjectGUID        : 3c206e08-a114-429b-b122-cad9d10b37e7

As the DistinguishedName shows, the account now lives in the Deleted Objects container. Its RDN is the original name followed by a line feed (escaped as \0A in the DN) and DEL:<objectGUID>, which is why the Name value is printed on two lines; the GUID suffix keeps tombstones unique when an account of the same name is deleted more than once.

If you do not know the exact username, list all deleted user accounts in the domain. Requesting lastKnownParent and whenChanged shows where each object lived and when it was deleted, which helps pick the right tombstone when several share a name:

Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties lastKnownParent, whenChanged | Format-Table Name, ObjectGUID, lastKnownParent, whenChanged

Restore-ADObject accepts any identifier returned above (the ObjectGUID or the deleted object's full DN); the ObjectGUID is the safest choice because it is unambiguous. Use the following command to restore the object:

Restore-ADObject -Identity '3c206e08-a114-429b-b122-cad9d10b37e7'

Alternatively, pipe the deleted object straight into Restore-ADObject, which takes its identity from the pipeline:

Get-ADObject -Filter 'sAMAccountName -eq "jbrion"' -IncludeDeletedObjects | Restore-ADObject

In both cases the user is restored to its original organisational unit, recorded in the object's lastKnownParent attribute. If that OU was deleted as well, restore the OU first (parents before children) or pass -TargetPath with the DN of another OU; otherwise Restore-ADObject fails because the parent container does not exist.
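The following script, added here as a worked example and not part of the original article, puts the steps above together: it lists restorable tombstones for the account, picks the most recently deleted one, restores it to its original OU if that OU still exists and to a fallback OU otherwise, then verifies the live object. The domain and account name come from the article; the fallback OU is an assumption, and the script assumes the AD Recycle Bin is enabled.

```powershell
# Added example (not the article's own code). Requires the ActiveDirectory
# module (RSAT) and an enabled AD Recycle Bin.
Import-Module ActiveDirectory

$Sam        = 'jbrion'                                   # account from the article
$FallbackOU = 'OU=Restored,DC=solutionviews,DC=com'      # hypothetical OU, assumption

# Tombstones keep lastKnownParent and whenChanged; isRecycled marks objects
# that can no longer be restored (deleted before the Recycle Bin was enabled,
# or past msDS-DeletedObjectLifetime).
$candidates = Get-ADObject -Filter "sAMAccountName -eq '$Sam' -and objectClass -eq 'user'" `
                  -IncludeDeletedObjects `
                  -Properties lastKnownParent, whenChanged, isRecycled |
              Where-Object { $_.Deleted -and -not $_.isRecycled } |
              Sort-Object whenChanged -Descending

if (-not $candidates) { throw "No restorable deleted object found for $Sam" }

# Several tombstones may share a name (account deleted and recreated more than
# once); take the most recently deleted one and say which it is.
$obj = @($candidates)[0]
Write-Host "Restoring $($obj.ObjectGUID) (deleted $($obj.whenChanged), parent $($obj.lastKnownParent))"

# Restore-ADObject fails if the original parent OU is gone, so check it first.
try {
    $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop
    $parentExists = $true
} catch {
    $parentExists = $false
}

if ($parentExists) {
    Restore-ADObject -Identity $obj.ObjectGUID
} else {
    Write-Warning "Original OU $($obj.lastKnownParent) no longer exists; restoring to $FallbackOU"
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOU
}

# Verify: with the Recycle Bin enabled the SID, enabled state and group
# memberships (linked attributes) come back with the object.
Get-ADUser -Identity $Sam -Properties memberOf, objectSid |
    Select-Object DistinguishedName, Enabled, objectSid,
                  @{ Name = 'Groups'; Expression = { $_.memberOf -join '; ' } }
```

The final Get-ADUser call is the check worth keeping: a restored account that has lost its group memberships or come back with a different SID was not restored through the Recycle Bin but reanimated from a plain tombstone, and its access must be rebuilt by hand.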

If you prefer a GUI to PowerShell, restore the user from the Active Directory Administrative Center (dsac.exe). Select your domain, then open the Deleted Objects container, which lists every deleted AD object that is still restorable.

To restore the user, right-click the account and select Restore (or Restore To... to pick a different OU).

The methods above only work if the AD Recycle Bin feature is enabled in your Active Directory forest. Run the following command to check:

Get-ADOptionalFeature -Identity 'Recycle Bin Feature' | Select-Object Name, EnabledScopes

If the EnabledScopes value is empty, then the AD Recycle Bin is disabled in your forest. When the AD Recycle Bin is disabled, the Restore-ADObject cmdlet returns an error:

Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted

To enable the AD Recycle Bin (requires the forest functional level Windows2008R2Forest or higher), run the following command as a member of Enterprise Admins, giving the forest root domain as the target:

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'solutionviews.com'

Enabling the Recycle Bin is irreversible. Objects that were already tombstoned when you enable it are converted to recycled objects, so they can no longer be restored with Restore-ADObject or reanimated with AdRestore; recover anything you still need before turning the feature on.
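The following pre-flight script, added here as an example that is not from the original article, performs the checks a practitioner wants before enabling the Recycle Bin: it verifies the forest functional level, reports whether the feature is already on, counts the existing tombstones that will become unrecoverable, enables the feature with a confirmation prompt, and reads the retention attributes that govern how long deleted objects stay restorable. The forest name comes from the article.

```powershell
# Added example (not the article's own code). Run as Enterprise Admin with the
# ActiveDirectory module loaded.
Import-Module ActiveDirectory

$Forest = 'solutionviews.com'    # forest root domain from the article

# 1. Forest functional level must be Windows2008R2Forest or higher.
$f = Get-ADForest -Identity $Forest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$f.ForestMode -lt [int]$minimum) {
    throw "Forest mode $($f.ForestMode) is below $minimum; raise it before enabling the Recycle Bin."
}

# 2. Is the feature already enabled? EnabledScopes is empty when it is not.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
} else {
    # 3. Existing tombstones become recycled (unrecoverable) once the feature is
    #    on. Count them so the operator can reanimate any that still matter.
    #    The Deleted Objects container itself carries isDeleted=TRUE, so skip it.
    $tombstones = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects |
                  Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' }
    $count = @($tombstones).Count
    if ($count -gt 0) {
        Write-Warning "$count existing tombstone(s) will become unrecoverable after enabling; restore any you still need first (e.g. with AdRestore)."
    }

    # 4. Enable with an explicit confirmation prompt; this cannot be undone.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
                             -Scope ForestOrConfigurationSet `
                             -Target $Forest `
                             -Confirm:$true
}

# 5. Retention: deleted objects stay restorable for msDS-DeletedObjectLifetime
#    days; when that attribute is unset, tombstoneLifetime applies to both
#    deleted and recycled objects. Both live on the Directory Service object
#    in the configuration partition.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'
```

If the retention query returns an empty tombstoneLifetime, the forest is using the built-in default (60 days on forests created before Windows Server 2003 SP1, 180 days afterwards); set the attribute explicitly if you need a known value, since it also bounds how long a domain controller backup remains usable for an authoritative restore.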

If the AD Recycle Bin is not enabled, you can still reanimate the tombstone with the free Sysinternals AdRestore tool. Download the AdRestore archive and extract it. Run without arguments it lists every deleted object in the domain; with -r it offers to restore each object that matches the optional search filter. The filter is matched against the object's name, which for a tombstone ends in DEL:<objectGUID>, so the GUID of the deleted account narrows the match to exactly one object:

adrestore -r 45ac5afa-ddb5-4382-85d4-5c1ce6716f11

AdRestore asks you to confirm the restore of each matching object; answer y and a "Restore successful" message should follow. Bear in mind that a reanimated tombstone is not a full restore: only the handful of attributes preserved on tombstones (including sAMAccountName, objectSid and objectGUID) survive, so group memberships, the password and most other attributes must be set again, and the account has to be checked and re-enabled before the user can sign in.
