Restore Deleted Active Directory Objects using Recycle Bin

Restoring AD Objects is easier with Lepide. Check out our solution
x
Or Deploy With Our Virtual Appliance
10 min read | Updated On - December 20, 2023
In This Article

If an object has been deleted in your Active Directory, and you want it recovered, there are a number of things you can do. This article will take you through some background information on what happens to deleted Active Directory objects and what your options are when it comes to restoring them.

Cycle of Deleted Objects

Take a look at the following images of the cycle of a deleted object in the Active Directory before and after enabling “Active Directory Recycle Bin”:

Life cycle of a deleted AD Object before enabling Recycle Bin
Figure 1: Life cycle of a deleted Active Directory Object before enabling Recycle Bin
Lifecycle of a deleted AD Object after enabling Recycle Bin
Figure 2: Lifecycle of a deleted Active Directory Object after enabling Recycle Bin

Enabling the Active Directory Recycle Bin gives you more leeway when it comes to restoring a deleted object. Best to enable it!

What is Active Directory Recycle Bin and How to Enable It?

What is AD Recycle Bin

The Active Directory Recycle Bin is a feature in the Active Directory Domain Services (AD DS) that allows administrators to restore deleted Active Directory objects, such as user accounts, groups, and computers, without the need to restore from a backup. This feature provides a safety net for the accidental deletion of objects and helps reduce the effort and cost of restoring from a backup.

When an object is deleted from Active Directory, it is not immediately removed from the database. Instead, it is moved to a special container called the “Deleted Objects” container, where it remains for a specified period of time, known as the “tombstone lifetime.” After the tombstone lifetime has passed, the object is permanently deleted and cannot be recovered.

The Active Directory Recycle Bin changes this behavior by allowing deleted objects to be restored within a specified time period, even after the tombstone lifetime has passed. When the Recycle Bin feature is enabled, deleted objects are moved to the Recycle Bin instead of the Deleted Objects container, where they can be restored if necessary.

The Recycle Bin feature provides an easy-to-use interface for restoring deleted objects, reducing the effort and cost of restoring from a backup. It also reduces the risk of restoring an older version of an object from a backup, which can introduce inconsistencies into the directory. Additionally, the Recycle Bin is a more efficient solution for restoring objects compared to restoring from a backup, as it does not require a full database restore.

How to Enable AD Recycle Bin

Active Directory Recycle Bin can be activated only where all domain controllers are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2. Note: Enabling Active Directory Recycle Bin is irreversible.

Execute the following command to enable Active Directory Recycle Bin:

Enable-ADOptionalFeature –Identity ‘CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com’ –Scope ForestOrConfigurationSet –Target ‘www.domain.com’

If you are using Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

What happens to a Deleted Active Directory Object?

The following table compares the cycle of a deleted object before and after enabling “Active Directory Recycle Bin”:

BEFORE AFTER
Deleted object enters a “tombstone” state The deleted object enters a “logically deleted” state.
Attribute “IsDeleted” is changed to TRUE value. Attribute “IsDeleted” is changed to TRUE value.
Value of “WhenDeleted” is changed to “Time Changed”.
A unique value is assigned to Windows security descriptor.
RDN is changed to an impossible value.
The object is moved to “Deleted Objects” container (CN=Deleted Objects). The object is moved to “Deleted Objects” container (CN=Deleted Objects).
The object is in the “tombstone” state for is 180 days for Windows Server 2003 SP1/ 2008 and 60 days in Windows Server 2000/2003. The object remains in the “logically deleted” state for a period of 60 to 180 days in Windows Server 2008 R2.
In tombstone state, most of the link-valued and non-linked value attributes are stripped off. As soon as an object enters “logically deleted” state, all the object’s link-valued and non-linked value attributes are preserved by the system. Following attributes are not stripped off: Object- GUID, Object-SID, Object-Dist-Name, USN
A process called “Garbage collector” removes the object from the database after the tombstone state expires. The object moves to “Recycle” state. It remains here for another 60 to 180 days.
The object is completely erased. Most of the attributes are erased.
The object cannot be recovered. After the expiry of recycled state, the garbage collection process starts, and it removes the object from the database.
The object cannot be recovered.
Here the administrator has to use authoritative restoration to restore the deleted objects. The administrator can use PowerShell commands, LDP.exe, and AD administrative Center to restore deleted objects.
Table 1: Comparing the stages of deleted objects before and after enabling the Active Directory Recycle Bin

Default Tombstone Lifetime and How to Change It

The tombstone lifetime is between 60 days for Windows Server 2000/2003 and 180 days for Windows Server 2003 SP1/ 2008 (in later versions this can be modified using the ADSIEdit tool).

Perform the following steps to check and modify the tombstone lifetime period.

  1. Access ADSI Edit Console.
  2. Connect to “Configuration” partition.
  3. Navigate to “CN=Configuration, DC=www, DC=domain, DC=com” → “CN=”Services”, and expand “CN=Windows NT.”
  4. Right click on “CN=Directory Service” and click “Properties” in the context menu.
  5. In “Properties” dialog box, look for “msDS-deletedObjectLifetime” attribute. It shows the default tombstone lifecycle in days.
    Tombstone Lifetime
    Figure: Tombstone Lifetime Edit
  6. Select “tombstoneLifetime” attribute and click “Edit” to change its value.
  7. You can scroll down and access “tombstoneLifetime” attribute and perform the same steps to change it s value.
    Edit Tombstone
    Figure: Change Tombstone Lifetime

Methods to Restore Deleted Active Directory Objects

Reanimating deleted objects in Active Directory can be done using several methods. The following are some of the most commonly used native methods for restoring deleted objects in the Active Directory.

Test Case – In this scenario, a user (“testuser3”) has been deleted from the Active Directory. You can use following methods to restore a deleted object:

  • Method 1 – Using PowerShell commands
  • Method 2 – Using LDP utility
  • Method 3 – Using AD Recycle Bin (Active Directory Administrative Center)

Note- The Active Directory Recycle Bin should be enabled if you are using any of the above mentioned method. In case, AD Recycle Bin is not enabled then most object attributes will be removed when the objects were deleted. You have to be manually added them after restoring the objects.

1. Restore AD Objects Using AD Recycle Bin (Active Directory Administrative Center)

Follow the below given steps to recover deleted objects in Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012:

  • Step 1 – Navigate to start and type dsac.exe. Open “Active Directory Administrative Centre”.
  • Step 2 – In the left pane click domain name and select the “Deleted Objects” container in the context menu.
  • Step 3 – Right-click the container and click “Restore” to restore the deleted objects.
    Deleted Objects
    Figure 9: Deleted object displayed in the “Deleted Objects” container

2. Restore AD Objects Using LDP Utility

Perform the following steps:

  • Step 1 – In Start menu or “Command Prompt”, type “ldp.exe” and press “Enter” key to start the ldp.exe utility.
  • Step 2 – Select “Connect” from “Connection menu” to show “Connect” dialog box. Enter the domain name and default port number as 389.
  • Step 3 – Click “OK” to establish the connection.
    Connect dialog box
    Figure 4: “Connect” dialog box
  • Step 4 – Click “Bind” in the “Connection” menu to access “Bind” dialog box. Select “Bind as currently logged on user” and click “OK”.
    bind dialog box
    Figure 5: Bind dialog box

  • Step 5 – Click “Controls” from the “Options” menu to access following dialog box.
    controls dialog box
    Figure 6: Controls dialog box
  • Step 6 – Click “Return Deleted objects” from “Load Predefined” drop-down list to access deleted objects.
  • Step 7 – Click “OK.”
  • Step 8 – Click “Tree” on the “View” menu to access “Tree View”. Enter the “Distinguished name” in it.
  • Step 9 – Click “OK” to view deleted objects:

    CN=Deleted Objects, DC=www, DC=domain, dc=com

    displaying deleted objects
    Figure 7: Displaying the list of deleted objects
  • Step 10 – Right-click the user and click “Modify” command to access the given dialog box
    modify dialog box
    Figure 8: Modify dialog box with entries
  • Step 11 – In “Edit Entry Attribute” type “IsDeleted”.
  • Step 12 – Select “Delete” option and click “Enter”.
  • Step 13 – Type distinguished name in the “Edit Entry Attribute” text box. Select “Replace” under “Operation”.
  • Step 14 – Make sure that you select “Extended” checkbox.

The object can be restored to the root domain but cannot be restored to its parent Organizational unit. After recovering the object, you have to move the object to its parent container manually.

3. Restore AD Objects Using PowerShell Commands

Perform the following steps:

  • Step 1 – Execute the following command in the Active Directory Module for Windows PowerShell and press “Enter”. Run this command to show you the object that has been deleted:

    Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" – IncludeDeletedObjects
    Command displaying the deleted object
    Figure 3: Command displaying the deleted object
  • Step 2 – Copy the displayed value of “Distinguished Name” (you get the name of the deleted user/users from this list):

    DistinguishedName: CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec90347ad708cb, CN=Deleted Objects, DC=www,DC=domain, DC=com

  • Step 3 – Execute the command given below in Windows PowerShell to restore the deleted object:

    Get-ADObject -Filter {displayName -eq "testuser3"} IncludeDeletedObjects | Restore-ADObject

    The object gets restored to its previous location in the Active Directory after it is retrieved from the “Deleted objects container”

The Limitations of Restoring Objects by Using Native Methods

The backup and restoration capabilities of Active Directory are limited. Here are just a few of those limitations:

  • No in-built report function goes into granular detail.
  • Native methods do not allow you to restore deleted objects that have entered “Recycled” or “Physically deleted” state.
  • You need solid understanding of PowerShell commands and the steps for the LDP.exe. The latter is more complex than former.
  • It does not guarantee the availability of backup anytime and anywhere. The backup locations for the data are local drives and network shares only.
  • It offers only hourly/daily backups.
  • You cannot restore a specific object or attribute.
  • The local policies of objects cannot be restored.
  • Searching for specific objects in the backup is quite time-consuming.
  • It is a daunting task to extract the right set of attributes to be restored from the vast tranche of logs

How Lepide Helps to Restore Deleted Active Directory Objects

There are instances when objects you need are accidentally or intentionally deleted from the Active Directory. In such cases, the Lepide Object Restore Wizard (part of Lepide Data Security Platform) enables you to roll-back those changes to their original state in a single click.

It is able to do this by automatically capturing backup snapshots of Active Directory and Group Policy Objects and saving their state at regular intervals. Administrators can use these snapshots to restore the deleted and modified objects.

Using these snapshots, you can restore even those objects which are in a physically deleted or recycled state. After starting the wizard, Lepide Data Security Platform lets you select the backup snapshot with which you want to compare the current state of Active Directory. The user reaches at the following page after this comparison and it shows the list of deleted and modified objects in Active Directory.

Lepide Object Restore Wizard
Figure 10: Lepide Object Restore Wizard

The solution also allows you to recover the Active Directory objects from their tombstone state.

Lepide Restore AD Objects
Figure 11: Select Deleted Items to Restore

You can also right click on any unwanted change or object deletion in Active Directory and click “Rollback Change” to restore the change with a single-click. Click here to read more about Lepide Object Restore Wizard

Check out our Active Directory Object Restore Solution
x
Or Deploy With Our Virtual Appliance
Learn More...

Restoring AD Objects is easier with Lepide. Check out our solution

x
Or Deploy With Our Virtual Appliance
Learn More...