If an object has been deleted in your Active Directory, and you want it recovered, there are a number of things you can do. This article will take you through some background information on what happens to deleted Active Directory objects and what your options are when it comes to restoring them.

Cycle of deleted objects

Take a look at the following images of the cycle of a deleted object in the Active Directory before and after enabling “Active Directory Recycle Bin”:

Figure 1: Lifecycle of a deleted Active Directory Object before enabling Recycle Bin
Figure 2: Lifecycle of a deleted Active Directory Object after enabling Recycle Bin

Enabling the Active Directory Recycle Bin gives you more leeway when it comes to restoring a deleted object. Best to enable it!

Enable Active Directory Recycle Bin

Active Directory Recycle Bin can be activated only where all domain controllers are running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2. Note: Enabling Active Directory Recycle Bin is irreversible.

Execute the following command to enable Active Directory Recycle Bin:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'

If you are using Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.

What happens to a Deleted Active Directory Object?

The following table compares the cycle of a deleted object before and after enabling “Active Directory Recycle Bin”:

BEFORE enabling Active Directory Recycle Bin:

  • The deleted object enters a “tombstone” state.
  • The attribute “IsDeleted” is set to TRUE.
  • The value of “WhenDeleted” is set to the time of the change.
  • A unique value is assigned to the Windows security descriptor.
  • The RDN is changed to an impossible value.
  • The object is moved to the “Deleted Objects” container (CN=Deleted Objects).
  • The object stays in the “tombstone” state for 180 days on Windows Server 2003 SP1/2008 and for 60 days on Windows Server 2000/2003.
  • In the “tombstone” state, most of the link-valued and non-linked attributes are stripped off. The following attributes are not stripped off: Object-GUID, Object-SID, Object-Dist-Name, USN.
  • A process called the “garbage collector” removes the object from the database after the tombstone state expires.
  • The object is completely erased.
  • The object cannot be recovered.
  • Here the administrator has to use an authoritative restore to recover the deleted objects.

AFTER enabling Active Directory Recycle Bin:

  • The deleted object enters a “logically deleted” state.
  • The attribute “IsDeleted” is set to TRUE.
  • The value of “WhenDeleted” is set to the time of the change.
  • A unique value is assigned to the Windows security descriptor.
  • The RDN is changed to an impossible value.
  • The object is moved to the “Deleted Objects” container (CN=Deleted Objects).
  • The object remains in the “logically deleted” state for a period of 60 to 180 days in Windows Server 2008 R2.
  • As soon as an object enters the “logically deleted” state, all of the object’s link-valued and non-linked attributes are preserved by the system.
  • The object then moves to the “Recycled” state, where it remains for another 60 to 180 days.
  • Most of the attributes are erased.
  • After the recycled state expires, the garbage collection process starts and removes the object from the database.
  • The object cannot be recovered.
  • The administrator can use PowerShell commands, LDP.exe, and the Active Directory Administrative Center to restore deleted objects.

Table 1: Comparing the stages of deleted objects before and after enabling the Active Directory Recycle Bin

The tombstone lifetime is between 60 days for Windows Server 2000/2003 and 180 days for Windows Server 2003 SP1/ 2008 (in later versions this can be modified using the ADSIEdit tool).

Connect to the “Configuration” partition, navigate to “CN=Configuration,DC=www,DC=domain,DC=com” and expand it. Right-click “CN=Directory Service” and access its properties. You can edit the “tombstoneLifetime” attribute in “Properties” dialog box and change its value accordingly.
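The same two lifetimes can be read (and, if required, changed) from PowerShell rather than ADSIEdit. The script below is an added example and not part of the original article; it assumes the ActiveDirectory module is available and that the caller can read the Configuration partition.

```powershell
# Added example: read tombstoneLifetime and msDS-DeletedObjectLifetime from
# CN=Directory Service in the Configuration partition. Assumes the
# ActiveDirectory module is installed.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$ds = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# If tombstoneLifetime is not set, the directory applies the old default of 60 days.
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

# If msDS-DeletedObjectLifetime is not set, the deleted-object lifetime
# (the "logically deleted" period after enabling the Recycle Bin) follows the tombstone lifetime.
$dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

[PSCustomObject]@{
    TombstoneLifetimeDays     = $tsl
    DeletedObjectLifetimeDays = $dol
    Source                    = $dsDN
}

# To raise the tombstone lifetime to 180 days, run the line below without -WhatIf.
# -WhatIf only reports what would change, which is the safe default for a first run.
Set-ADObject -Identity $dsDN -Replace @{ tombstoneLifetime = 180 } -WhatIf
```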

Native Restoration of Deleted Objects

Reanimating deleted objects in Active Directory can be done using several methods. The following are some of the most commonly used native methods for restoring deleted objects in the Active Directory.

Test Case

In this scenario, a user (“testuser3”) has been deleted from the Active Directory. The restoration methods you can use to restore a deleted object have been given below:

Using PowerShell commands

Perform the following steps:

  • Execute the following command in the Active Directory Module for Windows PowerShell and press “Enter”. This command lists the objects that have been deleted:

    Get-ADObject -LDAPFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects

    Figure 3: Command displaying the deleted object
  • Copy the displayed value of “Distinguished Name” (you get the name of the deleted user/users from this list):

    DistinguishedName: CN=testuser3\0ADEL:64f1e4dc-7722-4839-9fec-90347ad708cb,CN=Deleted Objects,DC=www,DC=domain,DC=com

  • Execute the command given below in Windows PowerShell to restore the deleted object:

    Get-ADObject -Filter {displayName -eq "testuser3"} -IncludeDeletedObjects | Restore-ADObject

The object gets restored to its previous location in the Active Directory after it is retrieved from the “Deleted objects container”.
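A single pipeline works for the happy path, but a practitioner will want to know whether the object is still restorable and whether its original parent OU still exists before calling Restore-ADObject. The script below is an added example and not part of the original article; “testuser3” is the article’s test case, while the fallback OU (“OU=Restored,…”) is an assumed container that must already exist.

```powershell
# Added example: locate a deleted user by its last known RDN, verify it can
# still be restored natively, and restore it to its original parent or, if
# that parent is gone, to an assumed fallback OU. Assumes the ActiveDirectory
# module is installed.
Import-Module ActiveDirectory

$rdn        = 'testuser3'                                # the article's deleted user
$fallbackOU = 'OU=Restored,DC=www,DC=domain,DC=com'      # assumed to exist

$props   = 'msDS-LastKnownRDN', 'lastKnownParent', 'isDeleted', 'isRecycled', 'whenChanged'
$deleted = Get-ADObject -Filter "msDS-LastKnownRDN -eq '$rdn'" `
               -IncludeDeletedObjects -Properties $props

if (-not $deleted) { throw "No deleted object with RDN '$rdn' found." }
if (@($deleted).Count -gt 1) {
    throw "More than one deleted object matches '$rdn'; restore by ObjectGUID instead."
}

# Objects that have moved on to the "Recycled" state cannot be restored with native tools.
if ($deleted.isRecycled) {
    throw "$rdn is already recycled (last change $($deleted.whenChanged)); only a backup can bring it back."
}

# Restore-ADObject fails if the original parent no longer exists (for example,
# because the whole OU was deleted). lastKnownParent records where the object lived.
$parent       = $deleted.lastKnownParent
$parentExists = try { [bool](Get-ADObject -Identity $parent) } catch { $false }

if ($parentExists) {
    $deleted | Restore-ADObject
    Write-Host "Restored $rdn to $parent"
} else {
    # Either restore the parent OU first, or place the object somewhere that exists.
    $deleted | Restore-ADObject -TargetPath $fallbackOU
    Write-Host "Original parent $parent is gone; restored $rdn to $fallbackOU"
}
```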

LDP utility

Perform the following steps:

  • In Start menu or “Command Prompt”, type “ldp.exe” and press “Enter” key to start the ldp.exe utility.
  • Select “Connect” from “Connection menu” to show “Connect” dialog box. Enter the domain name and default port number as 389.
  • Click “OK” to establish the connection.
    Figure 4: “Connect” dialog box
  • Click “Bind” in the “Connection” menu to access “Bind” dialog box. Select “Bind as currently logged on user” and click “OK”.
    Figure 5: Bind dialog box
  • Click “Controls” from the “Options” menu to access following dialog box.
    Figure 6: Controls dialog box
  • Click “Return Deleted objects” from “Load Predefined” drop-down list to access deleted objects.
  • Click “OK.”
  • Click “Tree” on the “View” menu to access “Tree View”. Enter the “Distinguished name” in it.
  • Click “OK” to view deleted objects:

    CN=Deleted Objects,DC=www,DC=domain,dc=com

    Figure 7: Displaying the list of deleted objects
  • Right-click the user and click “Modify” command to access the given dialog box.
    Figure 8: Modify dialog box with entries
  • In the “Edit Entry Attribute” text box, type “IsDeleted”.
  • Select the “Delete” operation and click “Enter”.
  • Type “distinguishedName” in the “Edit Entry Attribute” text box and select “Replace” under “Operation”.
  • Make sure that you select the “Extended” checkbox.

The object can be restored to the root domain but cannot be restored to its parent Organizational unit. After recovering the object, you have to move the object to its parent container manually.

Restore deleted objects using Administrative Center

Follow the below given steps to recover deleted objects in Windows Server 2012 and Windows Server 2012 R2:

  • Navigate to Start, type dsac.exe and open “Active Directory Administrative Center”.
  • In the left pane, click the domain name and select the “Deleted Objects” container.
  • Right-click the container and click “Restore” to restore the deleted objects.
    Figure 9: Deleted object displayed in the “Deleted Objects” container

Native Object Restoration – The Limitations

The backup and restoration capabilities of Active Directory are limited. Here are just a few of those limitations:

  • There is no built-in report function that goes into granular detail.
  • Native methods do not allow you to restore deleted objects that have entered the “Recycled” or “Physically deleted” state.
  • You need a solid understanding of PowerShell commands and of the steps for LDP.exe. The latter is more complex than the former.
  • It does not guarantee the availability of a backup anytime and anywhere. The backup locations for the data are local drives and network shares only.
  • It offers only hourly/daily backups.
  • You cannot restore a specific object or attribute.
  • The local policies of objects cannot be restored.
  • Searching for specific objects in the backup is quite time-consuming.
  • It is a daunting task to extract the right set of attributes to be restored from the vast tranche of logs.

LepideAuditor – A better way to restore deleted Active Directory objects

There are instances when objects you need are accidentally or intentionally deleted from the Active Directory. In such cases, the Lepide Object Restore Wizard (part of LepideAuditor) enables you to roll-back those changes to their original state in a single click.

It is able to do this by automatically capturing backup snapshots of Active Directory and Group Policy Objects and saving their state at regular intervals. Administrators can use these snapshots to restore the deleted and modified objects.

Using these snapshots, you can restore even those objects which are in a physically deleted or recycled state. After starting the wizard, LepideAuditor lets you select the backup snapshot with which you want to compare the current state of Active Directory. After this comparison, the wizard shows the following page, which lists the deleted and modified objects in Active Directory.

Figure 10: Lepide Object Restore Wizard

Conclusion

The solution also allows you to recover Active Directory objects from their tombstone state. You can also right-click any unwanted change or object deletion in Active Directory and click “Rollback Change” to revert it with a single click.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.