When you delete an object in Windows Server 2003 Active Directory, such as a computer, organizational unit or user account, it is not physically removed from the directory. Instead it is marked as deleted (its isDeleted attribute is set to TRUE), most of its attributes are stripped, and it is moved into the hidden Deleted Objects container of its partition. The object then stays as a "tombstone" for the tombstone lifetime, and while the tombstone exists the object can be recovered. The default lifetime is 60 days for forests created before Windows Server 2003 SP1 and 180 days for forests created with SP1 or later; the value actually in force is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration in your forest (if the attribute is not set, 60 days applies). Once the lifetime expires the tombstone is garbage-collected and the object is gone for good.
The command-line tool we are going to use to accomplish the task is AdRestore by Mark Russinovich:
- If we execute adrestore with no parameters, it returns a list of all tombstoned objects in our domain. To narrow the output, add a DeletedObjectName filter and the tool returns only the matching entries. For example: c:\>adrestore jdoe.
- Once the object we want to restore is found, we execute c:\>adrestore -r ObjectName. The -r switch makes adrestore prompt for confirmation before restoring each matching object, so check the SID and GUID it prints against the object you expect before answering yes.
- Finally, the recovered object is accessible again through Active Directory Users and Computers, where we need to: a) reset the password (the password hash is not kept on the tombstone), b) enable the object (reanimated accounts come back disabled), c) remove the Exchange attributes, and then reconnect the mailbox.
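The steps above are what AdRestore does for you at the LDAP level: search with the Show Deleted control, then, in a single modify operation, remove isDeleted and rename the object back under its lastKnownParent. The following PowerShell script is an added example that reproduces that sequence with System.DirectoryServices.Protocols so the mechanism is visible; it is not part of the original post and is not AdRestore's own code. It assumes a DC named dc01.corp.example, a single-domain forest DC=corp,DC=example, a deleted user whose sAMAccountName was jdoe, and a caller with permission to reanimate tombstones (Domain Admins by default). It also reads the tombstone lifetime first and refuses to restore into a parent container that no longer exists, two checks worth doing before any restore.

```powershell
# Added example: tombstone reanimation by hand (what AdRestore does), plus the
# post-restore password reset and enable. Names below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.corp.example'   # assumed DC
$domainDn = 'DC=corp,DC=example'  # assumed domain (also the forest root here)
$account  = 'jdoe'                # assumed deleted user
$newPass  = 'Temp-P@ssw0rd-ChangeMe'   # placeholder; reset it interactively in practice

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.Signing = $true   # Kerberos sign/seal so the password reset is not sent in clear
$conn.SessionOptions.Sealing = $true
$conn.Bind()                           # bind as the current user

# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): without this control
# the DC neither returns tombstones in searches nor lets you modify them.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# 1. How much time is left? tombstoneLifetime is in the configuration partition;
#    if the attribute is absent, the pre-SP1 default of 60 days is in force.
$cfgDn  = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,$domainDn"
$cfgReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $cfgDn, '(objectClass=*)', 'Base', [string[]]@('tombstoneLifetime'))
$cfg = $conn.SendRequest($cfgReq).Entries[0]
$lifetime = 60
if ($cfg.Attributes.Contains('tombstoneLifetime')) {
    $lifetime = [int]($cfg.Attributes['tombstoneLifetime'].GetValues([string])[0])
}
Write-Host "Tombstone lifetime in this forest: $lifetime days"

# 2. Find the tombstone. Only a handful of attributes survive deletion; objectSid
#    and sAMAccountName let us confirm this is the object we mean to bring back.
$delReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn",
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$account))",
    'Subtree',
    [string[]]@('cn', 'sAMAccountName', 'objectSid', 'objectGUID', 'lastKnownParent'))
$delReq.Controls.Add($showDeleted) | Out-Null
$hits = $conn.SendRequest($delReq).Entries
if ($hits.Count -ne 1) { throw "Expected exactly one tombstone for $account, found $($hits.Count)" }
$ts  = $hits[0]
$sid = New-Object System.Security.Principal.SecurityIdentifier(
    ($ts.Attributes['objectSid'].GetValues([byte[]])[0]), 0)
Write-Host "Found tombstone $($ts.DistinguishedName)"
Write-Host "  objectSid = $sid  (must match the SID still present in ACLs / SIDHistory)"

# 3. Work out where it goes back. The tombstone's CN is '<name>' + LF + 'DEL:<guid>';
#    strip that suffix and reuse the parent recorded at deletion time.
$parent = $ts.Attributes['lastKnownParent'].GetValues([string])[0]
$cn     = ($ts.Attributes['cn'].GetValues([string])[0] -split "`n")[0]
$newDn  = "CN=$cn,$parent"

# Check: if the parent OU was deleted as well, lastKnownParent points at a DN that
# no longer exists and the rename fails. Restore the parent first in that case.
$parentReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $parent, '(objectClass=*)', 'Base', [string[]]@('objectClass'))
try { $conn.SendRequest($parentReq) | Out-Null }
catch { throw "Parent container '$parent' does not exist; restore it first (adrestore on the OU), then retry" }

# 4. Reanimate: delete isDeleted and replace distinguishedName in ONE modify
#    request carried with the Show Deleted control. Done separately, the DC rejects it.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $ts.DistinguishedName
$m1 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m1.Name = 'isDeleted';         $m1.Operation = 'Delete'
$m2 = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$m2.Name = 'distinguishedName'; $m2.Operation = 'Replace'; $m2.Add($newDn) | Out-Null
$mod.Modifications.Add($m1) | Out-Null
$mod.Modifications.Add($m2) | Out-Null
$mod.Controls.Add($showDeleted) | Out-Null
$conn.SendRequest($mod) | Out-Null
Write-Host "Reanimated as $newDn"

# 5. Post-restore steps from the article: the password hash was not preserved and
#    the account comes back disabled, so reset the password, then clear the
#    ACCOUNTDISABLE bit (0x2) in userAccountControl. ADSI is used here because
#    IADsUser.SetPassword handles the secure channel for the password reset.
$user = [ADSI]"LDAP://$server/$newDn"
$user.SetPassword($newPass)
$uac  = [int]$user.userAccountControl.Value
$user.Put('userAccountControl', ($uac -band (-bnot 2)))
$user.SetInfo()
Write-Host "Password reset and account enabled; group membership must be re-added by hand"
```

Exchange attributes and the mailbox reconnect are deliberately left out; they belong to the Exchange tooling, not to the directory restore. Note that the CN is reused without escaping, so a name containing a comma or other RDN-special characters would need escaping before it is placed in $newDn.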
What attributes are going to be recovered?
objectGUID, sAMAccountName and objectSid are always kept on the tombstone. sIDHistory is kept as well, but only on Windows Server 2003 SP1 and later; before SP1 it was stripped on deletion. Because objectSid survives, the restored account regains the same SID and therefore all the ACL entries that still reference it.
What attributes are not going to be recovered?
With adrestore we cannot recover group membership or the user / group description: member / memberOf are linked attributes and, like description and most other attributes, they are stripped from the tombstone at deletion time, so there is nothing left for the tool to reanimate. They can only be recovered with an AD authoritative restore from a backup, and even that sometimes fails because some of the links to other objects may no longer be present in the directory.
Can the recovery be done through the GUI?
Yes. ADRestore.NET by Guy Teverovsky (link below) is a graphical front end for the same tombstone reanimation; it has the same limits as the command-line tool, since the attributes that are missing from the tombstone cannot be brought back by either.
Download AdRestore v1.1 By Mark Russinovich
Download ADRestore.NET By Guy Teverovsky
Posted by Gabriel Maciel