How to Recover Active Directory Deleted Objects

When you delete an object in Windows Server 2003, such as a computer, organizational unit or user account, it is not physically removed from AD. Instead it is marked as "deleted" through the isDeleted attribute and kept as a tombstone for 60 to 180 days (depending on the service pack level), and during that window it can be recovered.

The command-line tool we are going to use to accomplish the task is AdRestore by Mark Russinovich:

  • If we execute adrestore with no parameters, it returns a list of all tombstoned objects in our domain. To narrow the output, adding a DeletedObjectName makes the tool return only the objects matching that name. For example: c:\>adrestore jdoe.
  • Once the object we want to restore is found, we execute c:\>adrestore -r ObjectName. The -r switch makes adrestore prompt us for confirmation before restoring the object.
  • Finally, the recovered object is accessible again through AD Users and Computers, where we need to: a) reset the password, b) enable the object, c) remove the Exchange attributes and then reconnect the mailbox.
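The reanimation adrestore performs is a single LDAP modify that clears isDeleted and gives the tombstone a new distinguishedName; the PowerShell script below does the same thing directly, as an added example that is not code from this post or from Sysinternals. It assumes a domain DC=example,DC=com, a writable DC named dc01.example.com, a fallback OU named OU=Staff and a deleted account jdoe, all placeholders.

```powershell
# Added example: reanimate an AD tombstone over LDAP (what adrestore does internally).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domainDn = 'DC=example,DC=com'        # assumption: your domain's DN
$fallback = "OU=Staff,$domainDn"       # assumption: OU used if lastKnownParent is missing
$sam      = 'jdoe'                     # assumption: sAMAccountName of the deleted account

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection('dc01.example.com')
$conn.SessionOptions.Signing = $true   # sign and seal the session; tombstone changes are sensitive
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# Tombstones stay invisible unless the Show Deleted Objects control is attached to the request.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn",
    "(&(isDeleted=TRUE)(sAMAccountName=$sam))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'lastKnownParent', 'objectSid'))
$search.Controls.Add($showDeleted) | Out-Null
$resp = $conn.SendRequest($search)
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $sam, found $($resp.Entries.Count)"
}
$tomb  = $resp.Entries[0]
$oldDn = $tomb.DistinguishedName

# A tombstone RDN reads "CN=jdoe\0ADEL:<guid>"; keep only the part before "\0ADEL:".
$cn = ($oldDn -split ',', 2)[0] -replace '\\0ADEL:.*$', ''
# Prefer the container the object lived in (lastKnownParent); it must still exist,
# otherwise restore the container first, as the post's first comment notes.
$parent = if ($tomb.Attributes['lastKnownParent']) {
    [string]$tomb.Attributes['lastKnownParent'][0]
} else { $fallback }
$newDn = "$cn,$parent"

# One modify does the reanimation: delete isDeleted and replace distinguishedName.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $oldDn
$clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$clearDeleted.Name = 'isDeleted'; $clearDeleted.Operation = 'Delete'
$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'; $setDn.Operation = 'Replace'; $setDn.Add($newDn) | Out-Null
$mod.Modifications.Add($clearDeleted) | Out-Null
$mod.Modifications.Add($setDn) | Out-Null
$mod.Controls.Add($showDeleted) | Out-Null
$conn.SendRequest($mod) | Out-Null
Write-Host "Reanimated $oldDn as $newDn (now reset the password, enable it, fix Exchange attributes)"
```

The object comes back disabled and without its group memberships, exactly as with adrestore, so the manual steps in the list above still apply afterwards.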

What attributes are going to be recovered?

ObjectGUID, SAMAccountName and ObjectSid; SIDHistory is also preserved on Windows Server 2003 SP1 and SP2.

What attributes are not going to be recovered?

With adrestore we cannot recover group membership or the user / group description. They can only be recovered with an AD authoritative restore, and sometimes even that fails because some of the links to other objects may no longer be present.

Can the recovery be done through the GUI?

Yes, you can use LDP (part of Windows Server 2003 Support Tools) or a really nice utility called ADRestore.NET written by Guy Teverovsky (MVP from Israel), among others.

Download AdRestore v1.1 By Mark Russinovich

Download ADRestore.NET By Guy Teverovsky

Reanimating Active Directory Tombstone Objects

Posted by Gabriel Maciel


Gabriel said...

I forgot to mention that if you want to recover a user that existed in a container (like an OU) that does not exist anymore, you will first need to restore the container and then the user.

Bobby Bartley said...

We use Active Administrator that can recover active directory objects as well as object passwords, group policies and object security without rebooting into directory services restore while keeping all domain controllers online.

Gabriel Maciel said...

It sounds like an interesting tool. Script Logic has very nice and useful products in general, I highly recommend them.