27 November, 2010

How to Restore Deleted AD Objects Using ADRestore

When an object is deleted from Active Directory, the object is moved to the "Deleted Objects" container and remains there until its tombstone lifetime expires.

(To read more about object deletion and tombstone lifetime, please refer to the following link: http://www.adshotgyan.com/2010/11/tombstone-garbage-collection.html)

Remember that when an object is deleted, three things happen:

1. The object is moved to the "Deleted Objects" container
2. The "isDeleted" attribute of the object is set to TRUE
3. The majority of the object's attributes are stripped off

So in case you want to recover the object from the "Deleted Objects" container, be prepared to get back only a subset of its attributes, not all of them. To get all the attributes back, you have to restore the object from a backup.

To recover an object from the "Deleted Objects" container, we can use either of the following:

1. LDP (http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using_27.html)
2. ADRestore

Scenario:
Domain Name: Contoso.com
DC Name: Win2k3-DC
OU: OU1 and OU2
Users: User1 and User2
Groups: Group1 and Group2

User1 is a member of Group1
User1 and Group1 reside in OU1
User2 is a member of Group2
User2 and Group2 reside in OU2


Let's delete a user (User1)


ADRestore has to be downloaded manually from
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx


ADRestore is a command-line tool.
The switch we need to use to recover is "-r", which prompts us with the name of each object before restoring it. If the -r switch is not used, then all the objects present in the "Deleted Objects" container are restored.


Here we get a prompt to restore the user we deleted (User1)



Once the object is restored, it is not enabled


We need to enable that object manually


The object cannot be enabled until we reset the password. So in case you are restoring users using ADRestore, be prepared to set a new password for all those restored users


Let's have a look at the user's membership. Before deletion, this user was a member of Group1. After restoration, the membership has been set back to the default. So in case you are restoring users (and that too in bulk) using ADRestore, the biggest challenge you will face is to grant the membership to all these users again. This is still easy if all the users have the same membership, as from Windows 2003 onwards you can select all the users in one go and add them to a particular group. But what if different users are members of different groups...:(


Now let's delete both the user and the group from this OU


Now, using ADRestore, you have to restore both the user and the group. If you have deleted a user and a group, with the user being a member of that group, restoring the user will not restore the group automatically. We have to restore the user and the group individually.


Just like the user's, the group's membership will also be set back to the default


Let's add the membership back


Now, let's delete the complete OU containing a user and a group

This time, we will not restore the user or the group. Instead, we will restore the OU.


Here we get an option to restore the OU



Let's now check whether we were able to restore the user and the group automatically... No.
We just got our OU back and not the user/group. So that means the user/group has to be restored individually again.

Note: In this scenario, if we directly try to restore a user/group whose OU has been deleted, you will get an error saying that the parent OU was not found. Restoring the user/group will not automatically restore the OU; the OU has to be restored first.
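As an added example (not from the original post and not part of ADRestore), here is a PowerShell script using the ActiveDirectory module that covers the two gaps described above: it exports the group memberships of an OU while the objects still exist, and, after the OU, then the groups, then the users have been reanimated with "adrestore -r" (in that order, so the "parent OU was not found" error is avoided), it re-adds the memberships, resets each password and enables the account. The snapshot path and the OU DN are assumed values.

```powershell
# Added example; not part of the original post or of the ADRestore tool.
# Requires the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

$Snapshot = 'C:\ADSnapshot\memberships.csv'   # assumed path for the export
$SearchOU = 'OU=OU1,DC=contoso,DC=com'         # assumed OU DN from the scenario

# Step 1: run while the objects still exist (e.g. from a scheduled task).
# Tombstoning strips memberOf, so record every user -> group link beforehand.
function Export-MembershipSnapshot {
    Get-ADUser -Filter * -SearchBase $SearchOU -Properties memberOf |
        ForEach-Object {
            $user = $_
            foreach ($groupDn in $user.memberOf) {
                [pscustomobject]@{ User = $user.SamAccountName; Group = $groupDn }
            }
        } | Export-Csv -Path $Snapshot -NoTypeInformation
}

# Step 2: run after "adrestore -r" has reanimated the OU, then the groups,
# then the users. Rebuild memberships, then reset the password and enable.
function Restore-MembershipSnapshot {
    Import-Csv -Path $Snapshot | Group-Object -Property User | ForEach-Object {
        $sam  = $_.Name
        # -Filter returns nothing (no error) if the user is still a tombstone
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if (-not $user) {
            Write-Warning "$sam has not been restored yet; reanimate it with ADRestore first"
            return   # acts as 'continue' inside ForEach-Object
        }
        foreach ($row in $_.Group) {
            # Fails if the group is itself still a tombstone: restore groups before users.
            Add-ADGroupMember -Identity $row.Group -Members $user
        }
        # ADRestore brings the account back disabled, and it cannot be enabled
        # until the password has been reset, so do both in that order.
        $pw = Read-Host -AsSecureString -Prompt "New password for $sam"
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
        Enable-ADAccount -Identity $user
    }
}
```

Run Export-MembershipSnapshot on a schedule so a recent snapshot exists before any accidental deletion; Restore-MembershipSnapshot only repairs memberships it finds in that file, so anything added after the last export still has to be re-added by hand.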