(To read more about object deletion and tombstone lifetime, please refer to the following link: http://www.adshotgyan.com/2010/11/tombstone-garbage-collection.html)
Remember the fact that when an object is deleted, three things happen:
1. The object is moved to the "Deleted Objects" container
2. The "IsDeleted" attribute of the object is set to TRUE
3. The majority of the object's attributes are stripped off
So in case you want to recover the object from the "Deleted Objects" container, be prepared to get only a subset of the attributes for that object and not all of them. To get all the attributes back, you have to use a backup to restore the object.
To recover the object from the "Deleted Objects" container, we can use the following ways:
1. LDP
2. ADRestore (http://www.adshotgyan.com/2010/11/how-to-restore-deleted-ad-objects-using.html)
Scenario:
Domain Name: Contoso.com
DC Name: Win2k3-DC
OU: OU1 and OU2
Users: User1 and User2
Groups: Group1 and Group2
User1 is a member of Group1
User1 and Group1 reside in OU1
User2 is a member of Group2
User2 and Group2 reside in OU2
Let's delete a User
We have not deleted the corresponding Group. Only the User has been deleted
Connect to the Server using LDP
Once connected, bind to the Active Directory
Use the Control Box to display the Deleted Objects Container. By default, the Deleted Objects Container is not visible when we connect to the Active Directory and try to browse
Type the name of the partition whose contents you want to display. Here we have specified the domain partition, as the Deleted Objects Container is in the domain partition
This lists all the objects that have been deleted from Active Directory but for which the Garbage Collection process has not yet run
The user which we have deleted in step 1 is listed here
Once selected, you can view the attributes of that User on the Right Pane
To restore that user, we have to first remove the IsDeleted flag for that user. Remember, when an object is deleted, the IsDeleted attribute of that object becomes TRUE. So to restore that user, we need to delete the IsDeleted flag on that object
Once the object has been deleted, the Distinguished Name (DN) of that user changes.
DN is equivalent to the location of that object in AD.
Earlier, before deletion, that object used to reside in OU=OU2,DC=Contoso,DC=Com and after deletion the object now resides in CN=Deleted Objects,DC=Contoso,DC=Com
In case you don't remember where the object was placed in AD before deletion, this can be found from the attribute "LastKnownParent", which points to the location where the object used to reside before deletion
After restoration, the object is disabled.
Restoring the object using LDP does NOT restore its Group Membership. To restore the object along with its group membership, use a system state backup to restore the object
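The two LDP modifications described above (delete the IsDeleted attribute, then set the Distinguished Name to the old name under LastKnownParent) can be scripted. The following PowerShell is an added example and is not from the original post; it uses System.DirectoryServices.Protocols directly, assumes the server and object names from the scenario above (Win2k3-DC.contoso.com, User2, contoso.com) and assumes the calling account already holds the "Reanimate Tombstones" right on the domain partition. After the restore it reads back userAccountControl and memberOf so you can see the two caveats for yourself: the account comes back disabled and with no group membership.

```powershell
# Added example (not from the original post): reanimate a tombstone the same
# way the LDP walkthrough does, then check the result.
# Assumptions: server/object names are taken from the scenario in the post;
# the current account has the "Reanimate Tombstones" right on the partition.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstonedObject {
    param(
        [string]$Server      = "Win2k3-DC.contoso.com",   # assumed FQDN of the DC
        [string]$DomainDn    = "DC=contoso,DC=com",
        [string]$Name        = "User2",                   # RDN value of the deleted object
        [string]$ObjectClass = "user"                     # use "organizationalUnit" for an OU
    )

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # bind as the currently logged-on account

    # Equivalent of ticking "Return deleted objects" in LDP's Controls dialog
    # (LDAP_SERVER_SHOW_DELETED_OID, 1.2.840.113556.1.4.417).
    $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

    # A tombstone's RDN looks like "User2\0ADEL:<objectGUID>", so search on the
    # name prefix and confirm the exact name after splitting at the 0x0A byte.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(objectClass=$ObjectClass)(name=$Name*))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @("name", "lastKnownParent", "isDeleted"))
    $search.Controls.Add($showDeleted) | Out-Null
    $resp = $conn.SendRequest($search)

    $entry = $resp.Entries | Where-Object {
        ($_.Attributes["name"][0] -split "`n")[0] -eq $Name } | Select-Object -First 1
    if (-not $entry) { throw "No tombstone named '$Name' of class '$ObjectClass' found" }

    $tombstoneDn = $entry.DistinguishedName
    $parent      = $entry.Attributes["lastKnownParent"][0]   # where it lived before deletion
    $rdnAttr     = if ($ObjectClass -eq "organizationalUnit") { "OU" } else { "CN" }
    $newDn       = "$rdnAttr=$Name,$parent"

    # Step 1: delete the isDeleted attribute
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = "isDeleted"
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Step 2: replace distinguishedName with the original location
    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name      = "distinguishedName"
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    # Both changes must go in one modify request, with the show-deleted control attached
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest($tombstoneDn)
    $mod.Modifications.Add($delIsDeleted) | Out-Null
    $mod.Modifications.Add($setDn)        | Out-Null
    $mod.Controls.Add($showDeleted)       | Out-Null
    $conn.SendRequest($mod) | Out-Null    # throws DirectoryOperationException on failure

    # Read back the restored object to show the caveats from the walkthrough
    $check = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $newDn, "(objectClass=*)",
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        @("userAccountControl", "memberOf"))
    $e = $conn.SendRequest($check).Entries[0]

    $uac = 0
    if ($e.Attributes.Contains("userAccountControl")) { $uac = [int]$e.Attributes["userAccountControl"][0] }
    $groups = @()
    if ($e.Attributes.Contains("memberOf")) { $groups = @($e.Attributes["memberOf"].GetValues([string])) }

    [pscustomobject]@{
        RestoredDn = $newDn
        Disabled   = (($uac -band 0x2) -ne 0)   # ACCOUNTDISABLE bit; expected TRUE for a user
        MemberOf   = $groups                     # expected empty: membership is not reanimated
    }
}

# Usage for the scenario in the post:
#   Restore-TombstonedObject -Name "User2"
#   Restore-TombstonedObject -Name "OU2" -ObjectClass organizationalUnit
```

The same function covers the OU case that follows, because an OU tombstone is reanimated with exactly the same two modifications; only the RDN attribute changes from CN to OU. Note that the returned MemberOf is empty and Disabled is TRUE for a user, which is the behaviour described above; nothing in this script re-enables the account or re-adds it to Group2.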
Now lets delete an OU and restore the OU using LDP
Notice that restoring the OU does not restore the contents of that OU (Users/Groups). Those have to be restored individually