If you accidentally deleted an Active Directory user, you can easily restore it. When you delete an object from Active Directory, it is not removed immediately. First, the object's isDeleted attribute is set to true, then the object is moved to a special container, Deleted Objects.
Objects in the Deleted Objects container do not appear in the Active Directory Users and Computers snap-in and are not available to most service tools. Deleted objects are permanently removed from AD after 180 days (the period is set by the tombstoneLifetime attribute, TSL) by the automatic AD garbage collection process.
In this article, we will take a look at several scenarios for restoring a deleted user object in Active Directory. Let’s run the Active Directory Users & Computers snap-in and delete the user Jon Brion.
How to Restore Deleted Users in Active Directory Using PowerShell?
To find the removed user account properties, you can use the following PowerShell command:
Get-ADObject -Filter 'SAMAccountName -eq "jbrion"' -IncludeDeletedObjects

Deleted           : True
DistinguishedName : CN=Jon Brion\0ADEL:3c206e08-a114-429b-b122-cad9d10b37e7,CN=Deleted Objects,DC=theitbros,DC=com
Name              : Jon Brion
                    DEL:3c206e08-a114-429b-b122-cad9d10b37e7
ObjectClass       : user
ObjectGUID        : 3c206e08-a114-429b-b122-cad9d10b37e7
As you can see from the DistinguishedName, the user account has been moved to the Deleted Objects container (the \0A in the name is the escaped newline that AD inserts between the original name and the DEL:GUID suffix, which is why the Name value is printed on two lines).
If you don’t know the exact username for restore, you can list all deleted user accounts in the domain with the command:
Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects | Format-Table
Using the parameters returned by the previous command, you can restore the user object. We prefer to use ObjectGUID. To restore an object, use the command:
Restore-ADObject -Identity '3c206e08-a114-429b-b122-cad9d10b37e7'
Or you can restore the user object with a PowerShell one-liner:
Get-ADObject -Filter 'SAMAccountName -eq "jbrion"' -IncludeDeletedObjects | Restore-ADObject
In this case, the user account is restored to the same AD OU.
Note. Take a look at how to import/export Active Directory users with CSVDE.
If you feel uncomfortable in the PowerShell CLI, you can restore the user from the Active Directory Administrative Center graphical snap-in (dsac.exe). Choose your domain > Deleted Objects container. This container contains all of the deleted AD objects.
In order to restore the user in Active Directory, click on the account and select the Restore menu item.
Active Directory Recycle Bin
The methods above restore the deleted user only if the AD Recycle Bin feature is enabled in your Active Directory forest. To check whether the feature is enabled, run the following command:
Get-ADOptionalFeature "Recycle Bin Feature" | Select-Object Name, EnabledScopes
If the EnabledScopes value is empty, then the AD Recycle Bin is disabled in your forest. When the AD Recycle Bin is disabled, the Restore-ADObject cmdlet returns an error:
Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted
To enable the AD Recycle Bin feature (requires at least the Windows Server 2008 R2 forest functional level, Windows2008R2Forest), run the following command with Enterprise Admins permissions:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target theitbros.com
Hint. When you enable the AD Recycle Bin, the Deleted Objects container is cleared. You cannot use Restore-ADObject to restore objects that were deleted before the AD Recycle Bin was enabled.
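The following script, added here as an example and not part of the original article, ties the steps above together: it checks the Recycle Bin state, looks up the tombstone by sAMAccountName, makes sure the original OU in lastKnownParent still exists, and restores by ObjectGUID. It assumes the RSAT ActiveDirectory module and the sample user jbrion from the article.

```powershell
# Added example (not from the article): restore a deleted AD user safely.
Import-Module ActiveDirectory

function Restore-DeletedAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Restore-ADObject only brings back a complete object when the
    # Recycle Bin feature has an EnabledScopes value in this forest.
    $rb = Get-ADOptionalFeature 'Recycle Bin Feature'
    if (-not $rb.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled in this forest; use AdRestore or LDP instead.'
    }

    # Search the Deleted Objects container. isDeleted is the LDAP attribute
    # that Get-ADObject exposes as the Deleted property.
    $deleted = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)

    if ($deleted.Count -eq 0) { throw "No deleted object named $SamAccountName was found." }
    if ($deleted.Count -gt 1) {
        # Several tombstones share the name: show them so the admin can pick a GUID.
        $deleted | Select-Object Name, ObjectGUID, whenChanged, lastKnownParent | Format-Table -AutoSize
        throw 'More than one deleted object matches; restore by ObjectGUID instead.'
    }
    $obj = $deleted[0]

    # If the original OU was deleted as well, lastKnownParent points at a
    # tombstone and the restore fails, so verify the parent is still live.
    $parentDn = $obj.lastKnownParent
    $parent = Get-ADObject -Filter { distinguishedName -eq $parentDn }
    if (-not $parent) {
        throw "Original container $parentDn no longer exists; restore it first or pass -TargetPath."
    }

    # Restore by ObjectGUID (stable, unlike the mangled name) into lastKnownParent.
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $parentDn

    # Verify that the live object is back; a restored account is disabled until re-enabled.
    Get-ADUser -Identity $obj.ObjectGUID | Select-Object Name, DistinguishedName, Enabled
}

Restore-DeletedAdUser -SamAccountName 'jbrion'
```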
If the AD Recycle Bin is disabled, you can use the free AdRestore tool from Sysinternals to restore objects in Active Directory. Download the AdRestore archive and extract it to your local drive.
To restore a deleted user account, simply specify its GUID as an argument:
adrestore -r 45ac5afa-ddb5-4382-85d4-5c1ce6716f11
Confirm restoration of the object. A “Restore succeeded” message should appear.
Restoring Deleted AD Users with LDP Tool
If the AD Recycle Bin is not enabled in your domain, you can recover a deleted user object using the LDP.exe tool. LDP is a built-in Windows Server tool that can be used to manage the Active Directory database.
Run the Ldp.exe utility as a domain or enterprise administrator (only members of these groups can view and restore objects in the Deleted Objects container).
- Select Connect in the Connection menu and specify the name of the domain controller to which you want to connect and LDAP port number 389 (when running ldp.exe locally on a DC, you can specify localhost here);
- Next, you need to enable the option to show hidden objects. Select Options > Control. Select Return Deleted Objects in the Load Predefined list and click Check in. This will add the object id 1.2.840.113556.1.4.417 to the list of active control items;
- If the following error appears in the LDP console:
Server error: 000004DC: LdapErr: DSID-0C090A22, comment: In order to perform this operation a successful bind must be completed on the connection
select Bind from the Connection menu and check the option Bind type: Bind as currently logged on user;
- Then open the View menu and select Tree View;
- Specify DC=theitbros,DC=com in the BaseDN field;
- Expand the domain root and select the Deleted Objects container. It should contain a list of deleted objects;
- Right-click on the user you want to restore and select Modify;
- To restore the AD object, you need to remove the deletion flag. Type isDeleted in the Edit Entry Attribute field, select Delete in the Operation field, and press Enter;
- Then you need to move the user to the original container. It is specified in the lastKnownParent attribute;
- Enter the distinguishedName attribute name in the input field. In the Values field, enter CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com (the user’s original DN). Select Replace as the operation and press Enter again;
- Check the items Synchronous and Extended, then click Run and Close.
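The same tombstone reanimation that the LDP steps perform can be issued as a single LDAP modify from PowerShell with the System.DirectoryServices.Protocols classes. This is an added example, not part of the article; the DC name dc01.theitbros.com is assumed, and the two DNs are the ones shown in the article.

```powershell
# Added example (not from the article): reanimate a tombstone over LDAP,
# exactly what the LDP Modify dialog does with the Return Deleted Objects control.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

function Restore-TombstoneByLdap {
    param(
        [Parameter(Mandatory)][string]$Server,     # DC host name, LDAP port 389
        [Parameter(Mandatory)][string]$DeletedDn,  # DN inside CN=Deleted Objects
        [Parameter(Mandatory)][string]$NewDn       # original DN: RDN + lastKnownParent
    )
    $conn = New-Object "$ns.LdapConnection" -ArgumentList "$($Server):389"
    $conn.SessionOptions.Signing = $true   # sign and seal so the modify is not sent in the clear
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                            # "Bind as currently logged on user"

    # Step 1 of the LDP procedure: delete the isDeleted attribute.
    $delFlag = New-Object "$ns.DirectoryAttributeModification"
    $delFlag.Name = 'isDeleted'
    $delFlag.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Step 2: replace distinguishedName with the original DN (moves it out of Deleted Objects).
    $setDn = New-Object "$ns.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($NewDn)

    # Both changes must travel in one modify request, or the DC rejects the operation.
    $req = New-Object "$ns.ModifyRequest"
    $req.DistinguishedName = $DeletedDn
    [void]$req.Modifications.Add($delFlag)
    [void]$req.Modifications.Add($setDn)
    # Same control LDP activates as 1.2.840.113556.1.4.417 (Return Deleted Objects).
    [void]$req.Controls.Add((New-Object "$ns.ShowDeletedControl"))

    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    return $resp.ResultCode   # Success when the tombstone was reanimated
}

Restore-TombstoneByLdap -Server 'dc01.theitbros.com' `
    -DeletedDn 'CN=Jon Brion\0ADEL:3c206e08-a114-429b-b122-cad9d10b37e7,CN=Deleted Objects,DC=theitbros,DC=com' `
    -NewDn 'CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com'
```

Without the Recycle Bin, a reanimated tombstone comes back disabled and keeps only the attributes preserved on the tombstone (such as objectSid and sAMAccountName), so the password, group memberships and most other attributes have to be set again.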
The user account will be restored to the original OU. Open the Active Directory Users and Computers console and check this.
2 comments
Hi Cyril,
Just to let you know that this article is very well done and saved me a lot of time and effort.
Thank you,
Célio
You are welcome, Célio!