If you accidentally deleted an Active Directory user, don't panic. It is not gone yet. When you delete an object from Active Directory, it is not removed from the database immediately, so recovery is still possible for a limited time.
What Happens to Deleted AD Objects?
First, the object's isDeleted attribute is set to TRUE and the object is moved to a special container, Deleted Objects, in the same naming context. Its relative distinguished name is rewritten at the same time: the original RDN gets "\0ADEL:" plus the object's GUID appended, which is why a deleted user shows up as CN=John Doe\0ADEL:<guid> rather than CN=John Doe. If the AD Recycle Bin is not enabled, the object becomes a tombstone and most of its attributes are stripped; only a handful (sAMAccountName, objectSid, objectGUID, lastKnownParent and a few others) survive. With the Recycle Bin enabled, all attributes, including group memberships, are preserved.
The Deleted Objects container is hidden from the Active Directory Users and Computers snap-in and from most other administrative tools. You only see it through tools that send the LDAP "show deleted objects" control, such as LDP, ADRestore, Get-ADObject -IncludeDeletedObjects and the Active Directory Administrative Center.
Deleted objects are permanently removed by the garbage collection process once they are older than the tombstone lifetime (TSL), which is stored in the tombstoneLifetime attribute of the Directory Service object in the Configuration partition. The default is 180 days for forests created on Windows Server 2003 SP1 or later. If the attribute has no value at all, which is common in forests upgraded from older versions, the effective TSL is 60 days. When the AD Recycle Bin is enabled, a second value, msDS-DeletedObjectLifetime, controls how long an object stays restorable; if it is not set, it follows the TSL.
If you’re curious to know your TSL value, run any of the commands below. Replace “dc=theitbros,dc=com” with your domain.
Get-ADObject -Identity "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=theitbros,dc=com" -Properties tombstonelifetime
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=theitbros,dc=com" -scope base -attr tombstonelifetime
The number that comes back is your window for restoring deleted Active Directory users: 180 days in a default modern forest, or 60 days if the attribute is empty. But how do you restore them? Don't worry, we've got you covered.
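The following script is an added example and is not part of the original post. It reports the effective tombstone lifetime and deleted-object lifetime, applying the 60-day fallback the directory uses when tombstoneLifetime is empty, and then lists every deleted user with the approximate number of days left before garbage collection removes it. It assumes the ActiveDirectory PowerShell module is installed and that you run it as a user who can read the Configuration partition and the Deleted Objects container.

```powershell
# Added example, not from the original post: effective deletion lifetimes plus
# a per-object countdown for deleted users. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADDeletionLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # An empty tombstoneLifetime means the directory falls back to the old default of 60 days.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

    # With the Recycle Bin on, msDS-DeletedObjectLifetime governs how long an object
    # stays restorable; when it is unset it inherits the tombstone lifetime.
    $dol = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        RecycleBinEnabled         = [bool]$rb.EnabledScopes
    }
}

function Get-ADDeletedUserExpiry {
    param([int] $LifetimeDays = (Get-ADDeletionLifetime).DeletedObjectLifetimeDays)

    # whenChanged is updated at deletion time, so it approximates the deletion timestamp.
    # The objectClass filter keeps the Deleted Objects container itself out of the list.
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
                 -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged |
        ForEach-Object {
            $expires = $_.whenChanged.AddDays($LifetimeDays)
            [pscustomobject]@{
                SamAccountName  = $_.sAMAccountName
                LastKnownParent = $_.lastKnownParent
                DeletedOn       = $_.whenChanged
                DaysLeft        = [math]::Floor(($expires - (Get-Date)).TotalDays)
                ObjectGUID      = $_.ObjectGUID
            }
        } | Sort-Object DaysLeft
}

Get-ADDeletionLifetime
Get-ADDeletedUserExpiry | Format-Table -AutoSize
```

Objects whose DaysLeft is close to zero are the ones to restore first; once garbage collection has removed a tombstone, only a backup can bring it back.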
A user restored from a tombstone (the LDP and ADRestore methods, or Restore-ADObject in a forest without the Recycle Bin) comes back disabled and with no password, because the tombstone kept only a handful of attributes. You must enable the account and reset the password before the user can log in. A Recycle Bin restore brings the object back in the state it had at deletion, so check the account state after the restore rather than assuming it.
How to Restore Deleted Active Directory User from the Recycle Bin
The Active Directory Recycle Bin is a feature of Active Directory Domain Services (AD DS) introduced in Windows Server 2008 R2. It lets you recover deleted objects (user accounts, groups, computer accounts and so on) with their attributes intact, including group memberships, which tombstone reanimation cannot do.
Note that enabling the Recycle Bin requires the forest functional level to be Windows Server 2008 R2 or later, and once enabled it cannot be disabled.
Before going further, as always, be cautious when restoring objects from the Recycle Bin, as restoring a deleted object may reintroduce conflicting attributes, especially if a newer object with the same name was created after the deletion.
Checking the AD Recycle Bin Status
The AD Recycle Bin is not enabled by default. So before you try to restore deleted Active Directory users using this method, you must check if it is already enabled in your environment.
To do so, open PowerShell on your server and run the following command.
Get-ADOptionalFeature "Recycle Bin Feature" | select-object name, EnabledScopes
If the EnabledScopes property is empty, the Recycle Bin is not enabled, and you cannot use it to restore deleted Active Directory users.
Note. Enabling the AD Recycle Bin turns every object already sitting in the Deleted Objects container into a recycled object, which can no longer be restored by any method. So if you still need to restore objects that were deleted before the feature was enabled, do not enable the AD Recycle Bin yet. Instead, use the LDP.EXE or ADRESTORE.EXE tools first, which are discussed in the later sections of this post.
If, on the other hand, EnabledScopes is not empty (it lists the Partitions container of the Configuration partition and the NTDS Settings object), the Recycle Bin is enabled and you can use the next two methods.
Restore Deleted Active Directory User from Active Directory Administrative Center
Once you confirm the AD Recycle Bin is enabled, here’s how to restore deleted Active Directory users using the Active Directory Admin Center (GUI).
- Open the Active Directory Administrative Center.
dsac.exe
- Navigate to Domain → Deleted Objects.
- Select the deleted AD object from the list and click Restore.
To restore deleted Active Directory users to a different OU, click “Restore To…” instead.
- The deleted AD user has been restored to its original OU. Check that the account is enabled and reset the password if the user can no longer log in.
Restore Deleted Active Directory User from PowerShell
If you’re more of a PowerShell junkie, you’d be glad to know you can restore deleted Active Directory users using the Restore-ADObject cmdlet.
The basic syntax to restore deleted Active Directory Users is:
Restore-ADObject -Identity {AD Object Identity}
The above command will restore deleted Active Directory objects to their original path. But this command requires you to know the identity beforehand.
If you don't know the AD object's identity, you must find it first. For example, if you know the sAMAccountName, you can run the command below to find it.
Get-ADObject -Filter 'samaccountname -eq "jdoe"' -IncludeDeletedObjects
Once you find the exact AD user to restore, copy its DistinguishedName or ObjectGUID value and run this command. If the list also contains a live object with the same sAMAccountName, pick the entry whose Deleted property is True; its DistinguishedName ends in CN=Deleted Objects. Replace the DistinguishedName or ObjectGUID appropriately.
Restore-ADObject -Identity {DistinguishedName or ObjectGUID}
Or you can pipe the result of Get-ADObject to Restore-ADObject in a single command.
Get-ADObject -Filter 'samaccountname -eq "jdoe"' -IncludeDeletedObjects | Restore-ADObject
No output means no errors (add -PassThru if you want Restore-ADObject to return the restored object). After you restore deleted Active Directory users, confirm that the account is back by running:
Get-ADUser -Identity {AD Object Identity}
And that’s it! The deleted AD user has been restored. Don’t forget to reset the password and enable the account.
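The following function is an added example and is not part of the original post. It wraps the Restore-ADObject procedure above with the checks a practitioner wants before touching the directory: exactly one deleted match, no live account already using the sAMAccountName (which would make the restore fail), and a parent container that still exists (Restore-ADObject fails if the original OU was deleted too; restore the OU first or pass -TargetPath). It then enables the account and resets the password when a new password is supplied. It assumes the ActiveDirectory module; the account name jdoe is a placeholder.

```powershell
# Added example, not from the original post: guarded restore of a deleted user
# by sAMAccountName, followed by the enable/reset step the post describes.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string] $Value)
    # RFC 4515 escaping so a crafted name cannot change the meaning of the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Restore-DeletedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $TargetPath,            # optional OU DN to restore into instead of lastKnownParent
        [securestring] $NewPassword      # if given, the account is reset and enabled afterwards
    )
    $sam = ConvertTo-LdapFilterValue $SamAccountName

    # Only deleted user objects; without isDeleted=TRUE a live account with the same name would match too.
    $deleted = @(Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE)(sAMAccountName=$sam))" `
                              -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
    if ($deleted.Count -eq 0) { throw "No deleted user with sAMAccountName '$SamAccountName' found." }
    if ($deleted.Count -gt 1) {
        $deleted | Select-Object Name, whenChanged, ObjectGUID | Out-String | Write-Warning
        throw "More than one deleted object matches; restore by ObjectGUID instead."
    }
    $obj = $deleted[0]

    # A newer live account with the same sAMAccountName makes the restore fail with a conflict.
    $live = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)"
    if ($live) { throw "Live account $($live.DistinguishedName) already uses this name; rename or remove it first." }

    # Restore-ADObject also fails when the original parent is gone. Restore it first or pass -TargetPath.
    $parent = if ($TargetPath) { $TargetPath } else { $obj.lastKnownParent }
    try { $null = Get-ADObject -Identity $parent -ErrorAction Stop }
    catch { throw "Target container '$parent' does not exist; restore it first or pass -TargetPath." }

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $parent")) {
        $restored = if ($TargetPath) {
            Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetPath -PassThru
        } else {
            Restore-ADObject -Identity $obj.ObjectGUID -PassThru
        }
        if ($NewPassword) {
            # Tombstone restores come back disabled with no password; Recycle Bin restores may not.
            Set-ADAccountPassword -Identity $restored.ObjectGUID -Reset -NewPassword $NewPassword
            Enable-ADAccount -Identity $restored.ObjectGUID
        }
        Get-ADUser -Identity $restored.ObjectGUID -Properties Enabled, PasswordLastSet, MemberOf |
            Select-Object SamAccountName, DistinguishedName, Enabled, PasswordLastSet,
                          @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }
    }
}

# Dry run first, then the real thing with a temporary password:
# Restore-DeletedADUser -SamAccountName jdoe -WhatIf
# Restore-DeletedADUser -SamAccountName jdoe -NewPassword (Read-Host -AsSecureString 'Temporary password')
```

The GroupCount column in the output is a quick way to tell the two restore paths apart: after a Recycle Bin restore the user's memberships are back, after a tombstone reanimation they are not and must be re-added by hand.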
How to Restore Deleted Active Directory User using LDP.EXE
One way to restore deleted Active Directory users, especially if the Recycle Bin is not enabled, is through the LDP.EXE tool. This tool is built into Active Directory servers or installed with the Remote Server Administration Tools (RSAT) on client computers.
In this example, the user John Doe was deleted and will be restored using LDP.
- Open the LDP tool by running this command:
ldp.exe
- Click Connection → Connect. Enter the server name and click OK.
- Click Connection → Bind or press CTRL+B.
- If you're logged in as a member of Domain Admins or Enterprise Admins, select the "Bind as currently logged on user" option. Otherwise, select "Bind with credentials" and enter an account that holds the "Reanimate tombstones" control access right on the domain naming context (Domain Admins have it by default).
- If the binding is successful, you’ll see the following result in the console pane.
- Click Options → Controls. Under Load Predefined, choose "Return deleted objects", make sure the control is checked in, and click OK. Without this control the Deleted Objects container shows no children.
- Click View → Tree or press CTRL+T.
- Select your domain’s base DN from the dropdown list and click OK.
- Navigate to "DC=DOMAIN,DC=TLD" → "CN=Deleted Objects" and double-click the deleted user, whose name now ends in "\0ADEL:" followed by its GUID. You will see the object's details in the output pane. As you can see, the isDeleted value is TRUE.
- To restore the deleted AD user, right-click the object and click Modify or press CTRL+M.
- Next, let’s add the entry to delete the value of the “isDeleted” attribute. Type isDeleted in the “Edit Entry Attribute” box, select the “Delete” operation and click Enter. The “[Delete]isDeleted:” operation has been added to the list.
- Add a second entry that puts the object's distinguishedName back to what it was before deletion. The original value is the object's RDN (its current DN up to, but not including, the "\0ADEL:" suffix, here "CN=John Doe") followed by a comma and the value of its lastKnownParent attribute.
So the restored DN should be: CN=John Doe,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com
Once you've determined the original distinguishedName value, type "distinguishedName" in the "Edit Entry Attribute" box, put the original DN in the Values box, select the "Replace" operation and click Enter. Select the "Extended" check box so that LDP sends the show-deleted-objects control along with the modify, then click Run.
The output should show no errors if the operation went well.
- Open the Active Directory Users and Computers, locate the restored AD user, and you’ll see it in the original container. Enable the account and reset the password so that the user can log in.
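The script below is an added example and is not part of the original post. It performs the same tombstone reanimation the LDP steps describe, a single LDAP modify that deletes isDeleted and replaces distinguishedName, sent with the show-deleted-objects control, but over System.DirectoryServices.Protocols so it can be scripted and reviewed. It does not need the ActiveDirectory module or the Recycle Bin. The server name dc01.theitbros.com and the account jdoe are assumptions.

```powershell
# Added example, not from the original post: scripted equivalent of the LDP
# reanimation (delete isDeleted, replace distinguishedName) over LDAP.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-OriginalDistinguishedName {
    param([string] $TombstoneDn, [string] $LastKnownParent)
    # A tombstone's RDN is the original RDN with "\0ADEL:<guid>" appended; cut
    # there to recover "CN=John Doe" and re-attach the last known parent.
    $idx = $TombstoneDn.IndexOf('\0ADEL:')
    if ($idx -lt 0) { throw "'$TombstoneDn' is not a tombstone DN." }
    '{0},{1}' -f $TombstoneDn.Substring(0, $idx), $LastKnownParent
}

function Restore-ADTombstone {
    param(
        [Parameter(Mandatory)] [string] $Server,          # assumed: dc01.theitbros.com
        [Parameter(Mandatory)] [string] $SamAccountName,  # assumed: jdoe
        [string] $TargetParent                            # optional: restore under another OU
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true   # integrity and confidentiality for the
    $conn.SessionOptions.Sealing = $true   # Negotiate (Kerberos/NTLM) session
    $conn.Bind()                           # current user; needs "Reanimate tombstones"

    # Tombstones are only returned, and only modifiable, when the request carries
    # the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417).
    $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

    $rootDse = $conn.SendRequest((New-Object System.DirectoryServices.Protocols.SearchRequest(
        '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('defaultNamingContext'))))
    $baseDn = [string]$rootDse.Entries[0].Attributes['defaultNamingContext'][0]

    # RFC 4515 escaping of the filter value (backslash first).
    $sam = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $baseDn, "(&(objectClass=user)(isDeleted=TRUE)(sAMAccountName=$sam))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('lastKnownParent'))
    $null = $search.Controls.Add($showDeleted)
    $entries = $conn.SendRequest($search).Entries
    if ($entries.Count -ne 1) { throw "Expected one tombstone for '$SamAccountName', found $($entries.Count)." }

    $tombstoneDn = $entries[0].DistinguishedName
    $parent = if ($TargetParent) { $TargetParent } else { [string]$entries[0].Attributes['lastKnownParent'][0] }
    $newDn  = Get-OriginalDistinguishedName -TombstoneDn $tombstoneDn -LastKnownParent $parent

    # The same two modifications LDP sends, in one atomic modify request.
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $replaceDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $replaceDn.Name      = 'distinguishedName'
    $replaceDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $null = $replaceDn.Add($newDn)

    $modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $modify.DistinguishedName = $tombstoneDn
    $null = $modify.Modifications.Add($delIsDeleted)
    $null = $modify.Modifications.Add($replaceDn)
    $null = $modify.Controls.Add($showDeleted)   # what LDP's "Extended" check box adds

    # SendRequest throws DirectoryOperationException on any non-success result code.
    $null = $conn.SendRequest($modify)
    $newDn
}

# Restore-ADTombstone -Server dc01.theitbros.com -SamAccountName jdoe
```

As with the LDP procedure, the reanimated account is disabled and has no password, so follow up with Enable-ADAccount and Set-ADAccountPassword -Reset, and re-add group memberships by hand.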
How to Restore Deleted Active Directory User using ADRESTORE.EXE
ADRESTORE is a Sysinternals tool designed to search and restore “tombstoned” Active Directory objects through the command line. Unlike the previous method using LDP.EXE, ADRESTORE is purely a command line tool.
- Download the ADRESTORE tool and extract it to a local folder. In this example, I extracted the tool to C:\tools\ADRestore.
- Open CMD or PowerShell and change the working directory to where you extracted the tool.
- Next, run the following command to search the Deleted Objects container. This example command searches for deleted objects matching the name John Doe.
.\adrestore.exe "John Doe"
As you can see below, the command found one matching object, showing its details.
- Copy the GUID from the previous step and run the below command to restore the deleted Active Directory user.
.\adrestore.exe -r {GUID}
Press y and Enter to confirm the restoration.
- Lastly, confirm the existence of the restored AD user by running the Get-ADUser cmdlet as follows.
Get-ADUser -Identity {AD User}
Verify the user is on the correct AD OU. Again, the restored AD user object is disabled. You must enable it and reset the password before it can be used again.
Conclusion
The accidental deletion of Active Directory users is distressing for any organization, but as this post shows there are several effective ways to restore deleted users: the Recycle Bin (GUI or Restore-ADObject) when it was enabled before the deletion, and tombstone reanimation with LDP.EXE or ADRESTORE.EXE when it was not.
Recovering deleted Active Directory users is feasible with the proper knowledge, preparation and tools, as long as you act before the tombstone or deleted-object lifetime expires.
Prevention is still better than cure: enable the AD Recycle Bin before you need it, tick "Protect object from accidental deletion" on important accounts and OUs, and keep regular system state backups of your domain controllers so that an authoritative restore remains possible after the lifetime has run out.
2 comments
Hi Cyril,
Just to let you know that this article is very well done and saved me a lot of time and effort.
Thank you,
Célio
You are welcome, Célio!