
Active Directory Recycle Bin | How to Solve the Biggest Problems With Restore-ADobject

Restore-ADObject is a PowerShell cmdlet that restores deleted AD objects from the Active Directory Recycle Bin in Windows Server 2008 R2 and Windows Server 2012 R2.

In earlier versions of Windows Server we had to perform a non-authoritative or an authoritative restore of Active Directory, depending on the issue.

One day, one of my colleagues accidentally deleted an Organizational Unit that had 5 sub-OUs and many Active Directory objects such as users, computers and groups.

Our helpdesk received a lot of calls about this and it was a big issue for the organization. Users could not work as expected and could not complete their assignments.

After initial troubleshooting we found that we had lost one parent OU and 5 sub-OUs with 300+ user and computer accounts.

As the issue involved the deletion of a whole OU tree, we had to find a proper way to restore these objects.

In this case we first have to restore the parent OU, then its sub-OUs, and then their direct children.

In this article I am not going to show you how to restore 300+ user accounts one by one; instead I show a better way: how to restore AD objects with PowerShell in Windows Server 2008 R2, and with the GUI of the Active Directory Recycle Bin in Windows Server 2012.

The process is described below.

Restore-ADObject : Active Directory Recycle Bin Requirements

The Active Directory Recycle Bin was introduced in Windows Server 2008 R2 and requires the forest functional level to be Windows Server 2008 R2. All domain controllers must run Windows Server 2008 R2. So, if you are planning to enable this feature, first upgrade all your domain controllers and then raise the forest functional level to Windows Server 2008 R2.

Also, if you are upgrading from a Windows Server 2003 forest to a 2008 R2 forest, you have to extend the schema and prepare Active Directory first.

Note: before raising the forest functional level to Windows Server 2008 R2, check that the applications used in your environment support it.

Below are the adprep commands that prepare the forest and domain before the functional levels are raised.

    • Run adprep /forestprep to prepare the forest.
    • Run adprep /domainprep /gpprep to prepare the domain.
    • Run adprep /rodcprep to prepare the domain if you have a Read-Only Domain Controller in your organization.

We can recover deleted objects that are still within the Active Directory tombstone lifetime, i.e. 180 days for Windows Server 2003 SP1 and above.
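Because the lifetime decides what is still recoverable, the first thing worth checking is how much time the deleted objects have left. The script below is an added example (not from the original article or from Microsoft): it reads the forest's tombstoneLifetime and msDS-DeletedObjectLifetime values and lists deleted objects that are close to ageing out. It assumes the ActiveDirectory module is installed, and it uses whenChanged as an approximation of the deletion time (deletion is normally the last write a deleted object receives); the 180-day fallback is an assumption taken from the text above for forests where no explicit value is set.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DeletedObjectExpiry {
    param(
        # Only report objects that will age out within this many days.
        [int]$WarnWithinDays = 30
    )

    $rootDse  = Get-ADRootDSE
    $dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $cfg = Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Both attributes are optional. msDS-DeletedObjectLifetime falls back to
    # tombstoneLifetime; if neither is set the forest default applies. The 180-day
    # figure used here as a fallback is the value quoted in the article (assumption).
    $tombstoneDays = $cfg.tombstoneLifetime
    $deletedDays   = if ($cfg.'msDS-DeletedObjectLifetime') { $cfg.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }
    if (-not $deletedDays) {
        Write-Warning 'No explicit lifetime set in the forest; assuming the 180-day default.'
        $deletedDays = 180
    }

    $base = "CN=Deleted Objects,$($rootDse.defaultNamingContext)"
    Get-ADObject -SearchBase $base -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
                 -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
        Where-Object { $_.lastKnownParent } |          # skips the Deleted Objects container itself
        ForEach-Object {
            # whenChanged approximates the deletion time (last write to the object).
            $age = (Get-Date) - $_.whenChanged
            [pscustomobject]@{
                Name            = $_.'msDS-LastKnownRDN'
                ObjectClass     = $_.ObjectClass
                LastKnownParent = $_.lastKnownParent
                DeletedDaysAgo  = [int]$age.TotalDays
                DaysLeft        = $deletedDays - [int]$age.TotalDays
            }
        } |
        Where-Object { $_.DaysLeft -le $WarnWithinDays } |
        Sort-Object DaysLeft
}

# Objects with 30 days or less before they can no longer be restored:
Get-DeletedObjectExpiry -WarnWithinDays 30 | Format-Table -AutoSize
```

Run it before any large restore: an object whose DaysLeft has reached zero is recycled and cannot be brought back with Restore-ADObject.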

Set-ADForestMode to Raise Forest Functional Level to Windows Server 2008 R2

Syntax:

Set-ADForestMode [-Identity] <ADForest> [-ForestMode] <ADForestMode>

Example:

Set-ADForestMode -Identity windowsitexp.com -ForestMode Windows2008R2Forest

Where windowsitexp.com is the name of your forest root domain.

Enable-ADOptionalFeature : Powershell to enable AD Recycle Bin

We have to use the Active Directory Module for Windows PowerShell to enable the Active Directory Recycle Bin. The second option is to open a plain Windows PowerShell session and import the Active Directory module:

Import-Module ActiveDirectory

Syntax:

Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>

Example:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=windowsitexp,DC=com' -Scope ForestOrConfigurationSet -Target 'windowsitexp.com'

OR

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'windowsitexp.com'
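Enabling the Recycle Bin cannot be undone, so it is worth wrapping the two steps above (check the forest mode, then enable) in a script that refuses to proceed when the prerequisites are not met and does nothing when the feature is already on. The function below is an added example, not the article's own command or anything from Microsoft; it assumes the ActiveDirectory module and reads the forest name from Get-ADForest when none is given.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Enable-RecycleBinSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Forest root domain name, e.g. windowsitexp.com in the article; defaults to the current forest.
        [string]$ForestName = (Get-ADForest).Name
    )

    $forest = Get-ADForest -Identity $ForestName

    # ADForestMode is an enum whose values increase with the OS version, so a numeric
    # comparison against Windows2008R2Forest is the prerequisite check from the text.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level is $($forest.ForestMode); $minimum or higher is required."
    }

    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
        return $feature
    }

    # ShouldProcess gives the caller -WhatIf / -Confirm for this one-way change.
    if ($PSCmdlet.ShouldProcess($ForestName, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestName -Confirm:$false
        return Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    }
}

# Dry run first; remove -WhatIf to enable for real.
Enable-RecycleBinSafely -WhatIf
```

After a real run the returned object's EnabledScopes should list the configuration partition of the forest; if it is empty, replication has not completed yet or the change failed.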

We can also enable the AD Recycle Bin with ldp.exe; that procedure is covered in a separate guide.

Restore deleted object from Active directory Recycle Bin in Windows Server 2008 R2

The Restore-ADObject PowerShell cmdlet makes our life easier when it comes to restoring deleted objects from the Deleted Objects container.

Now we have to restore the deleted Organizational Unit, the deleted AD users, and the deleted computer accounts and groups.

As Windows Server 2008 R2 has no GUI for the Active Directory Recycle Bin, we have to use Get-ADObject and Restore-ADObject to recover deleted AD accounts from it with PowerShell.

After an object is deleted, Active Directory sets two attributes on it: isDeleted and lastKnownParent.


isDeleted is a Boolean value set to True or False. When we restore the object, the restore process uses the lastKnownParent attribute to put it back in its original Organizational Unit.

The example below shows the isDeleted and lastKnownParent attributes of a deleted object.

In this example you can see that after the Active Directory object is deleted its isDeleted attribute is set to True, and after it is restored the attribute is set to False or <not set>.

The Deleted property of the object shows blank when we check it with the PowerShell command:

Get-ADObject -Filter {displayName -eq "Test001"} -IncludeDeletedObjects


Restore-ADObject to recover a deleted AD account

Now we restore a deleted object that is still within its tombstone (deleted object) lifetime.

Get-ADObject -Filter {displayName -eq "Test005"} -IncludeDeletedObjects | Restore-ADObject


In the above example we restored the "Test005" account from the Active Directory Recycle Bin with PowerShell. The highlighted "Deleted" property is True before the restoration and blank after the object is restored.

So we are done with restoring a single deleted object from the AD Recycle Bin. Now it's time to move on and restore multiple objects.

How to restore multiple deleted Active Directory Objects

As mentioned at the beginning, this article is about restoring multiple objects: users, computers, groups and organizational units.

We have to restore the parent OU first and then its child OUs.

Let's test whether we can restore a child object without restoring the parent OU first.

It gives the error "Restore-ADObject : The operation could not be performed because the object's parent is either uninstantiated or deleted".


Below is the output of the command:


PS C:\Users\Administrator> Get-ADObject -Filter {displayName -eq "Test005"} -IncludeDeletedObjects | Restore-ADObject
Restore-ADObject : The operation could not be performed because the object's parent is either uninstantiated or deleted
At line:1 char:75
+ Get-ADObject -Filter {displayName -eq "Test005"} -IncludeDeletedObjects | Restor …
+ ~~~~~~
+ CategoryInfo : InvalidOperation: (CN=Test005\0ADE…=contoso,DC=com:ADObject) [Restore-ADObject], ADException
+ FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject


Let's consider that we only know the usernames that were deleted and not their organizational units. In this case we first have to find out the parent OU of the deleted objects.

PS C:\Users\Administrator> Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter:"(msDS-lastKnownRDN=Test001)" -IncludeDeletedObjects -Properties lastKnownParent

Deleted           : True
DistinguishedName : CN=Test001\0ADEL:816810c4-5a8b-425b-88eb-006e6dfd1d97,CN=Deleted Objects,DC=contoso,DC=com
LastKnownParent   : OU=Users\0ADEL:64b17bf6-323a-477f-aad9-6d3f68196dc9,CN=Deleted Objects,DC=contoso,DC=com
Name              : Test001
DEL:816810c4-5a8b-425b-88eb-006e6dfd1d97
ObjectClass       : user
ObjectGUID        : 816810c4-5a8b-425b-88eb-006e6dfd1d97

In the above example we are checking the lastKnownParent of the Test001 account. It is also in the mangled form (name followed by DEL:<GUID>, under the Deleted Objects container), which tells us that the parent OU was deleted as well.

"Test001" was in the "Users" OU, so now we find out the lastKnownParent of that OU.


PS C:\Users\Administrator> Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter:"(msDS-lastKnownRDN=Users)" -IncludeDeletedObjects -Properties lastKnownParent

Deleted           : True
DistinguishedName : OU=Users\0ADEL:64b17bf6-323a-477f-aad9-6d3f68196dc9,CN=Deleted Objects,DC=contoso,DC=com
LastKnownParent   : OU=Banglore\0ADEL:1f7db6f8-7ae7-4931-95d6-659892375ff9,CN=Deleted Objects,DC=contoso,DC=com
Name              : Users
DEL:64b17bf6-323a-477f-aad9-6d3f68196dc9
ObjectClass       : organizationalUnit
ObjectGUID        : 64b17bf6-323a-477f-aad9-6d3f68196dc9

Now we check the lastKnownParent of the Banglore OU. The command below returns "DC=contoso,DC=com" as its lastKnownParent, which means Banglore is the parent OU of all the deleted objects.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter:"(msDS-lastKnownRDN=Banglore)" -IncludeDeletedObjects -Properties lastKnownParent
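The three lookups above (Test001 to Users, Users to Banglore, Banglore to the domain root) are one loop: follow lastKnownParent until it points outside the Deleted Objects container. The function below is an added example (not from the original article) that automates that walk for any deleted object name; it assumes the ActiveDirectory module and the default naming context of the current domain. It returns the chain from the top-most deleted ancestor down to the object, which is exactly the order in which the objects have to be restored.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DeletedAncestry {
    param(
        # msDS-LastKnownRDN of the deleted object, e.g. 'Test001' in the article.
        [Parameter(Mandatory)][string]$Name
    )

    $base  = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"
    $props = 'lastKnownParent', 'msDS-LastKnownRDN'

    $start = @(Get-ADObject -SearchBase $base -LDAPFilter "(msDS-LastKnownRDN=$Name)" `
                            -IncludeDeletedObjects -Properties $props)
    if ($start.Count -ne 1) {
        throw "Expected exactly one deleted object named '$Name' under $base, found $($start.Count)."
    }

    $chain   = New-Object 'System.Collections.Generic.List[object]'
    $current = $start[0]

    while ($current) {
        $chain.Add([pscustomobject]@{
            Name            = $current.'msDS-LastKnownRDN'
            ObjectClass     = $current.ObjectClass
            ObjectGUID      = $current.ObjectGUID
            LastKnownParent = $current.lastKnownParent
        })

        $parentDn = $current.lastKnownParent
        # A parent that is still live has a DN outside the Deleted Objects container.
        if ($parentDn -notlike "*,$base") { break }

        # The mangled parent DN ends in DEL:<GUID>; look the parent up by that GUID
        # rather than by the escaped DN.
        if ($parentDn -notmatch 'DEL:([0-9a-fA-F-]{36})') { throw "Cannot parse parent DN: $parentDn" }
        $current = Get-ADObject -Identity $Matches[1] -IncludeDeletedObjects -Properties $props
    }

    # Reverse so the list runs top-down: the first entry is the OU to restore first,
    # and its LastKnownParent is the live container it goes back into.
    $chain.Reverse()
    return $chain
}

# For the article's scenario this yields Banglore, Users, Test001 in that order.
Get-DeletedAncestry -Name 'Test001' | Format-Table -AutoSize
```

The first entry's LastKnownParent is the place to check before restoring anything: if that container no longer exists either, Restore-ADObject will fail with the "parent is either uninstantiated or deleted" error shown earlier.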


How to check all deleted objects in the AD Recycle Bin

As we now have a clear picture of the parent OU and its contents, we move on and restore all the objects. First, list everything in the Deleted Objects container:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects | Format-List Name,ObjectClass,ObjectGuid


Restore the "Banglore" OU with the command below.

Get-ADObject -LDAPFilter:"(msDS-LastKnownRDN=Banglore)" -IncludeDeletedObjects | Restore-ADObject


Next we have to restore all the Organizational Units that were in the Banglore OU.

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Banglore,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject


All the sub-OUs are now restored to their original path, but we are still a few steps away from restoring all the objects.

If there are multiple objects in each OU, we run the PowerShell command below once per OU, changing only its DN (for example OU=Users,OU=Banglore,DC=contoso,DC=com). Here we restore the objects of the "Users" OU; we do not have to run a restore for each individual object in the Active Directory Recycle Bin.

With this command all the objects are restored under "OU=Users,OU=Banglore,DC=contoso,DC=com".

Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Users,OU=Banglore,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
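The walkthrough restores the tree level by level by hand: Banglore, then the OUs whose lastKnownParent is Banglore, then the objects whose lastKnownParent is each restored OU. The function below is an added example (not the article's own script and not from Microsoft) that generalises this to a subtree of any depth. As the article's output shows, while a parent is still deleted its children's lastKnownParent holds the parent's mangled "\0ADEL:<GUID>" DN, so the whole tree can be indexed from one query and then restored breadth-first, parents before children. It assumes the ActiveDirectory module and the current domain's default naming context; 'Banglore' in the usage line is the article's example OU name.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # msDS-LastKnownRDN of the top-most deleted OU; its own parent must still exist.
        [Parameter(Mandatory)][string]$TopName
    )

    $base = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"

    # One query for every deleted object, indexed by the DN it was last under.
    $all = Get-ADObject -SearchBase $base -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
                        -Properties lastKnownParent, 'msDS-LastKnownRDN' |
           Where-Object { $_.lastKnownParent }        # skips the container itself
    $byParent = @{}
    foreach ($o in $all) {
        if (-not $byParent.ContainsKey($o.lastKnownParent)) { $byParent[$o.lastKnownParent] = @() }
        $byParent[$o.lastKnownParent] += $o
    }

    $top = @($all | Where-Object { $_.'msDS-LastKnownRDN' -eq $TopName })
    if ($top.Count -ne 1) { throw "Expected exactly one deleted object named '$TopName', found $($top.Count)." }
    if ($top[0].lastKnownParent -like "*,$base") {
        throw "'$TopName' was deleted together with its parent; start from the top-most deleted ancestor."
    }

    # Breadth-first walk: every object is dequeued only after its parent has been
    # restored, which is the ordering Restore-ADObject requires.
    $queue = New-Object 'System.Collections.Generic.Queue[object]'
    $queue.Enqueue(@{ Object = $top[0]; ParentDn = $top[0].lastKnownParent })
    $restored = New-Object 'System.Collections.Generic.List[object]'

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $obj  = $item.Object
        # Original DN = RDN in front of the "\0ADEL:" mangling + the parent's original DN.
        $rdn        = ($obj.DistinguishedName -split '\\0ADEL:')[0]       # e.g. OU=Users
        $originalDn = "$rdn,$($item.ParentDn)"

        if ($PSCmdlet.ShouldProcess($originalDn, 'Restore-ADObject')) {
            Restore-ADObject -Identity $obj.ObjectGUID
        }
        $restored.Add([pscustomobject]@{
            DistinguishedName = $originalDn
            ObjectClass       = $obj.ObjectClass
            ObjectGUID        = $obj.ObjectGUID
        })

        # Children were indexed under this object's mangled DN before anything was restored.
        if ($byParent.ContainsKey($obj.DistinguishedName)) {
            foreach ($child in $byParent[$obj.DistinguishedName]) {
                $queue.Enqueue(@{ Object = $child; ParentDn = $originalDn })
            }
        }
    }
    return $restored
}

# Preview the restore order first, then run it for real.
Restore-DeletedSubtree -TopName 'Banglore' -WhatIf
# Restore-DeletedSubtree -TopName 'Banglore' | Format-Table -AutoSize
```

The -WhatIf run prints the full ordered list of DNs that would be restored, which is the thing to review with whoever owns the OU before touching the directory; the returned list from the real run is the record of what came back.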

Conclusion

We are done with the restoration and the users are happy to have their accounts back and to be able to work as before. Get-ADObject and Restore-ADObject are really useful for recovering deleted objects from the Active Directory Recycle Bin, and with this method we can complete the restoration smoothly.

I hope you enjoyed this article and will share it with your friends and colleagues. I would be happy to hear how you restore multiple objects from the Active Directory Recycle Bin.
