Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
We all make mistakes. In Active Directory (AD), a simple mistake can result in frustrated users and wasted time trying to makes things right. One builtin feature in AD is object 'undeletion', sometimes referred to as 'reanimation' or 'object restoration'.
Contrary to what is often written about on this topic, restoring or undeleting any directory object has been around in Active Directory as a builtin feature for a very long time, since Windows Server 2003 in fact. One of the first utilities to offer object restoration was the AdRestore utility from SysInternals, now owned by Microsoft:
While it worked, it was hard to use.
has also had this capability for nearly a decade, offering a GUI that would show all deleted directory objects, sorting options, and the option to restore any deleted object with a couple of mouse clicks. This is shown in more detail below.
Both Hyena and the AdRestore utility use the same technique to restore a deleted directory object. When a directory object is deleted, it simply gets moved into a different container, although one that is hard to get to in standard AD utilities. Restoring the deleted object is as simple as moving the deleted object back into any standard directory container, assuming you have the right tools to perform this operation.
What gets restored back is another matter: This depends on the version of Windows Server you are using, the functional level, and if certain features are enabled.
As stated, Active Directory has had builtin undelete capabilities since Windows 2003. If using any version of Windows AD prior to Windows 2008 R2, this feature is already present. You will generally want to use a 3rd party tool for accessing the AD deleted objects container and doing any restorations. AdRestore, Hyena, and many others make utilities for doing object undeletions, some even free.
Now for the bad news: The basic undelete capabilities in these Windows versions is rather crude and limited. A restored object will have its directory name, SamAccountName, and not much else restored. In particular, group memberships will not be restored. But what will
be restored is the object's SID, which is of importance because this is what all security assignments are based on. Being able to restore, for example, a group which was assigned security rights to a large amount of data means you don't have to figure out or restore that group's security rights throughout the entire enterprise.
Remember, when a group (or user) gets deleted, the security assignments present in the many ACLs in the enterprise are still there. Restoring the deleted security object will also make these previous security assignments applicable, as they never were removed in the first place.
Windows 2008 R2
With Windows 2008 R2, Microsoft introduced a feature referred to as the 'Recycle Bin'. The Recycle Bin adds to the previous undelete capabilities by allowing more directory attributes (fields) to be restored for deleted objects. In particular, linked attributes, such as the user's group memberships, and a group's members, will be restored along with essentially any other directory attribute.
Because a change to the AD schema is required for this new feature, the Recycle Bin must be enabled before these features can be utilized. A complete description of how the Recycle Bin works, how to enable it, and how to undelete objects can be found in this article:
Active Directory Recycle Bin Step-by-Step Guide
If the Recycle Bin is not enabled, the capabilities for undeleting Active Directory objects in Windows 2008 will be the same as previous versions.
However, Microsoft did not include any additional tools to help manage deleted objects, even if the Recycle Bin is enabled.
Windows 2012 brought new features to the Recycle Bin, making it easier to enable, and in particular, finally providing an easy and visual method of restoring a deleted directory object. This is covered in the following article on the improvements to the Active Directory Administrative Center in 2012:
Introduction to Active Directory Administrative Center Enhancements
Deleting Made Easy
Regardless of the Windows and Active Directory version being used, Hyena has for many years incorporated an Undelete / AD object restoration option. Simply right click on any domain, and select 'View Deleted Objects'. Hyena will prompt for the directory attributes to be displayed for the deleted objects; clicking OK will display all deleted objects in the domain.
In this image, the deleted objects have been sorted by description, and two previous deleted users are selected for Undeletion. In this example, the AD Recycle Bin has been enabled, allowing for the Job Title, Description, and Employee ID to be displayed for easier identification. These attributes will also be restored back into the directory.
The enhanced restoration capabilities in Windows 2008 with the AD Recycle Bin provide for a ready-made safety net for Active Directory administrators.
Click here for more information on Hyena
and how it can improve your Windows and Active Directory management capabilities.