When an object is deleted from Active Directory it is not gone for good yet, for a certain retention period (180 days by default) it's possible to restore it. If Active Directory Recycle Bin is activated restoring the object is simple.
If AD Recycle Bin is not enabled, the deleted object is stripped from most of it's properties and it's stored as a tombstone container in AD until the retention period elapses.
Examples of Querying Deleted Active Directory users
# List all deleted AD users
Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties *
# Query a specific deleted user called Ben by SamAccountName
Get-ADObject -Filter {SamAccountName -eq "ben"} -IncludeDeletedObjects -Properties *
# Query a specific deleted user if we know the SID
Get-ADObject -Filter {objectSid -eq "S-1-5-21-3248668488-3435716276-1094588311-1109"} -IncludeDeletedObjects -Properties *
Restore Deleted AD User from AD Recycle Bin
# Restore the deleted AD user from the Active Directory Recycle Bin
Get-ADObject -Filter {UserPrincipalName -eq "ben@protectigate.com"} -IncludeDeletedObjects -Properties * | Restore-ADObject
Note: if AD Recycle Bin is not enabled, the following procedure will not work. That case the object needs to be restored from it's tombstone, using the built-in ldp.exe utility in Windows.
Output (deleted object)
The output of the command reveals many attributes of the deleted account, such as the display name, SamAccountName, UserPrincipalName, location before it was deleted, etc.
If the AD Recycle Bin is not enabled, certain properties, like the UserPrincipalName, etc will be missing from the deleted object.
PS C:\> Get-ADObject -Filter {SamAccountName -eq "ben"} -IncludeDeletedObjects -Properties * | Format-List *
* click on the illustration to enlarge
Leave a Comment