In this post we go through the process of restoring an accidentally deleted AD user account.
When an object is removed from Active Directory it's not gone forever, or at least not yet. AD has a retention policy to keep removed objects for a certain period of time - 180 days by default - before purging the object forever.
If Active Directory Recycle Bin is enabled, restoring the account is easy. We simply need to locate it and either use PowerShell or Active Directory Administrative Center to restore the account to its previous location with all the properties it had earlier.
However, if AD Recycle Bin is not enabled for the domain, restoring the account is still possible, although a little more cumbersome. In this case, after the AD account is deleted, it is converted to a tombstone object and kept in the Deleted Objects container for the retention period. This tombstone retains most of the account's properties, like the SID, sAMAccountName and displayName, but some attributes are lost. Those attributes are the UserPrincipalName, first name, last name, and so on.
To perform an AD object restore, we'll be using LDP.exe, which can be found on any domain controller in the domain.
Oops, the account is deleted!
In this example I delete the user account "John Doe" and go through the steps of restoring it.
1. I push the Windows key and R together, type in dsa.msc and hit Enter.
2. There I locate the 'John Doe' user account, right-click on it and select 'Delete'.
Restore the deleted AD User account
1. First, open ldp.exe from an elevated command prompt. Right-click on the Windows button, and select either the Command Prompt (Admin) or the Windows PowerShell (Admin) option. There, type in ldp.exe and hit Enter.
2. In Ldp click on Connection / Bind, then select Bind as currently logged on user. Click OK.
3. Next, click on Options / Controls in the upper menu bar. Select the Return deleted objects from the Load Predefined drop-down menu. Click OK.
4. Now we are back to the main ldp.exe window. Click View / Tree in the menu. In the drop-down menu, select the distinguished name of the domain. In our case it's protectigate.com, so the distinguished name is DC=protectigate,DC=com
5. Expand the domain by double-clicking on its name in the left side menu. Locate and expand the CN=Deleted Objects container. Our deleted account will likely be located at the end of the list, so scroll down until you find it. Here we are looking for John Doe.
6. Right-click on the object, and select Modify.
In the Attribute box type in isDeleted, set the Operation radio button to Delete, and click on the Enter button.
7. In the next step you'll need the distinguished name of the deleted object. If you are not sure what it was, a little PowerShell action will help.
Open an elevated PowerShell (click on the Start menu, then type in PowerShell, right-click on it and select Run as Administrator) window, and type in the following command. If you have a user with a different name, use that name in the command. This will return the distinguished name we need.
PS C:\> $DeletedUser = Get-ADObject -Filter {Name -like "John Doe*"} -IncludeDeletedObjects -Properties *
PS C:\> "CN=" + $DeletedUser.CN.Split("`n")[0] + "," + $DeletedUser.LastKnownParent
CN=John Doe,OU=Users,OU=My Business,DC=protectigate,DC=com
PS C:\>
7.5. Now return to the ldp window, this time type in DistinguishedName in the Attribute box.
Next, copy the distinguished name itself in the Values field. In our example it is: CN=John Doe,OU=Users,OU=My Business,DC=protectigate,DC=com
Under Operation select the Replace option.
Click Enter.
8. Make sure the Extended box is checked and click on Run.
At this point the account should reappear in its original LDAP location; in this example it's the My Business / Users organizational unit.
9. Open dsa.msc and locate the user account. It shows up as disabled; this is because its password was removed during the deletion process, along with some other properties, like the UPN and name fields, that we now need to set manually.
10. Double-click on the user account. Under the General tab fill out the name fields, then switch to the Account tab and set the User logon name to the appropriate value. Our John Doe had the UPN as john.doe@protectigate.com
11. The last thing we need to do is reset the password and enable the account.
Right-click on the account, select Reset Password, then type in the desired value in both the New password and Confirm password fields. Hit OK.
Then right-click on the user one more time and select Enable Account.
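The same reanimation can be scripted end to end. The following PowerShell is an added example, not part of the original post: it locates the tombstone (step 7), sends the same LDAP modify that LDP performs in steps 6 to 8 (delete isDeleted, replace distinguishedName, with the "Return deleted objects" control attached), and then repairs the attributes the tombstone lost (steps 10 and 11). It assumes the RSAT ActiveDirectory module, a domain admin session, the user name "John Doe", the UPN john.doe@protectigate.com and the protectigate.com domain from the post; everything else (the $Server pinning, the SID check) is my addition.

```powershell
# Added example: tombstone reanimation without AD Recycle Bin, scripted.
# Assumes RSAT ActiveDirectory module and a domain admin session.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Name    = "John Doe"                         # assumed, from the post
$Upn     = "john.doe@protectigate.com"        # assumed, from the post
$Pattern = "$Name*"

# Pin every call to one DC so the search and the modify see the same data.
$Server = (Get-ADDomain).PDCEmulator

# Step 7: find the tombstone. The RDN was rewritten to "John Doe<LF>DEL:<guid>",
# so splitting the CN on the line feed recovers the original CN.
$Deleted = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter { Name -like $Pattern -and isDeleted -eq $true } `
    -Properties cn, lastKnownParent, objectSid)
if ($Deleted.Count -ne 1) {
    throw "Expected exactly one tombstone for '$Name', found $($Deleted.Count); narrow the filter."
}
$Deleted    = $Deleted[0]
$OriginalDN = "CN=" + $Deleted.cn.Split("`n")[0] + "," + $Deleted.lastKnownParent
Write-Host "Restoring $($Deleted.DistinguishedName) to $OriginalDN"

# Steps 2 and 6-8: bind as the current user and send one modify request.
$Conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$Conn.SessionOptions.ProtocolVersion = 3
$Conn.Bind()

$Req = New-Object System.DirectoryServices.Protocols.ModifyRequest
$Req.DistinguishedName = $Deleted.DistinguishedName

# Attribute isDeleted, Operation = Delete (step 6)
$DelIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$DelIsDeleted.Name      = "isDeleted"
$DelIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

# Attribute distinguishedName, Operation = Replace with the original DN (step 7.5)
$SetDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$SetDN.Name      = "distinguishedName"
$SetDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$SetDN.Add($OriginalDN)

[void]$Req.Modifications.Add($DelIsDeleted)
[void]$Req.Modifications.Add($SetDN)

# The "Extended" checkbox / "Return deleted objects" control (LDAP_SERVER_SHOW_DELETED_OID).
[void]$Req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

$Resp = $Conn.SendRequest($Req)
if ($Resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
    throw "Reanimation failed: $($Resp.ResultCode) $($Resp.ErrorMessage)"
}

# Verify we got the same security principal back, not a look-alike.
$Restored = Get-ADUser -Server $Server -Identity $OriginalDN
if ($Restored.SID.Value -ne $Deleted.objectSid.Value) {
    throw "SID mismatch after restore: $($Restored.SID.Value) vs $($Deleted.objectSid.Value)"
}

# Steps 10 and 11: put back the attributes the tombstone stripped, reset the
# password and enable the account. Names are assumed from "John Doe".
Set-ADUser -Server $Server -Identity $Restored -GivenName "John" -Surname "Doe" `
    -DisplayName $Name -UserPrincipalName $Upn
Set-ADAccountPassword -Server $Server -Identity $Restored -Reset `
    -NewPassword (Read-Host -AsSecureString "New password for $Name")
Enable-ADAccount -Server $Server -Identity $Restored

Get-ADUser -Server $Server -Identity $Restored -Properties UserPrincipalName, Enabled |
    Select-Object DistinguishedName, UserPrincipalName, Enabled, SID
```

The SID comparison is the check worth keeping even if you do the rest by hand in LDP: group memberships and ACLs reference the SID, and a reanimated tombstone keeps it, whereas creating a fresh "John Doe" would not. If the script reports more than one tombstone, an older deletion of an account with the same name is still within the retention window; pick it by ObjectGUID rather than by name.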
Should you have any question or comments please let me know below!