How to Restore Active Directory Users

DATA BACKUP
ACTIVE DIRECTORY & GPO

by Michael (Netwrix) on Feb 21, 2017 at 4:14pm


Introduction
AD admins need to be able to restore Active Directory objects such as user
accounts, as well as fix incorrect modifications and roll back unwanted changes to AD
objects, because unwanted changes or inappropriate deletions can lead to
productivity interruptions and system unavailability. For example, if some
organizational units (OUs), Active Directory groups or users are improperly
changed or deleted, employees across the organization might not be able to log in,
or might have trouble accessing the applications they need to do their jobs.

Steps (6 total)

1. Run PowerShell
Navigate to Start, choose Administrative Tools, right-click Active Directory
Module for Windows PowerShell, and click Run as Administrator.

2. Check the Domain and Forest Modes
Check the domain and forest functional modes using the following commands.
Both must be Windows Server 2008 R2 or higher.

3. PowerShell Commands for the Check

(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode

4. Enable Recycle Bin
To enable the Recycle Bin feature, run the following script. Once the Recycle Bin has
been enabled, any Active Directory object that is deleted afterwards will be stored in the
Recycle Bin.

5. Script for Enabling Recycle Bin

# Build the DN of the optional feature under the configuration partition
$cfgNameCtx = (Get-ADRootDSE).ConfigurationNamingContext
$recBin = "CN=Recycle Bin Feature,CN=Optional Features,"
$recBin = $recBin + "CN=Directory Service,CN=Windows NT,CN=Services,"
$recBin = $recBin + $cfgNameCtx
# The feature is enabled forest-wide; -Target is the forest name
$target = (Get-ADDomain).Forest
Enable-ADOptionalFeature -Identity $recBin -Scope ForestOrConfigurationSet -Target $target -Confirm:$false

6. AD User Account Restoration Script

# Replace "User Name" with the name of the deleted account. A deleted object's
# RDN is rewritten to "User Name\0ADEL:<guid>", so the trailing * is required
# for the name to match.
$deletedUsers = Get-ADObject -Filter 'name -like "User Name*" -and isDeleted -eq $true' -IncludeDeletedObjects
$deletedUsers | Restore-ADObject
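As an added end-to-end example (not code from the original article or from Netwrix), the six steps above combined into one script with the checks a practitioner would want before and after a restore: it verifies the functional levels, enables the Recycle Bin only if it is not already enabled, reports how long deleted objects stay restorable, matches the mangled RDN of deleted objects, handles the case where the user's OU was deleted too, and verifies the restored account. The $UserName parameter, its 'rtest' default and the CN=Users fallback container are assumptions of this example.

```powershell
# Added example, not from the original article: check the prerequisites,
# enable the Recycle Bin if needed, then locate and restore a deleted user.
# $UserName and the 'rtest' default are constructed placeholders; run in an
# elevated Active Directory Module for Windows PowerShell session.
param(
    [string]$UserName = 'rtest'   # name of the deleted account to look for
)

Import-Module ActiveDirectory

# --- 1. Functional levels must be Windows Server 2008 R2 or higher -----------
$domainMode = (Get-ADDomain).DomainMode
$forestMode = (Get-ADForest).ForestMode
$minDomain  = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$minForest  = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
"Domain mode: $domainMode   Forest mode: $forestMode"
if ([int]$domainMode -lt $minDomain -or [int]$forestMode -lt $minForest) {
    throw "Functional levels are below 2008 R2; raise them before enabling the Recycle Bin."
}

# --- 2. Enable the optional feature only if it is not already enabled --------
# EnabledScopes is empty until the feature has been turned on. Enabling is a
# one-way change, so the default -Confirm prompt is left in place here.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name
} else {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
}

# --- 3. How long a deleted object stays restorable --------------------------
# msDS-DeletedObjectLifetime is unset by default, in which case the
# tombstoneLifetime value applies.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services," +
            (Get-ADRootDSE).ConfigurationNamingContext
$ds = Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$lifetimeDays = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
"Deleted objects can be restored for $lifetimeDays days after deletion."

# --- 4. Find the deleted user ------------------------------------------------
# A deleted object's RDN is rewritten to "<name>\0ADEL:<guid>", so an exact
# name match finds nothing; match on the prefix and restrict to user objects.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, sAMAccountName |
    Where-Object { $_.Name -like "$UserName*" }

if (-not $deleted) {
    throw "No deleted user named '$UserName' found. Was the Recycle Bin enabled before the deletion, and is the object within its $lifetimeDays-day lifetime?"
}

foreach ($obj in $deleted) {
    "Found $($obj.Name) (sAMAccountName=$($obj.sAMAccountName), changed $($obj.whenChanged))"
    "  last known parent: $($obj.lastKnownParent)"

    # --- 5. Restore, handling an OU that was deleted along with the user -----
    # Restore-ADObject puts the object back under lastKnownParent; if that
    # container no longer exists the restore fails, so fall back to a
    # -TargetPath (here the default Users container, a constructed choice).
    $parentExists = $true
    try { Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null }
    catch { $parentExists = $false }

    if ($parentExists) {
        Restore-ADObject -Identity $obj.ObjectGUID
    } else {
        $fallback = "CN=Users,$((Get-ADDomain).DistinguishedName)"
        "  original container is gone; restoring to $fallback"
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $fallback
    }

    # --- 6. Verify the account is live again -------------------------------
    Get-ADUser -Identity $obj.ObjectGUID -Properties MemberOf |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName,
                      @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } }
}
```

Usage: save the script and run it as `.\Restore-DeletedUser.ps1 -UserName rtest` (a constructed file name) from an elevated session. The name filter is applied with Where-Object rather than inside the LDAP filter string so that the user-supplied name never has to be quoted into the filter; on a directory with very many deleted objects, move the prefix match into -Filter instead. If the account was deleted before the feature was enabled, step 4 finds nothing, which matches the answer given in the comments below.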


12 Comments


Gorfmaster1 Feb 21, 2017 at 8:03pm


I learned about AD Recycle Bin while on the MVA PowerShell for AD and it has saved
us a couple times.


johncruz3 Feb 21, 2017 at 8:11pm


This has removed more than one headache caused by our helpdesk deleting
accounts that we still needed.


jeffreyweymouth Feb 21, 2017 at 8:37pm


Another page to save in my SpiceWorks Shortcuts folder! Thanks


Glenn_P Feb 21, 2017 at 9:03pm


@jeffreyweymouth - It's funny that you say that. As I clicked the "add to favorites"
button in my browser I was thinking "Michael needs to write an e-Book on helpful IT
admin tips".


BiscuitKing Feb 21, 2017 at 9:23pm


Do all of your domain controllers need to be on the same OS for this to work?


BigDaddyTex Feb 21, 2017 at 10:23pm


BiscuitKing, looks like they have to be at LEAST 2008 R2...

"Check the domain and forest functional modes using the following commands.
Both must be Windows Server 2008R2 or higher."

So it looks like you could have some running 2012 or whatever, but as long as the
Domain and Forest functional level is at 2008R2 it would work....

That's how I read it anyway.....


Dennis72 Feb 21, 2017 at 10:25pm


I remember a few years ago this would've been exceedingly handy info to have at
the ready during problem "X" (we'll just call it that) and I had no way to backpedal
from it. Had to recreate everything that was deleted. Much obliged.


Ryan5204 Feb 22, 2017 at 7:23pm


For some reason, this is not working for me. I've added a recycle test (username
rtest) and $recyclebin comes up blank, and user is not restored to AD.


smjain Feb 22, 2017 at 9:27pm


In Windows Server 2012 and later, the AD Recycle Bin can be enabled via the
GUI in the Active Directory Administrative Center (ADAC) (from Server
Manager\Tools).
Open ADAC, click your domain's name, and select Enable Recycle Bin from the
Tasks menu, or right-click your domain's name and select Enable Recycle Bin from
the context menu.

You can also view the Recycle Bin here under "Deleted Objects".


Chad13 Feb 23, 2017 at 1:05am


ugg..
our environment is Windows2003Domain & Windows2000Forest, we need to
UPGRADE!!


IT Monkey Mike Feb 23, 2017 at 10:31pm


Does the AD recycle bin have to be enabled before you have a problem, or can this
help recover objects deleted before the AD recycle bin is activated?
(ie: "Bob's" user object is deleted, then AD recycle bin is turned on, will you be able
to recover "Bob's" user object?)


smjain Mar 2, 2017 at 11:37pm


It needs to be enabled in AD before you delete anything.
