This website uses cookies to ensure you get the best experience on our website. Learn more
How to recover a deleted Active Directory object
Most organizations today are still running Active Directory on-premises as their identity and access management solution. Many businesses are also synchronizing it with cloud directories as part of a hybrid configuration. Recovering Active Directory and deleted objects is an important part of an overall disaster recovery strategy – so let’s look at how to recover a deleted Active Directory account step-by-step.
Disaster recovery for Active Directory is extremely important
Businesses need to give due attention to Active Directory as part of their overall disaster recovery strategy. Since Active Directory is usually the central identity and access management solution in the enterprise datacenter, losing access to it can cause major issues.
If most organizations are running Active Directory on-premises, they synchronize their directories with cloud directories like Microsoft Entra ID. So, maintaining access to Active Directory Domain Services is important. Internal apps may use SQL Server connections, which rely on Microsoft Active Directory for service principal names. If Active Directory goes down, these will likely have issues.
Active Directory recycle bin
The Active Directory recycle bin is a key part of a strategy to be able to easily recover Active Directory objects that have been deleted. However, it first needs to be enabled. What exactly is the Active Directory recycle bin? The Active Directory recycle bin is a special container in Active Directory that was introduced with Windows Server 2008 R2 and newer domain controllers. When you enable it, deleted Active Directory objects are stored in the recycle bin for the configured amount of time.
How long do objects stay in recycle bin?
It’s important to understand how long objects stay in the Active Directory recycle bin in case you need to recover them. There’s an attribute configured in Active Directory that determines the period of time objects remain in the recycle bin. The attribute is the tombstoneLifetime. You can configure this to a custom value. However, the default values for this value are the following:
- Windows Server 2008 R2 and later: The default tombstone lifetime is 180 days.
- Older versions: The default tombstone lifetime is 60 days.
You can check the value that is configured for your domain with PowerShell. Run the following from one of your domain controllers, replacing the domain portion with the values for your domain:
Get-ADObject -SearchBase "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -Filter * -Property tombstoneLifetime | Select-Object -ExpandProperty tombstoneLifetime
Below, you can see the value of 180 days in the test domain.
So, just note that the recycle bin will not keep objects around forever. You will need to decide whether or not you want to restore these objects during the tombstone lifetime interval.
Configuring Active Directory recycle bin
Now, let’s look briefly at configuring the Active Directory recycle bin and how this is done. First, navigate to and open the Active Directory Administrative Center. Then on the right hand side under the Tasks pane, you will see the option to Enable Recycle Bin.
Once you click to Enable the Recycle Bin, you will see the Enable Recycle Bin Confirmation dialog box. Click OK on the box to enable it. As the message reads, it is important to note that once enabled, it cannot be disabled.
You will need to give replication time to replicate the changes across your domain if you have multiple domain controllers.
Once you have enabled it, if you refresh your Active Directory Administrative Center interface, you will now see the Enable Recycle Bin link is greyed out:
Now that we have the Active Directory recycle bin enabled, we can look at the process to use it to recover a deleted AD object.
Recovering a deleted AD object
Let’s say that an admin accidentally or intentionally deleted the wrong users from Active Directory. Or, maybe an automated script wasn’t tested and it targeted the wrong users. The objects get deleted. Often disaster recovery events do not come from malicious users or behavior, but accidental deletions and other actions.
If we go back to the Active Directory Administrative Center, we will see that we have a folder under the Domain called Deleted Objects. This is the special container that is created when we enable the Active Directory recycle bin.
Now, if we double click the folder, we will see any objects that have been deleted within the 180 day tombstone interval (in this example domain). If we double-click the special folder in the administrative center, we will see the two objects that were deleted.
If we click and select the users, and then right-click, we get the options to ‘restore’ or ‘restore to’:
- Restore – will restore the objects to the same location in Active Directory
- Restore to – will give you the option to select where you want to restore the objects
If we select to restore, the objects will disappear as they have been restored back to the original location.
Before refreshing Active Directory Users and Computers, we see that testuser and testuser1 are not there:
After we refresh the view of the OU in ADUC, we can see the two users appear once again.
Using PowerShell for the recycle bin
We can also use PowerShell to interact with the Active Directory recycle bin. You can use the cmdlet below to browse objects:
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Property * | Format-List Name,ObjectGUID,Deleted,DistinguishedName
This will return a list of deleted objects that you can then use to restore using PowerShell. You can restore an object with PowerShell using the ObjectGUID or the Distinguished Name using the following cmdlets.
Restore-ADObject -Identity <ObjectGUID> Restore-ADObject -Identity "CN=Your User,OU=Users,DC=yourdomain,DC=com"
Limitations of the Active Directory recycle bin
There are a few limitations of the AD recycle bin to be aware of when using it for a type of disaster recovery in your environment. These include the following limitations:
- The AD recycle bin is not enabled by default. So, if it isn’t enabled before the deletion event, it won’t help you
- It doesn’t protect you against hardware failure of your domain controllers
- It doesn’t store any set of “versions” of the object
- It only stores the last version of the deleted object and does not allow you to rollback changes of object attributes
Businesses need to recognize these limitations and have the means to back-up and restore their Active Directory infrastructure using other data protection tools. While it isn’t a back-up of your Active Directory, the recycle bin can work in conjunction with back-ups as a very quick and easy way to recover objects when needed.
Keep your Active Directory secure
Recovering Active Directory objects is an extremely important task that may come up from time to time. The Active Directory recycle bin is a built-in tool you can enable, which allows quick recovery of AD objects. You can easily enable this with the Active Directory Administrative Center and also recover objects from there as well. As expected, you can also use PowerShell to interact with the Active Directory recycle bin. Be aware of the limitations of the AD recycle bin, such as no versioning and the fact that you can’t granularly restore attributes.
In addition to making sure you are backing up your Active Directory objects and using things like the AD recycle bin, increasing password security across the board is a great way to make sure your Active Directory environment is more secure. Specops Password Policy continuously scans your Active Directory against our database of 4 billion unique compromised passwords, alerting end users if they’re using breached credentials. Try a live demo and see how Specops Password Policy could fit in with your organization.
Any questions related to securing your Active Directory? We’d be happy to help – speak to an expert today.
(Last updated on November 14, 2024)