Deleted Active Directory User account and the Deleted object store | Basic introduction | Article 1#4 | Part 13#23

In the following article, I would like to provide a high-level review on the subject of – “Restoring Soft Deleted Active Directory User account.”


We will review the following subjects:

  1. The method that Active Directory uses for storing deleted objects such as user accounts.
  2. The two main Active Directory methods that we can use for restoring deleted Active Directory objects:
  • Tombstoned objects.
  • Active Directory recycle bin.

Overall, the preferred method is to use the Active Directory recycle bin, but its main drawback is that the Active Directory recycle bin is not activated by default. To be able to use the Active Directory recycle bin feature, we need to activate this option in advance.

In case we need to restore a Soft Deleted Active Directory object and the Active Directory recycle bin was not activated, we must fall back to the less convenient option, described as restoring Tombstoned objects.

Regarding the method of restoring Active Directory objects using the Active Directory recycle bin, we will review the available tools and the way we use them in a later article in this series.

Regarding the method of restoring Tombstoned Active Directory objects, we will review the available tools and the way we use them in the articles that follow.

The mission - Restore Soft Deleted Active Directory User account

Active Directory and Deleted Objects system folder

The Active Directory includes a hidden system partition (folder) named – Deleted Objects.

The Active Directory hidden system partition folder named - Deleted Objects

The purpose of the Deleted Objects folder is – to serve as a “store” for deleted Active Directory objects, such as User account or computer account.

Active Directory keeps a “deleted object” in the Deleted Objects folder for a limited period.
At the end of this period (180 days by default), the deleted object is “removed” from the Deleted Objects system folder, meaning it is permanently deleted (described as Hard Deleted).

By association, this mechanism could be described as a “recycle bin.”

The “thing” is that Microsoft prefers to use the term “Active Directory recycle bin” for “another feature” that was implemented in Windows Server 2008 and above.

The formal Microsoft definition of “Active Directory recycle bin” refers to an optional feature that needs to be “activated” and that is built on top of the Deleted Objects folder.

In case the “Active Directory recycle bin” mechanism is activated, the restore process for a Soft Deleted object enables us to restore the deleted object including all of its properties.

Also, the “Active Directory recycle bin” includes tools (PowerShell commands and, on a Windows 2012 server, a graphic interface) that let us access the Deleted Objects folder and restore deleted objects more easily.

Metaphorically, we can relate to the “Active Directory recycle bin” as the “sophisticated brother” of the Deleted Objects folder feature.

The special Active Directory folder - Deleted Objects -04

Another way to define the “Active Directory recycle bin” is as a service “built upon” the Deleted Objects folder infrastructure that adds an additional layer of options, which enables us to restore the Soft Deleted object “fully,” plus an extended interface and management capabilities.

Active Directory recycle bin as an additional layer over the existing Deleted object infrastructure

Why Active Directory saves deleted objects

The Active Directory mechanism that stores “Deleted Objects” is implemented automatically. In other words, we don’t need to apply any configuration setting to “activate” the Active Directory “Deleted Objects” store.

Each time we delete an Active Directory object such as a user account, the object is “sent” to the Active Directory Deleted Objects folder and “stamped” as a Tombstoned object.

The term “Tombstoned object” was coined to point out that the particular object has a “limited lifetime.”

Note – In case you are familiar with the DNS term TTL (Time To Live), which defines the lifetime of a particular DNS record, the tombstone is a similar concept.

Tombstoned objects in Active Directory environment -03

I guess that at this point you’re a bit confused, so let’s start with a quote from the Microsoft article that introduces the topic of Active Directory “Deleted Objects” and Tombstoned objects.

What Is a Tombstone?

When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects.

The object, now called a tombstone, is invisible to normal directory operations. It does not show up in any Microsoft® Management Console (MMC) snap-ins, and most Lightweight Directory Access Protocol (LDAP) utilities are blissfully unaware of the tombstone’s existence.

The tombstone is, for all intents and purposes, gone. The data, however, is still there—it’s just invisible. So why does Active Directory keep tombstones, otherwise deleted objects, in the database?

While invisible to other processes, a tombstone is visible to the Active Directory replication process. To make sure the deletion is performed on all the DCs that host the deleted object, Active Directory replicates the tombstone to the other DCs. Thus the tombstone is used to replicate the deletion throughout the Active Directory environment.

You should note that the CN=Deleted Objects folder is flat and has no object hierarchy. You might think this would cause name conflicts if you deleted two different objects with the same CN. This isn’t the case, though. Since the objectGUID is incorporated into each tombstone’s RDN, each tombstone’s RDN is unique within the CN=Deleted Objects container.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC=<root domain> object.

Source of information – Reanimating Active Directory Tombstone Objects
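The quoted text describes what a tombstone keeps (isDeleted, a renamed RDN carrying the objectGUID, a few surviving attributes) and where the tombstone lifetime is configured. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the lifetime from the Directory Service object, lists tombstoned user objects through the ActiveDirectory module, and estimates how many days remain before each one is purged. It assumes the ActiveDirectory module is installed and that the caller is allowed to read deleted objects (Domain Admins by default); the 180-day fallback used when tombstoneLifetime is unset is an assumption, since the real default depends on the version the forest was created with.

```powershell
# Added example; not from the original article. Lists tombstoned user objects in the
# CN=Deleted Objects container and estimates how long each one stays restorable.
# Assumes the ActiveDirectory PowerShell module is installed and the caller is allowed to
# read deleted objects (Domain Admins by default); run against a domain controller.
Import-Module ActiveDirectory

function Get-ADDeletedObjectLifetime {
    # tombstoneLifetime lives on the Directory Service object in the Configuration NC,
    # the same object the quoted Microsoft text points to.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # If the attribute was never set, the forest default applies (60 or 180 days depending
    # on the Windows version the forest was created with); 180 is assumed here.
    $tombstoneDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 180 }
    # Once the Recycle Bin is enabled, msDS-DeletedObjectLifetime governs how long a deleted
    # object keeps its attributes; when unset it falls back to tombstoneLifetime.
    $deletedDays = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tombstoneDays
        DeletedObjectLifetimeDays = $deletedDays
        TombstoneLifetimeIsSet    = [bool]$ds.tombstoneLifetime
    }
}

function Get-ADTombstonedUser {
    $lifetime = Get-ADDeletedObjectLifetime
    # -IncludeDeletedObjects makes Get-ADObject return tombstones, which ordinary LDAP
    # searches never show. The ObjectClass property of the returned object is the most
    # specific class, so filtering on it keeps computer accounts (which also carry the
    # 'user' class) out of the list; objectCategory cannot be used because it is stripped.
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                 -Properties sAMAccountName, lastKnownParent, whenChanged, isRecycled |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object {
            # whenChanged is updated when the object is tombstoned, so it approximates
            # the deletion time; the purge date is that plus the applicable lifetime.
            $purgeDate = $_.whenChanged.AddDays($lifetime.DeletedObjectLifetimeDays)
            [pscustomobject]@{
                Name            = $_.Name              # renamed on deletion: "<cn>\0ADEL:<objectGUID>"
                SamAccountName  = $_.sAMAccountName    # one of the few attributes a tombstone keeps
                LastKnownParent = $_.lastKnownParent   # the container it can be restored into
                DeletedApprox   = $_.whenChanged
                Recycled        = [bool]$_.isRecycled  # only ever $true with the Recycle Bin enabled
                DaysUntilPurge  = [math]::Max(0, [int]($purgeDate - (Get-Date)).TotalDays)
            }
        }
}

Get-ADTombstonedUser | Sort-Object DaysUntilPurge | Format-Table -AutoSize
```

The script is read-only. Objects with a small DaysUntilPurge value are the ones to act on first; once the lifetime expires the object is hard deleted and no tombstone tool or Recycle Bin can bring it back.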

Tombstone object versus Active Directory recycle bin object

In case we need to restore a deleted Active Directory object (a Soft Deleted object, to use the more accurate term), we need to “access” the Active Directory “Deleted Objects folder” and “pull out” the object (change the status of the object to “active”).

If we want to use more technical terms, we need to update the deleted object’s status from Tombstoned object to non-Tombstoned object (active object).

The “two issues” with the Tombstoned objects are:

1. The properties of the deleted object are not saved

When we delete an Active Directory object such as a user account, the deleted object is sent to the Active Directory “Deleted Objects folder,” but most of the object properties are removed (deleted).

In case we manage to restore the Tombstoned object, all the information that was “attached” to the object, such as Password, E-mail Address, Telephone number, Group membership and more, cannot be recovered!

2. No built-in interface for recovering Tombstoned objects

Also, Active Directory doesn’t include “built-in tools” that we can use for “fetching” a Tombstoned object from the Active Directory “Deleted Objects folder.”

In the next article, we will review some tools that we can use, such as LDP.EXE. But the LDP.EXE utility was not created as a dedicated tool for recovering Tombstoned objects, and the way we use these tools is quite complicated.

In contrast to the disadvantages of working with Tombstoned objects, the Active Directory recycle bin feature was built to improve and elaborate the Active Directory “Deleted Objects folder” infrastructure.

When we activate the Active Directory recycle bin, each time an object such as a user account is deleted, the object continues to be kept in the Active Directory “Deleted Objects folder,” but this time all the object properties are kept.

In a scenario in which we recover the deleted Active Directory user account, the user account will be restored with its “full properties,” such as Password, E-mail Address, Telephone number, Group membership and so on.

Tombstoned object versus Active Directory recycle bin object

It’s important to mention that the Active Directory recycle bin feature is not activated (enabled) by default.

Active Directory recycle bin admin interface

The Active Directory Recycle Bin feature provides us “tools” for implementing the required recovery process from the “Deleted Objects folder.”

  • Case 1 – In case your Domain controller is a Windows 2008 R2 server, the Active Directory recycle bin “tool” that we use for recovering deleted objects from the “Deleted Objects folder” is PowerShell commands. In other words, the recovery process is implemented via a command line interface.
  • Case 2 – In case your Domain controller is a Windows 2012 server, the Active Directory recycle bin provides a graphic interface for recovering deleted objects from the “Deleted Objects folder.”

What is the preferred option regarding the subject of restoring Active Directory deleted object?

As mentioned, the need to recover deleted Active Directory objects can be met by using one of the following options:

  • Tombstoned objects (in case that the Active Directory recycle bin is not enabled).
  • Active Directory recycle bin.

What are the available options for restoring user account -02

Q1: What is the preferred option regarding the subject of – restoring Active Directory deleted objects?

A1: Let’s make it simple – using the Active Directory recycle bin for recovering deleted (Soft Deleted) object is the preferred option.

So why do I bother to spend all this time on the subject of restoring Tombstoned objects?

The option of recovering deleted Active Directory objects using Tombstoned objects is a little primitive versus the more sophisticated Active Directory recycle bin method!

The method of restoring Active Directory using Tombstoned objects- as - prehistoric

The simple answer is that sometimes this is the only option we have!

In case we didn’t enable the Active Directory recycle bin option and we must restore a deleted Active Directory object, the only option is using the Tombstoned objects option.

In some scenarios using the option of Tombstoned objects is the only option

Diagram decisions

Let’s start to recap.

In case that we need to restore a deleted (Soft Deleted) Active Directory object such as User account, the preferred option is – to use the Active Directory recycle bin.

In case that the Active Directory recycle bin was not activated, we will need to restore the deleted object by using the Tombstoned objects option.

Active Directory recycle bin was not enabled

In the next articles-

We will review how to use various tools for recovering deleted Active Directory objects in case the Active Directory recycle bin was not enabled.

We will review three available options:

  1. The Active Directory LDP.exe utility.
  2. The Sysinternals utility named AdRestore and its graphic version.
  3. A free third-party utility named LEX – the LDAP Explorer.

Active Directory recycle bin is enabled

We will review the process of recovering Active Directory deleted objects using the following options:

  1. PowerShell command.
  2. Windows 2012 server version – a graphic interface.

Directory Synchronized environment – Restore On-Premise Active Directory User account

In the article – How to restore Active Directory deleted user account by using Active Directory recycle bin | Article 4#4 | Part 16#23, we will review how to restore Active Directory deleted objects by using Active Directory recycle bin.

How can I know if my Active Directory domain has Active Directory recycle bin?

As mentioned, the Active Directory recycle bin needs to be manually enabled (not activated by default).

The central question that can appear in your mind is – How can I know if my Active Directory domain has Active Directory recycle bin?

Can we use Active Directory recycle bin or not

There are two options which we can use for getting the answer to this question:

Option 1 – Using the PowerShell command Get-ADOptionalFeature

Using the PowerShell command Get-ADOptionalFeature, we can verify if the option of the Active Directory recycle bin was activated or not.

The syntax that we need to use is:

Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

The output from this PowerShell command will display a couple of details that relate to the Active Directory recycle bin feature.

The particular property that we are looking for is named EnabledScopes.

  • In case the property EnabledScopes is “empty,” the meaning is that the Active Directory recycle bin was not activated.
  • In case the property EnabledScopes is “populated,” the meaning is that the Active Directory recycle bin was activated.
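The following PowerShell is an added example, not the article’s own code. It wraps the EnabledScopes check above into a single read-only function, and because enabling the feature requires a forest functional level of Windows Server 2008 R2 or higher, it also reports whether the Recycle Bin could be enabled, and which restore path (recycle bin or tombstone tools) currently applies to a deleted object. It assumes the ActiveDirectory module is installed and that the caller can read the forest configuration; the function name Get-ADRecycleBinStatus is ours.

```powershell
# Added example; not from the original article. Reports whether the Active Directory
# Recycle Bin is enabled and which restore method therefore applies to deleted objects.
# Assumes the ActiveDirectory PowerShell module is installed and the caller can read the
# forest configuration. Everything here is read-only.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    # The check from the article: EnabledScopes is empty until the feature is enabled.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    $enabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    # Enabling the feature requires the Windows Server 2008 R2 forest functional level or
    # higher; ADForestMode is an enum, so compare it numerically.
    $forest    = Get-ADForest
    $minMode   = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $canEnable = [int]$forest.ForestMode -ge [int]$minMode

    [pscustomobject]@{
        Forest            = $forest.Name
        RecycleBinEnabled = $enabled
        EnabledScopes     = @($feature.EnabledScopes)      # partition DNs the feature is active in
        ForestMode        = $forest.ForestMode
        CanBeEnabled      = (-not $enabled) -and $canEnable
        # Which of the two methods described in the article applies right now.
        RestoreMethod     = if ($enabled) {
                                'Active Directory recycle bin (Restore-ADObject; full properties)'
                            } else {
                                'Tombstoned objects (LDP.exe / AdRestore / LEX; limited properties)'
                            }
    }
}

Get-ADRecycleBinStatus | Format-List
```

The function deliberately does not call Enable-ADOptionalFeature: enabling the Recycle Bin is a one-way change for the forest and belongs in a planned change, not in a status check.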

In the following screenshots, we can see an example of the output of the Get-ADOptionalFeature command.

In the following example, the Active Directory forest \ domain includes Active Directory recycle bin.

How can I tell if 2008 R2 AD recycle bin is turned on – not activated -01

In the following example, the Active Directory forest \ domain doesn’t include Active Directory recycle bin. We can see that the recycle bin was not enabled because the EnabledScopes property is “empty.”

How can I tell if 2008 R2 AD recycle bin is turned on – activated -02

Option 2 – Using the Active Directory administrative center

The other option (and the simpler one) is using the Active Directory administrative center tool.

When we select the domain name (o365info local in our example), we can see in the “right pane” the status of the Active Directory recycle bin.

In our example, we can see that the option named – Enable recycle bin… is not available (dimmed). The meaning is – the Active Directory recycle bin is enabled.

How can I tell if 2008 R2 AD recycle bin is turned on -admin center - activated -01

In our example, we can see that the option named – Enable recycle bin… is available. The meaning is – the Active Directory recycle bin is NOT enabled.

How can I tell if 2008 R2 AD recycle bin is turned on -admin center - not activated -01

Restore Active Directory user using Tombstoned objects versus using Active Directory recycle bin

In this section, I would like to recap all the information that we reviewed in the former sections.

The option of restoring deleted Active Directory objects (Tombstoned objects) in case the Active Directory recycle bin wasn’t enabled is always available to us, but we need to use a suitable “tool” to implement the restore process.
After we restore the Soft Deleted object, the restored object, such as a user account, will include only limited “restored properties,” such as the original GUID, SID and name values.

To be able to use the advantages of the Active Directory recycle bin, we need to activate the Active Directory recycle bin option in advance.

The main methods for Restoring Active Directory objects -01

Restore Active Directory user using Tombstoned objects

The main reason for restoring a deleted Active Directory object by using Tombstoned objects is a case in which we need to restore an Active Directory object and the Active Directory recycle bin was not enabled.

In this scenario, we need to use the LDP.exe Active Directory utility or another third-party restore utility.

Most of the information about the deleted object will not be restored!

Restore Active Directory user using Tombstoned objects -02

Restore Active Directory user using Active Directory recycle bin

As mentioned a couple of times, this method is the preferred option because, given that the Active Directory recycle bin was enabled, the restore process can be implemented simply, without the need for “special tools.”
Additionally, the restored object will include all the “original properties” that were attached to the Active Directory object, such as Password, Group membership, user information and so on.

Restore Active Directory user using Active Directory recycle bin -03

Additional reading

AdRestore tool

AdRestore .NET

Using the LDP utility

Active Directory recycle bin

Author: Eyal Doron
Publisher: o365info.com