
How to restore Active Directory deleted user account (Active Directory recycle bin is not enabled) using AdRestore, AdRestore.net and LEX – the LDAP explorer | Article 3#4 | Part 15#23

In the current article, we review the process of restoring a deleted Active Directory user account in a scenario in which the Active Directory recycle bin was not enabled (activated).

In the previous article, we reviewed the restore process using a built-in Windows Server tool named LDP.EXE.

In the current article, we review how to restore a deleted Active Directory object using third-party utilities (non-Microsoft software).

The main advantages of these tools are:

  • Even if we did not enable (activate) the Active Directory recycle bin, we still have the ability to restore Soft Deleted Active Directory objects such as a “user account.”
  • The interface and the restore process of these “tools” (especially the tools that provide a graphical interface) are easier and more user-friendly than the LDP.EXE tool.

In the current article, we review the following tools:

  1. AdRestore: a nice and simple command line tool created by Mark Russinovich (Sysinternals).
  2. AdRestore.net: a nice graphical version of the AdRestore utility written by Gil Kirkpatrick.
  3. LEX – the LDAP explorer: a free and very useful graphical utility that I found.

Restoring an Active Directory object by implementing “Reanimating Active Directory Tombstone Objects”

Just a quick reminder regarding the concept of the Active Directory Deleted object store.

The ability to restore deleted Active Directory objects is made possible by a built-in Active Directory mechanism described as the Active Directory Deleted object store.

In an Active Directory environment, when an object is deleted, it is not permanently deleted. Instead, if the Active Directory recycle bin was not enabled, the “deleted object” is stored in a special Active Directory container named Deleted Objects.

Most of the properties of the “Deleted object” are removed (stripped), apart from a very limited set of properties such as the GUID, the SID, and the Name.

The deleted object is considered “Soft Deleted.” Another technical term for describing the identity of a Soft Deleted object is Tombstone Object.

The process in which we restore a Tombstone Object is described as Reanimating.

In the following sections, we demonstrate how to use the three tools listed above for implementing the concept of “Reanimating Active Directory Tombstone Objects” (recovering Soft Deleted Active Directory objects).

1#3 | Restoring Active Directory user account using the AdRestore command line tool

In the following section, we demonstrate how to use the AdRestore command line utility to restore a Soft Deleted Active Directory user account.

Scenario description

  • Lady Gaga is an organization user (Active Directory user) that was created in the Active Directory organizational unit named Famous singers.
  • Lady Gaga Active Directory user account was deleted!

The mission

Restore Lady Gaga Active Directory user account!

The solution

We will use the AdRestore utility to:

  • View the content of the Active Directory Deleted Objects container
  • Locate the specific Soft Deleted user account (the Lady Gaga user account).
  • Restore the Soft Deleted user account to its original organizational unit.

[Screenshot: Simulating the user deletion event in Active Directory - AdRestore - 01]

First steps

  • Download the AdRestore utility.
  • The AdRestore tool is a single command line executable file (no installation needed).
  • To use the AdRestore tool, open a command prompt and change to the path in which the AdRestore tool is stored.

Given that we are in the path of the AdRestore tool, when we type the name of the executable file, AdRestore, the tool automatically displays a list of all the Soft Deleted objects (Tombstone Objects) stored in the Active Directory Deleted Objects container.

[Screenshot: Using AdRestore for restoring Active Directory user account - 01]

In our example, the Active Directory Deleted Objects container includes only two Soft Deleted user accounts.

[Screenshot: Using AdRestore for restoring Active Directory user account - 02]

The only parameter that the AdRestore tool provides is “-r” (restore).
When we add the “-r” parameter, the AdRestore tool starts an automatic restore process in which it “loops” through the list of existing Soft Deleted objects and tries to restore each of them. The AdRestore tool asks for confirmation before restoring each Soft Deleted object that appears in the list.

[Screenshot: Using AdRestore for restoring Active Directory user account - 03]

In our example, we do not approve the restore process (we type the letter “n” for NO) because we need to restore only a particular Soft Deleted Active Directory user account (the Lady Gaga user account).

[Screenshot: Using AdRestore for restoring Active Directory user account - 05]

If we want to restore only a specific Soft Deleted object, we use the following syntax:

AdRestore -r

In our example, we ask to restore the Soft Deleted Active Directory user account of the user named: lady

[Screenshot: Using AdRestore for restoring Active Directory user account - 06]

In the following screenshot, we can see that the restore process completed successfully.

[Screenshot: Using AdRestore for restoring Active Directory user account]

Dealing with a scenario of multiple Soft Deleted user accounts with an “identical identity”

In this section, I want to relate to a more complicated scenario, in which we need to restore a Soft Deleted user account, but the “issue” is that the Active Directory Deleted object store includes two (or more) seemingly identical user accounts.

This type of scenario can occur when an Active Directory user account was deleted and created a couple of times.

For example,

  • The Active Directory user is created and then deleted (Soft Deleted).
  • After a while, an Active Directory user with the same display name and E-mail address is created again as a NEW Active Directory user.
  • After a while, the NEW Active Directory user account is deleted.

In this case, the Active Directory Deleted object store will include two seemingly identical user accounts.

I use the term “seemingly identical” because the two Soft Deleted user accounts have the same display name and E-mail address, but they are not identical!

The “real differences” between the seemingly identical Soft Deleted user accounts are:

  1. The unique identifiers: the GUID and the SID values.
  2. The creation and update values: the “creation date” (WhenCreated) and the “deletion date” (WhenChanged).

Note: Active Directory doesn’t use a specific property such as “when deleted.”
Instead, the property that “tells us” when the object was deleted is WhenChanged.

To demonstrate such a case, let’s use the following scenario:

  • Lady is an organization user (Active Directory user) that was created in the Active Directory organizational unit named Famous singers.
  • The Lady Active Directory user account was deleted!
  • After a while, the Active Directory administrator creates a NEW Active Directory user account for Lady, with the same details as the previous user account that was deleted, such as the same display name, E-mail address and so on.
  • After a while, the NEW Lady Active Directory user account was deleted!

In the following screenshot, we can see two seemingly identical user accounts.

The disadvantage of the AdRestore tool is that it presents a very minimal set of the Soft Deleted object properties.

Examples of the “missing” properties are the “creation date” (WhenCreated) and the “deletion date” (WhenChanged).

In this type of scenario, we will need to use another tool for restoring Soft Deleted Active Directory objects. In other words, we cannot use the AdRestore tool in this type of “complicated restore scenario.”

[Screenshot: Using AdRestore for restoring Active Directory user account - 07]

2#3 | Restoring Active Directory user account using AdRestore.NET

In the following section, we demonstrate how to use the AdRestore.NET utility to restore a Soft Deleted Active Directory user account.

The main advantage of AdRestore.NET is that this tool provides a graphical interface that considerably improves the process of locating and restoring Soft Deleted Active Directory objects. Also, this tool provides additional information about the properties of the Soft Deleted object, such as the property WhenCreated.

Scenario description

  • Britney Spears is an organization user (Active Directory user) that was created in the Active Directory organizational unit named Famous singers.
  • Britney Spears Active Directory user account was deleted!

The mission

Restore Britney Spears Active Directory user account!

The solution

We will use the AdRestore.NET utility to:

  • View the content of the Active Directory Deleted Objects container
  • Locate the specific Soft Deleted user account (the Britney Spears user account).
  • Restore the Soft Deleted user account to its original organizational unit.

[Screenshot: Simulating the user deletion event in Active Directory - AdRestore.net - 01]

First steps

As far as I know, the link for downloading the AdRestore.net utility is not active anymore.

I found a “download link” in the article: Recover deleted Active directory user account and restore Mailbox in Server 2008 and Exchange 2010

To view the content of the Active Directory Deleted Objects container, click on the Enumerate Tombstones button.

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 01]

In the following screenshot, we can see the list of existing Soft Deleted objects.

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 02]

In our scenario, we would like to restore the Soft Deleted user account of the user named Britney.

We will need to select the specific user account (number 1) and click on the Restore Object button (number 2).

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 03]

The user account was restored successfully.

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 04]

We can see that the restored user account “disappears” from the Soft Deleted object list.

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 05]

In the following screenshot, we can see that the Britney user account was successfully restored to its original organizational unit and that now, Britney is considered an “Active user account.”

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 06]

Dealing with a scenario of multiple Soft Deleted user accounts with an “identical identity”

In this section, I want to relate to a more complicated scenario, in which we need to restore a Soft Deleted user account, but the “issue” is that the Active Directory Deleted object store includes two (or more) seemingly identical user accounts.

This type of scenario was described in the previous section.

Scenario 2 - Two (or more) Soft Deleted user accounts with the same CN (common name)

The good news is that the ADRestore.NET tool “knows” how to display additional information about Soft Deleted objects, which helps us deal with a complicated scenario in which we have two (or more) seemingly identical user accounts.

The mission

In our example, there are two “Britney Soft Deleted user accounts.”
Our mission is to restore the original Britney user account, meaning the Britney Active Directory user account that was created before the “additional Britney user account” that was created at a later stage.

In the following screenshot, we can see that in this example, there are two Soft Deleted user accounts that “look the same.”

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 07]

To locate the “original Active Directory user account,” we look at the properties of each Soft Deleted object.

To identify which is the “original user account,” we use the value stored in the property WhenCreated.

We look at the properties of the “Britney Soft Deleted user account” that is marked as Number 1.

The date of the user account creation (WhenCreated) is 10/10/2016 10:08:58 AM

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 08]

When we look at the properties of the “Britney Soft Deleted user account” that is marked as Number 2, we can see that the date of the user account creation (WhenCreated) is 10/10/2016 10:00:46 AM

This means that this user account (number 2) was created before the other user account (number 1), and the conclusion is that this Soft Deleted user account is the “original user account.”

[Screenshot: Using AdRestore.net for restoring Active Directory user account - 09]

3#3 | Restoring Active Directory user account using LEX – the LDAP explorer

In the following section, we demonstrate how to use the LEX – the LDAP explorer utility to restore a Soft Deleted Active Directory user account.

Scenario description

  • Miley Cyrus is an organization user (Active Directory user) that was created in the Active Directory organizational unit named Famous singers.
  • Miley Cyrus Active Directory user account was deleted!

The mission

Restore Miley Cyrus Active Directory user account!

The solution

We will use the LEX – the LDAP explorer utility to:

  • View the content of the Active Directory Deleted Objects container
  • Locate the specific Soft Deleted user account (the Miley Cyrus user account).
  • Restore the Soft Deleted user account to its original organizational unit.

[Screenshot: Simulating the user deletion event in Active Directory - LEX – the LDAP explorer - 01]

First steps

In the following screenshot, we can see that LEX – the LDAP explorer displays a list of the existing Active Directory organizational units.
The “catch” is that by using LEX – the LDAP Explorer, we can see an “additional organizational unit” that is hidden by default: the Deleted Objects container.

Another interesting feature of the LEX – the LDAP explorer utility is that the list of “deleted objects” includes information about Soft Deleted Active Directory objects and also about “Hard Deleted” Active Directory objects.

  • An Active Directory object is considered a Soft Deleted object if the value of the property isDeleted is TRUE.
  • An Active Directory object is considered a Hard Deleted object (non-recoverable) if the value of the property isDeleted is TRUE and, in addition, the property isRecycled is also TRUE.

The information about “Hard Deleted” Active Directory objects is just for general information, because we cannot recover Active Directory objects that are considered “Hard Deleted”.
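As an added example that is not part of this article or of any of the three tools it covers, the PowerShell below lists the user tombstones together with the GUID, SID, WhenCreated, WhenChanged and isRecycled values discussed in the AdRestore section (the two “seemingly identical” Britney accounts) and in the Soft Deleted versus Hard Deleted bullets just above, and then reanimates one tombstone, selected by its GUID, with the same LDAP modify that LDP.EXE performs. It assumes the ActiveDirectory PowerShell module, the Reanimate Tombstones control access right, and a placeholder domain controller name; the two function names are my own.

```powershell
# Added example, not the article's or any covered tool's code. Assumes the
# ActiveDirectory module, a DC reachable as $Server (placeholder), and the
# "Reanimate Tombstones" control access right on the Deleted Objects container.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server = 'dc01.example.local'   # placeholder domain controller

# Soft-deleted user tombstones with the attributes that tell "seemingly
# identical" duplicates apart; isRecycled = TRUE means hard deleted, so skipped.
function Get-UserTombstone {
    param([string]$NameFilter = '*')
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and name -like $NameFilter } `
        -Properties objectGUID, objectSid, whenCreated, whenChanged, lastKnownParent, isRecycled |
      Where-Object { -not $_.isRecycled } | Sort-Object whenCreated |
      Select-Object Name, objectGUID, objectSid, whenCreated, whenChanged, lastKnownParent
}

# Reanimate one tombstone chosen by objectGUID (never by name, so the wrong
# duplicate cannot be picked): the same LDAP modify LDP.EXE performs, i.e.
# remove isDeleted and replace distinguishedName under the Show Deleted control.
function Restore-UserTombstone {
    param([Parameter(Mandatory)][guid]$ObjectGuid, [string]$TargetContainer)
    $t = Get-ADObject -Server $Server -IncludeDeletedObjects -Identity $ObjectGuid `
            -Properties lastKnownParent, isRecycled
    if ($t.isRecycled) { throw "$ObjectGuid is hard deleted (isRecycled = TRUE)" }
    $parent = if ($TargetContainer) { $TargetContainer } else { $t.lastKnownParent }
    # Tombstone RDN is "CN=<name>\0ADEL:<guid>"; keep only the original CN part.
    $newDn = ($t.DistinguishedName -split '\\0ADEL:')[0] + ",$parent"

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $t.DistinguishedName
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($newDn)
    $req.Modifications.AddRange([System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($delIsDeleted, $setDn))
    [void]$conn.SendRequest($req)
    return $newDn   # stripped attributes (group membership etc.) still need repopulating
}

# Usage: the ORIGINAL "Britney" is the one with the oldest whenCreated.
$original = Get-UserTombstone -NameFilter 'Britney*' | Select-Object -First 1
Restore-UserTombstone -ObjectGuid $original.objectGUID
```

Because the reanimated object comes back with only the attributes a tombstone preserves, the restored account still has to be re-populated (group memberships, password, mail attributes) before it is usable.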

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 01]

If we want a more comfortable view of the Soft Deleted objects, we can use the Filter option.

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 02]

To recover a particular Soft Deleted user account, we need to:

  • Select the user account that you need to restore
  • Select the option: Recover the objects in their original container

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 03]

In the following screenshot, we can see that the user account was restored successfully!

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 04]

An additional nice feature of the LEX – the LDAP explorer utility is the ability to change the default value that Active Directory assigns for tombstone objects.

When choosing the settings icon, we can see the configuration screen that enables us to set the default tombstone lifetime.

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 05]

In the following screenshot, we can see that the Miley user account was successfully restored to its original organizational unit and that now, Miley is considered an “Active user account.”

[Screenshot: Restoring Active Directory user account using LEX – the LDAP explorer - 06]

The next article in the current article series

How to restore Active Directory deleted user account by using Active Directory recycle bin | Article 4#4 | Part 16#23

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
