
How to restore Active Directory deleted user account (Active Directory recycle bin is not enabled) using LDP.EXE | Article 2#4 | Part 14#23

In the current article, we will review the process of restoring a deleted Active Directory user in a scenario in which the Active Directory Recycle Bin was not enabled (activated). We will review how to restore a deleted Active Directory object using a built-in Windows Server tool named LDP.EXE.

LDP.EXE was not created as a “dedicated tool” for restoring deleted Active Directory objects. However, we can take advantage of the advanced capabilities of this tool to “talk” with Active Directory over LDAP, search for an Active Directory object, and update existing Active Directory objects.

For example, we will use the ability of the LDP.EXE tool to connect to Active Directory using LDAP and “expose” the system container named Deleted Objects, which is hidden by default.

In the first phase, we will use LDP.EXE as a “browser tool” that enables us to view the content of the Active Directory Deleted Objects store and to locate and select a specific deleted object.

The next phase will be to change the status of the Soft Deleted user object from Tombstoned object into a NEW status that can be described as non-Tombstoned object.

In other words – restore the deleted object (change the status of the Soft Deleted object to – Active).

Restoring Active Directory object by implementing – Reanimating Active Directory Tombstone Objects

Just a quick reminder regarding the concept of Active Directory Deleted object store.

The ability to restore deleted Active Directory objects is made possible by a built-in Active Directory mechanism described as the Active Directory Deleted Objects store.

In an Active Directory environment, when an object is deleted, the object is not permanently deleted. Instead, when the Active Directory Recycle Bin is not enabled, the “deleted object” is stored in a special Active Directory container named – Deleted Objects.

Most of the properties of the “deleted object” are removed (stripped), except for a very limited set of properties such as – GUID, SID, and name.

The deleted object is considered “Soft Deleted.” Another technical term for describing the Soft Deleted object is – Tombstone Object.

The process in which we restore a Tombstone Object is described as – Reanimating.

In the next section, we will demonstrate how to use the LDP.EXE tool for implementing the concept of “Reanimating Active Directory Tombstone Objects” (recovering Soft Deleted Active Directory objects).

You can read more information about the concept of Active Directory and deleted object in the article – Deleted Active Directory deleted User account and the Deleted object store | Basic introduction | Article 1#4 | Part 13#23

Scenario description

To demonstrate the way we use the LDP.EXE utility for restoring a Soft Deleted Active Directory user account, let’s use the following scenario:

  • Katy Perry is an organization user (Active Directory user) that was created in the Active Directory organizational unit named – Famous singers.
  • Katy Perry Active Directory user account was deleted!
  • The Active Directory “local domain name” is – local
  • The Active Directory server (Domain controller) name is – DC01
Our example - The Domain infrastructure

The mission

Restore Katy Perry Active Directory user account!

The solution

We will use the LDP.EXE utility to:

  • View the content of the Active Directory Deleted Objects container
  • Locate the specific Soft Deleted user account (Katy Perry user account).
  • Restore the Soft Deleted user account to its original organizational unit.
Restore a deleted Active Directory user object using Ldp.exe -scenario description - 01

Using LDP utility for restoring Soft Deleted Active Directory user

The LDP.EXE utility is installed by default as part of Windows Server (on a Domain Controller). To “call” the LDP.EXE utility, we use the command prompt.

It’s important that we run the command prompt as administrator:

  • Right-click on the command prompt and select the menu option – Run as administrator
Restore a deleted Active Directory user object using Ldp.exe - 01
  • Type the file name – LDP.exe
Restore a deleted Active Directory user object using Ldp.exe - 02

In the following screenshot, we can see the “empty content” of the LDP utility.

Restore a deleted Active Directory user object using Ldp.exe - 03

Phase 1#4 – connect the LDP utility to the local Active Directory

In the first phase, we need to connect to a Domain Controller server (the Domain Controller is the server that holds a copy of the Active Directory database).

  • Select the Connection menu and then the Connect… menu
Restore a deleted Active Directory user object using Ldp.exe - 04
  • In the Server box, type the name of the Domain Controller server. In our example, we connect to a Domain Controller server named – DC01.
  • Leave the default settings and click OK
Restore a deleted Active Directory user object using Ldp.exe - 05

In the following screenshot, we can see that the LDP utility successfully connected to the DC server. In the right pane, we can see the information that was “fetched” from Active Directory (the RootDSE attributes of the Domain Controller).

Restore a deleted Active Directory user object using Ldp.exe - 06

To complete the connection with the Domain Controller server, we need to bind, meaning authenticate with user credentials.

  • Select the Connection menu and then Bind… menu
Restore a deleted Active Directory user object using Ldp.exe - 07

The default option is – Bind as currently logged on user. In our example, we logged in using the domain Administrator user account, so we leave the default option (we don’t need to provide another set of user credentials). Reanimating tombstones requires permission to modify objects in the Deleted Objects container, which by default means a highly privileged account such as a member of Domain Admins.

Restore a deleted Active Directory user object using Ldp.exe - 08

Phase 2#4 – define the specific view required for displaying the content of the Active Directory Deleted object folder

In this phase, we configure the LDP utility to show the hidden Active Directory container named “Deleted Objects,” which stores all the existing Soft Deleted Active Directory objects. Technically, this adds the Return Deleted Objects LDAP control (OID 1.2.840.113556.1.4.417) to the requests LDP sends to the Domain Controller.

  • Select the menu Options and the sub menu – Controls
Restore a deleted Active Directory user object using Ldp.exe - 09
  • To define the required “view” (display the Soft Deleted objects), we will use the Load Predefined drop-down list.
Restore a deleted Active Directory user object using Ldp.exe - 10
  • In the Active Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
Restore a deleted Active Directory user object using Ldp.exe - 11
  • Click OK.
Restore a deleted Active Directory user object using Ldp.exe - 12

Phase 3#4 – view the Active Directory “tree.”

To be able to view the Active Directory Hierarchy tree, we will use the Tree menu

  • Select the View menu and then the Tree menu
Restore a deleted Active Directory user object using Ldp.exe - 13

Now, we need to “tell” the LDP utility which Active Directory “partition” we would like to browse.

We define the name of the Active Directory domain partition in the BaseDn box using X.500 (LDAP distinguished name) syntax.

We can type the required “path” by entering the information manually or select the required Active Directory domain partition from the drop-down list.

Restore a deleted Active Directory user object using Ldp.exe - 14
  • Click on the small black arrow that appears on the right side of the BaseDn box
  • Select from the list your Active Directory domain name.

In our example, the domain partition \ path is – DC=o365info, DC=local

Restore a deleted Active Directory user object using Ldp.exe - 15
  • Select the required domain name and click OK
Restore a deleted Active Directory user object using Ldp.exe - 16

On the left side, we can see that the LDP utility connected to the root domain partition
(DC=o365info, DC=local in our example).

  • Click on the plus sign to expand the content
Restore a deleted Active Directory user object using Ldp.exe - 17

In the following screenshot, we can see the hierarchical structure of the Active Directory.

In our example, the path of the Deleted Objects container is:

CN=Deleted Objects,DC=o365info,DC=local

To view the content of the Active Directory tree, click on the plus sign (number 1).

Notice that now we can see the folder that is hidden by default – the Active Directory Deleted Objects folder.

To view the content of the Active Directory Deleted Objects folder, click on the plus sign (number 2).

“Beneath” the Active Directory Deleted Objects folder, we can see the list of the existing Soft Deleted objects.

Restore a deleted Active Directory user object using Ldp.exe - 18

Phase 4#4 – restore the Soft Deleted user account

As mentioned, in our example, we would like to restore Katy’s Soft Deleted user account.

  • Locate the required Soft Deleted object (Katy’s Soft Deleted user account in our example),
    right-click it and select – Modify.
Restore a deleted Active Directory user object using Ldp.exe - 19

In the Modify dialog box:

  • In Edit Entry Attribute, type isDeleted.
  • Leave the Values box empty
Restore a deleted Active Directory user object using Ldp.exe - 20
  • Under Operation, click Delete, and then click Enter.
Restore a deleted Active Directory user object using Ldp.exe - 21
  • In Edit Entry Attribute box, type distinguishedName
  • In Values, type the original distinguished name (also known as DN) of this Active Directory object.
Restore a deleted Active Directory user object using Ldp.exe - 22

The instructions say – “type the original distinguished name (also known as DN).” But I’m sure that most of us are not familiar with this term.

Even if we know the meaning of this term, most of the time we don’t know what the exact “original distinguished name” is.

To “fetch” the value of the “original distinguished name,” we need to do some “small digging” in the properties of the Soft Deleted object that appear in the right pane of the LDP utility display.

The information about the “original distinguished name” is divided into two parts:

Part 1#2 – lastKnownParent

We will look for a value named – lastKnownParent

In our specific scenario, the value is-
lastKnownParent: OU=Famous Singers,DC=o365info,DC=local;

Restore a deleted Active Directory user object using Ldp.exe - 23

Part 2#2 – CN

We will look for a value named – CN

In our particular scenario, the CN value is – CN=Katy Perry

Restore a deleted Active Directory user object using Ldp.exe - 24

The value of the “original distinguished name” is built by “gluing” the two parts together: the CN first, followed by a comma and the lastKnownParent value.

In the following diagram, we can see the “structure” which we need to use:

Restore a deleted Active Directory user object using Ldp.exe - 24-2

In our example, the value of the “original distinguished name” is:

CN=Katy Perry,OU=Famous Singers,DC=o365info,DC=local

In simple words, this is the “Active Directory address” of Katy’s user account before it was deleted, meaning the location to which the Soft Deleted object will be restored.

Restore a deleted Active Directory user object using Ldp.exe - 25
  • Under Operation, click Replace (number 1)
  • Click Enter (number 3)
  • Make sure that the Extended check box is selected (number 2). The Extended option sends the modify operation together with the controls that are active in Options > Controls (the Return Deleted Objects control we loaded in Phase 2).
Restore a deleted Active Directory user object using Ldp.exe - 26
  • Click Run (number 4)
Restore a deleted Active Directory user object using Ldp.exe - 27

In the following screenshot, looking at the Famous Singers OU, we can see that the Soft Deleted user account was successfully restored! Keep in mind that the properties stripped at deletion time do not come back with the object: the restored account needs a new password, and its group memberships and other attributes must be re-populated before the user can work with it.

Restore a deleted Active Directory user object using Ldp.exe - 28
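The two-part DN “gluing” and the Phase 4 modify request, written out as an added example (this is not code from the original article or from LDP.EXE). It works offline on a constructed copy of the attributes the LDP right pane shows for Katy’s tombstone; the GUID is a placeholder, and the control OID and escaping rules are standard LDAP, not page-specific values.

```python
import re

# "Return Deleted Objects" (Options > Controls) is the LDAP control that makes
# tombstones visible; LDP sends it for you, it is listed here for clarity.
SHOW_DELETED_CONTROL_OID = "1.2.840.113556.1.4.417"

def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an RDN value (e.g. a comma in a CN)."""
    value = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if value[:1] in ("#", " "):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def original_dn(tombstone: dict) -> str:
    """Part 1 (CN) + Part 2 (lastKnownParent), glued into the original distinguished name."""
    if tombstone.get("isDeleted", "FALSE").upper() != "TRUE":
        raise ValueError("object is not a tombstone (isDeleted is not TRUE)")
    if not tombstone.get("lastKnownParent"):
        raise ValueError("lastKnownParent is missing; the original OU cannot be determined")
    # A tombstone's cn reads "Katy Perry\nDEL:<guid>"; in DN form LDP shows "\0ADEL:".
    name = re.split(r"\n|\\0ADEL:", tombstone["cn"])[0]
    return f"CN={escape_rdn_value(name)},{tombstone['lastKnownParent']}"

def reanimation_modify(tombstone: dict) -> dict:
    """The Phase 4 modify request as plain data: delete isDeleted, replace distinguishedName.

    It targets the tombstone's current DN under CN=Deleted Objects; LDP's 'Extended'
    check box sends it with the controls active in Options > Controls.
    """
    return {
        "dn": tombstone["distinguishedName"],
        "controls": [SHOW_DELETED_CONTROL_OID],
        "changes": [
            ("delete", "isDeleted", []),  # Values box left empty
            ("replace", "distinguishedName", [original_dn(tombstone)]),
        ],
    }

# Constructed sample, as the LDP right pane would show Katy's tombstone (GUID is a placeholder).
KATY_TOMBSTONE = {
    "distinguishedName": "CN=Katy Perry\\0ADEL:11111111-1111-1111-1111-111111111111,"
                         "CN=Deleted Objects,DC=o365info,DC=local",
    "cn": "Katy Perry\nDEL:11111111-1111-1111-1111-111111111111",
    "isDeleted": "TRUE",
    "lastKnownParent": "OU=Famous Singers,DC=o365info,DC=local",
}

if __name__ == "__main__":
    print(reanimation_modify(KATY_TOMBSTONE))
```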

Dealing with a scenario of – multiple Soft Deleted user accounts with “identical identity.”

In this section, I want to address a more complicated scenario, in which we need to restore a Soft Deleted user account, but the “issue” is that the Active Directory Deleted Objects store includes two (or more) seemingly identical user accounts.

This type of scenario can occur when the Active Directory user account was deleted and re-created a couple of times.

For example,

  • The Active Directory user is created and then deleted (Soft Deleted).
  • After a while, an Active Directory user with the same display name and E-mail address is created again as a NEW Active Directory user.
  • After a while, the NEW Active Directory user account is deleted.

In this case, the Active Directory Deleted Objects store will include two seemingly identical user accounts.

I use the term “seemingly identical” because the two Soft Deleted user accounts have the same display name and E-mail address, but they are not identical!

The “real differences” between the seemingly identical Soft Deleted user accounts are:

  1. The unique identifiers – the GUID and the SID values.
  2. The creation and update timestamps – the “creation date” (whenCreated) and the “deletion date” (whenChanged).

Note – Active Directory doesn’t keep a specific property such as “when deleted.”
Instead, the property that “tells us” when the object was deleted is – whenChanged (the deletion is the last change made to the object).

To demonstrate such a case, let’s use the following scenario:

  • Katy Perry is an organization user (Active Directory user) that was created in the Active Directory organizational unit named – Famous singers.
  • Katy Perry Active Directory user account was deleted!
  • After a while, the Active Directory Administrator creates a NEW Active Directory user account for Katy Perry, with the same details as the previous user account that was deleted, such as – the same display name, E-mail address and so on.
  • After a while, the NEW Katy Perry Active Directory user account was deleted!

The mission

We were asked to restore the “original” Katy Perry Active Directory user account!
In other words, the Katy Perry Active Directory user account that was created before the NEW Katy Perry user account.

The solution

To fulfill this requirement, we will use the LDP.EXE utility to:

  • View the content of the Active Directory Deleted Objects container
  • Locate the two specific Soft Deleted user accounts, meaning – the “original” Katy Soft Deleted user account and the NEW Katy Soft Deleted user account.
  • Locate the “whenCreated” value (the creation date of the Active Directory object) of each Soft Deleted Katy user account.
  • Compare the “whenCreated” values and pick the older one.
  • Restore the “original” Soft Deleted user account to its original organizational unit.

In other words, we want to restore the user account whose “creation date” (whenCreated) is earlier than the “creation date” (whenCreated) of the NEW user account that was created at a later stage.

In this case, we need to “fetch” this information in some way and, based on this information, “address” the particular Soft Deleted user account that we want to restore.

In the following screenshot, we can see that when we use LDP.EXE to view the content of the Active Directory Deleted Objects container, two instances of the Soft Deleted Katy user account appear.

Multiple Soft Deleted user account with identical identity LDP resore user -01

As mentioned, to be able to differentiate between these two seemingly identical user accounts, we will look for the value of the – “WhenCreated” (the Creation Date of the Active Directory object).

We randomly select one of the Soft Deleted “Katy user accounts.”

In our specific example, we select the “bottom” Soft Deleted Katy’s user account (number 1).

In the right pane, we look for the property named – “whenCreated.”

Multiple Soft Deleted user account with identical identity LDP resore user -02

The value of “WhenCreated” is – 10/10/2016 4:56:34 AM

Multiple Soft Deleted user account with identical identity LDP resore user -03

We will implement the same procedure with the “second Soft Deleted Katy’s user account” (number 2).

In the right pane, we look for the property named – “whenCreated.”

Multiple Soft Deleted user account with identical identity LDP resore user -04

The value of “WhenCreated” is – 10/10/2016 12:05:18 AM

Multiple Soft Deleted user account with identical identity LDP resore user -05

To decide which is the “original” Active Directory user account, we compare the creation dates of the two Soft Deleted user accounts. If the original account’s SID is known (for example, from an ACL entry that still references it), matching the objectSid value is an even more reliable check than the creation date.

In the following diagram, we can see that both of these Active Directory user accounts were created on the same day (10/10/2016) but…

The Katy Soft Deleted user account that we “stamped” as number 2 was created at an earlier hour.

So the answer is – this user account is the “original Active Directory user account”!

Multiple Soft Deleted user account with identical identity LDP resore user -06
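The comparison above, as an added example (not part of the original article): given the attributes of several seemingly identical tombstones, it checks that they really are distinct objects with the same name and original OU, then picks the one with the earliest whenCreated, or, when the original SID is known, the one whose objectSid matches. The two sample tombstones are constructed from the screenshots’ times (taken as UTC here); GUIDs and SIDs are placeholders.

```python
from datetime import datetime, timezone
from typing import Optional

def parse_generalized_time(value: str) -> datetime:
    """AD stores whenCreated/whenChanged as LDAP GeneralizedTime in UTC, e.g. 20161010045634.0Z."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def base_name(tombstone: dict) -> str:
    """A tombstone's cn reads '<name>\\nDEL:<guid>'; keep the part before the marker."""
    return tombstone["cn"].split("\n")[0]

def pick_original(tombstones: list, known_sid: Optional[str] = None) -> dict:
    """Choose which of several seemingly identical tombstones is the original account."""
    if len({t["objectGUID"] for t in tombstones}) != len(tombstones):
        raise ValueError("two candidates share an objectGUID; they are not distinct objects")
    if len({(base_name(t), t["lastKnownParent"]) for t in tombstones}) != 1:
        raise ValueError("candidates differ in name or original OU; not the same identity")
    if known_sid is not None:
        # A SID is unique per object, so a match settles the question outright.
        matches = [t for t in tombstones if t["objectSid"] == known_sid]
        if len(matches) != 1:
            raise ValueError(f"expected one tombstone with SID {known_sid}, found {len(matches)}")
        return matches[0]
    # The article's rule: the earliest whenCreated is the original account.
    return min(tombstones, key=lambda t: parse_generalized_time(t["whenCreated"]))

# Constructed samples mirroring the two Katy Perry tombstones (placeholders for GUID/SID).
KATY_NEW = {
    "cn": "Katy Perry\nDEL:11111111-1111-1111-1111-111111111111",
    "lastKnownParent": "OU=Famous Singers,DC=o365info,DC=local",
    "objectGUID": "11111111-1111-1111-1111-111111111111",
    "objectSid": "S-1-5-21-0-0-0-1002",
    "whenCreated": "20161010045634.0Z",  # 10/10/2016 4:56:34 AM
}
KATY_ORIGINAL = {
    "cn": "Katy Perry\nDEL:22222222-2222-2222-2222-222222222222",
    "lastKnownParent": "OU=Famous Singers,DC=o365info,DC=local",
    "objectGUID": "22222222-2222-2222-2222-222222222222",
    "objectSid": "S-1-5-21-0-0-0-1001",
    "whenCreated": "20161010000518.0Z",  # 10/10/2016 12:05:18 AM
}

if __name__ == "__main__":
    print(pick_original([KATY_NEW, KATY_ORIGINAL])["objectGUID"])
```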

The next article in the current article series

How to restore Active Directory deleted user account (Active Directory recycle bin is not enabled) using AdRestore, AdRestore.net and LEX – the LDAP explorer | Article 3#4 | Part 15#23

o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
