
How to restore Active Directory deleted user account by using Active Directory recycle bin | Article 4#4 | Part 16#23

In the current article, we review the process of restoring a deleted user account by using the Active Directory recycle bin. Technically speaking, the Active Directory recycle bin can be used for restoring any type of “Active Directory object,” such as a user account, a computer account, a group and so on.

The purpose of this article is to focus on the process we use for restoring an Active Directory user account.

Active Directory recycle bin | What is the meaning?

One of the most common misconceptions regarding the Active Directory recycle bin is that its purpose is to create a “dedicated store” for deleted Active Directory objects, and to serve as the mechanism for restoring deleted Active Directory objects to an active state.

I call this assumption a “misconception” because Active Directory already has a “dedicated store” for deleted objects even when the Active Directory recycle bin is not activated (the Active Directory recycle bin is not enabled by default).

In other words, we don’t need the Active Directory recycle bin for storing deleted Active Directory objects.

Q1: So, what is the actual need of the Active Directory recycle bin?

A1: As mentioned in an earlier article, Active Directory “knows” how to save a deleted Active Directory object in a hidden container named the Deleted Objects folder. The “problem” is that when we delete an Active Directory object and it is “sent” to the Deleted Objects folder, most of the deleted object’s properties are not preserved.
Also, Active Directory doesn’t include a built-in tool that assists us in recovering deleted objects when necessary (accessing the Deleted Objects folder and “fetching” Soft Deleted objects).
When the Active Directory recycle bin is enabled, “deleted Active Directory object management” improves significantly in two ways:

1. The complete information about Soft Deleted Active Directory objects is saved.

When an Active Directory object is deleted, the “deleted object” is still saved in the Deleted Objects folder, but now all the properties of the deleted object are kept.

2. Restore interface

The Active Directory Recycle Bin provides “tools” that help us access the Deleted Objects folder store and restore the required Soft Deleted object.

Active Directory recycle bin - What is the meaning

Active Directory recycle bin | The different interfaces

The Active Directory Recycle Bin “interface” that we use for the task of restoring Soft Deleted objects depends on the Windows Server OS version.

Windows Server version 2008 R2

If the server version is Windows Server 2008 R2, after we enable the Active Directory recycle bin, a specific PowerShell command named Restore-ADObject becomes usable. The purpose of this PowerShell command is to help us “pull” Soft Deleted Active Directory objects from the Deleted Objects folder and restore them to their original location (organizational unit).

Windows Server 2012 and later Windows Server versions

The good news is that Windows Server 2012 and later Windows Server versions include a graphical interface for managing the Active Directory recycle bin.

Although the PowerShell interface has more powerful options, most of the time the options that exist in the graphical interface will “do the job.”

  • In the first part of the current article, we review the Active Directory recycle bin management via the PowerShell interface.
  • In the second part of the current article, we review the Active Directory recycle bin management via the graphic interface.
Active Directory recycle bin - Restore objects - Available interfaces

Managing Active Directory recycle bin by using PowerShell

In the current section, we review how to use the Active Directory recycle bin for restoring Soft Deleted Active Directory objects by using PowerShell commands.

Active Directory recycle bin | The two main PowerShell commands

Managing the Active Directory recycle bin via PowerShell is implemented by using two main cmdlets: Get-ADObject and Restore-ADObject.

The PowerShell cmdlet Get-ADObject is not related directly to the Active Directory recycle bin; instead, it serves for fetching information about any type of Active Directory object.

By default, the Get-ADObject PowerShell command displays only live Active Directory objects.

If we want to display the content of the Active Directory recycle bin, we need to add an additional parameter: -IncludeDeletedObjects

Using PowerShell restoring Deleted Active Directory objects Active Directory recycle bin -01

The second part of the Active Directory recycle bin PowerShell cmdlet pair is the PowerShell command Restore-ADObject.

As the name implies, the PowerShell command Restore-ADObject pulls the deleted object from the Deleted Objects folder and restores the object to the “active object list.”

Using PowerShell restoring Deleted Active Directory objects Active Directory recycle bin -02

In other words, the restore process, when using the Active Directory recycle bin, is realized via the PowerShell command Restore-ADObject.

Active Directory recycle bin restore future - via the PowerShell command - Restore-ADObject -01

An interesting fact is that the PowerShell command Restore-ADObject is available on every domain controller as part of the Active Directory PowerShell commands, even if we didn’t enable (activate) the Active Directory recycle bin.

An interesting question is what happens in a scenario in which the Active Directory recycle bin was not enabled, and yet we try to use Restore-ADObject to restore a Soft Deleted Active Directory object that is stored in the Deleted Objects folder.

The answer appears in the following screenshot:

Active Directory recycle bin restore future - via the PowerShell command - Restore-ADObject -02

In our example, we try to use Restore-ADObject in an Active Directory domain in which the Active Directory recycle bin is not enabled.

We reference the Soft Deleted object by its GUID (Globally Unique Identifier), and use the following PowerShell command syntax:

Restore-ADObject -Identity 40b5e14a-1e12-469d-92fe-10a9463519db

The result is the following error:

Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted

The error message is not clear enough, but in simple words, it tries to tell us that the Active Directory recycle bin is not activated, and for this reason we cannot use the Restore-ADObject PowerShell command.

Using the Get-ADObject and Restore-ADObject PowerShell commands for restoring Soft Deleted Active Directory objects
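Because Restore-ADObject fails with that unhelpful error when the feature is off, a practitioner usually checks the forest state first. The following is an added example, not code from the original article: it reads the “Recycle Bin Feature” optional feature and the deleted-object lifetime from the configuration partition. The function name Test-ADRecycleBinReady is invented for this example; the 60-day fallback is the documented default tombstone lifetime for forests where the attribute is not set, and the fallback of the deleted-object lifetime to the tombstone lifetime is likewise documented behaviour.

```powershell
# Added example (not from the original article): check whether the Active Directory
# Recycle Bin is enabled and how long Soft Deleted objects remain recoverable,
# before attempting Restore-ADObject. Requires the ActiveDirectory module
# (RSAT or a domain controller). Test-ADRecycleBinReady is an invented name.
Import-Module ActiveDirectory

function Test-ADRecycleBinReady {
    [CmdletBinding()]
    param()

    # The optional feature object; EnabledScopes stays empty until the recycle bin
    # has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $enabled = ($feature.EnabledScopes.Count -gt 0)

    # Lifetime values live on the Directory Service object in the configuration partition.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # Assumption stated here: an unset tombstoneLifetime means the legacy default of 60 days,
    # and an unset msDS-DeletedObjectLifetime falls back to the tombstone lifetime.
    $tombstoneDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $deletedDays   = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }

    [pscustomobject]@{
        RecycleBinEnabled         = $enabled
        EnabledScopes             = $feature.EnabledScopes
        DeletedObjectLifetimeDays = $deletedDays
        TombstoneLifetimeDays     = $tombstoneDays
    }
}

$state = Test-ADRecycleBinReady
if (-not $state.RecycleBinEnabled) {
    Write-Warning 'Active Directory Recycle Bin is not enabled; Restore-ADObject will fail with "Illegal modify operation".'
} else {
    "Recycle Bin enabled; Soft Deleted objects stay restorable for $($state.DeletedObjectLifetimeDays) days."
}
```

Run it once per forest before a restore: the lifetime value tells you how long the window in which Restore-ADObject can still succeed actually is, which matters when the deletion is discovered late.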

Example 1 – Display information about ALL deleted objects

In this example, we would like to filter the results about deleted Active Directory objects based on the following requirements:

  • Display information about deleted Active Directory objects.
  • Filter the result by using the following parameters:
    • Display only the content of the Active Directory “deleted objects” folder.

To instruct the Get-ADObject command to display “deleted” Active Directory objects, we use the filter option. We define a filter that fetches only Active Directory objects whose “Deleted” property has the value $true.

PowerShell syntax example

Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects

In the following screenshot, we can see the result. The Get-ADObject command displays the default set of properties of the Soft Deleted objects. Note that Soft Deleted Active Directory objects have additional properties that are not displayed by default.

Using the command Get-ADObject -includeDeletedObjects -01

If we take a closer look at a particular Soft Deleted object, we can see that the Deleted property is set to “True.”

This is the way Active Directory “stamps” an Active Directory object as “deleted.”

Using the command Get-ADObject -includeDeletedObjects -02

Example 2 – Display information about ALL deleted objects + display ALL properties

In this example, we would like to filter the results about deleted Active Directory objects based on the following requirements:

  • Display information about deleted Active Directory objects.
  • Filter the result by using the following parameters:
    • Display information about all Active Directory deleted object types (user account, computer account and so on).
  • Display all the properties for each Soft Deleted object.

PowerShell syntax example

Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects -Properties *

In the following screenshot, we can see that the information about the Soft Deleted objects is now displayed with all the available properties.

Using the command Get-ADObject -includeDeletedObjects -03

Example 3 – Display information about “User account” deleted objects + display a selected set of properties

In this example, we would like to filter the results about deleted Active Directory objects based on the following requirements:

  • Display information about deleted Active Directory objects.
  • Filter the result, by using the following parameters:
    • Display only objects classified as “user account.”
  • Display specific properties for each Soft Deleted User account object.

PowerShell syntax example

Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | FL sAMAccountName,UserPrincipalName,DisplayName,ObjectGUID,WhenCreated,WhenChanged,Deleted

Using the command Get-ADObject -includeDeletedObjects -04

Example 4 – Display information about a specific deleted User account (SAM name) + display a selected set of properties

In this example, we would like to filter the results about deleted Active Directory objects based on the following requirements:

  • Display information about deleted Active Directory objects.
  • Filter the result, by using the following parameters:
    • Display information about a specific deleted user. We will reference the user by providing their SAM account name.
  • Display specific properties for the Soft Deleted user object.

PowerShell syntax example

Get-ADObject -Filter {sAMAccountName -eq "Selena"} -IncludeDeletedObjects -Properties * | FL sAMAccountName,UserPrincipalName,DisplayName,ObjectGUID,WhenCreated,WhenChanged,Deleted

Using the command Get-ADObject -includeDeletedObjects -05

Example 5 – Display information about a specific deleted User account (GUID value) + display a selected set of properties

In this example, we would like to filter the results about deleted Active Directory objects based on the following requirements:

  • Display information about deleted Active Directory objects.
  • Filter the result, by using the following parameters:
    • Display information about a specific deleted user. We will reference the user by providing their GUID value.
  • Display specific properties for the Soft Deleted user object.

PowerShell syntax example

Get-ADObject -Filter {ObjectGUID -eq "910b2cd7-b638-4c8c-a265-fd3892c48a49"} -IncludeDeletedObjects -Properties * | FL sAMAccountName,UserPrincipalName,DisplayName,ObjectGUID,WhenCreated,WhenChanged,Deleted

Using the command Get-ADObject -includeDeletedObjects -06
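The five display examples above are variations of one query. The following added example, which is not code from the original article, wraps them in a single function and goes a little beyond the page: in addition to the properties the article lists, it reads LastKnownParent and msDS-LastKnownRDN (real attributes that Active Directory stamps on a Soft Deleted object, recording the original OU and name) and isRecycled (set once the object has passed the deleted-object lifetime and can no longer be restored). The function and parameter names are invented for this example; the sample SAM account name and GUID are the article’s own values.

```powershell
# Added example (not from the original article): one query that covers the
# "display deleted objects" examples above. Get-SoftDeletedUser, -SamAccountName
# and -ObjectGuid are invented names. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SoftDeletedUser {
    [CmdletBinding(DefaultParameterSetName = 'All')]
    param(
        [Parameter(ParameterSetName = 'Sam')]  [string] $SamAccountName,
        [Parameter(ParameterSetName = 'Guid')] [guid]   $ObjectGuid
    )

    # isDeleted is the LDAP attribute behind the "Deleted" property the article filters on.
    # Every branch keeps it in the filter so live objects are never returned by accident.
    $filter = switch ($PSCmdlet.ParameterSetName) {
        'Sam'   { "isDeleted -eq `$true -and ObjectClass -eq 'user' -and sAMAccountName -eq '$SamAccountName'" }
        'Guid'  { "isDeleted -eq `$true -and ObjectGUID -eq '$ObjectGuid'" }
        default { "isDeleted -eq `$true -and ObjectClass -eq 'user'" }
    }

    $props = 'sAMAccountName', 'UserPrincipalName', 'DisplayName', 'ObjectGUID', 'ObjectSID',
             'WhenCreated', 'WhenChanged', 'LastKnownParent', 'msDS-LastKnownRDN', 'isRecycled'

    # There is no dedicated "when deleted" attribute; WhenChanged is the best available estimate.
    # LastKnownParent is the OU the object will return to on restore; Recycled objects are unrestorable.
    Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties $props |
        Select-Object sAMAccountName, UserPrincipalName, DisplayName, ObjectGUID, ObjectSID, WhenCreated,
                      @{ Name = 'DeletedAround'; Expression = { $_.WhenChanged } },
                      @{ Name = 'OriginalOU';    Expression = { $_.LastKnownParent } },
                      @{ Name = 'OriginalName';  Expression = { $_.'msDS-LastKnownRDN' } },
                      @{ Name = 'Recycled';      Expression = { [bool]$_.isRecycled } } |
        Sort-Object sAMAccountName, DeletedAround
}

# Usage (the name and GUID below are the article's sample values; replace them with your own).
Get-SoftDeletedUser | Format-Table -AutoSize
Get-SoftDeletedUser -SamAccountName 'Selena' | Format-List
Get-SoftDeletedUser -ObjectGuid '910b2cd7-b638-4c8c-a265-fd3892c48a49' | Format-List
```

The OriginalOU column is worth checking before any restore: if that OU was itself deleted, Restore-ADObject needs a -TargetPath, and the Recycled column tells you up front when a restore attempt is pointless.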

Restore Soft Deleted object

The “restore process” is implemented most of the time by using a combination of the two PowerShell commands Get-ADObject + Restore-ADObject.

Example 1 – Restore a specific Soft Deleted User account | Referencing the user by their sAMAccountName value

In this example, we would like to restore a specific deleted user account from the Active Directory recycle bin. We will reference the deleted user account by using the user’s SAM account name.

The combination of PowerShell commands that we are going to use implements the following tasks:

  • Fetch the specific deleted user account from the Active Directory recycle bin, by using the PowerShell command Get-ADObject with a filter that looks for an object whose SAM name is Selena.
  • Restore the user account to an “active state,” back to its original organizational unit (by using the PowerShell command Restore-ADObject).

PowerShell syntax example

Get-ADObject -Filter {sAMAccountName -eq "Selena"} -IncludeDeletedObjects | Restore-ADObject

Using the command Get-ADObject -includeDeletedObjects -07

Example 2 – Restore a specific Soft Deleted User account | Referencing the user by their GUID value

In this example, we would like to restore a specific deleted user account from the Active Directory recycle bin. We will reference the deleted user account by using the user’s GUID.

The combination of PowerShell commands that we are going to use implements the following tasks:

Step 1#2

  • Get the GUID value of the Soft Deleted user account of a user named Selena.

Step 2#2

  • Address the Soft Deleted user account by using its GUID value, and restore the Soft Deleted user account to an “active state,” back to its original organizational unit (by using the PowerShell command Restore-ADObject).

Phase 1#2 – Get the GUID value of a specific deleted user account

PowerShell syntax example

Get-ADObject -Filter {sAMAccountName -eq "Selena"} -IncludeDeletedObjects -Properties * | FL sAMAccountName,UserPrincipalName,DisplayName,ObjectGUID,WhenCreated,WhenChanged,Deleted

Phase 2#2 – Use the GUID value for referencing the specific deleted user account + restore the user account

PowerShell syntax example

Get-ADObject -Filter {ObjectGUID -eq "910b2cd7-b638-4c8c-a265-fd3892c48a49"} -IncludeDeletedObjects | Restore-ADObject

Using the command Get-ADObject -includeDeletedObjects -08
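Piping a name-based Get-ADObject straight into Restore-ADObject, as in Example 1, restores every object the filter matches, and Restore-ADObject prints nothing on success. The following added example, which is not code from the original article, combines the two restore examples into one function that locates candidates by sAMAccountName, refuses to proceed when more than one exists unless the caller names the GUID, restores by GUID only, and verifies afterwards that a live object with that GUID exists. Restore-SoftDeletedUser, -ObjectGuid and -TargetPath are names chosen for this example (the latter maps to the real -TargetPath parameter of Restore-ADObject); the sample values are the article’s.

```powershell
# Added example (not from the original article): guarded restore of a Soft Deleted
# user. Function and parameter names are invented for this example.
Import-Module ActiveDirectory

function Restore-SoftDeletedUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [guid]   $ObjectGuid,    # required only when several deleted objects share the name
        [string] $TargetPath     # optional: DN of an OU to restore into if the original OU is gone
    )

    $candidates = @(Get-ADObject -Filter "isDeleted -eq `$true -and ObjectClass -eq 'user' -and sAMAccountName -eq '$SamAccountName'" `
                        -IncludeDeletedObjects -Properties WhenCreated, WhenChanged, LastKnownParent, isRecycled)

    if ($candidates.Count -eq 0) { throw "No Soft Deleted user '$SamAccountName' found." }

    if ($PSBoundParameters.ContainsKey('ObjectGuid')) {
        $target = $candidates | Where-Object { $_.ObjectGUID -eq $ObjectGuid }
        if (-not $target) { throw "GUID $ObjectGuid does not match a deleted user named '$SamAccountName'." }
    } elseif ($candidates.Count -eq 1) {
        $target = $candidates[0]
    } else {
        # Several "identical" accounts: show the distinguishing evidence and stop.
        $candidates | Select-Object ObjectGUID, WhenCreated, WhenChanged, LastKnownParent |
            Format-Table -AutoSize | Out-String | Write-Warning
        throw "Several deleted users named '$SamAccountName'; re-run with -ObjectGuid."
    }

    if ($target.isRecycled) { throw "Object $($target.ObjectGUID) is recycled (past the deleted-object lifetime) and cannot be restored." }

    # Restore by GUID, never by name: the GUID is the one identifier that survives deletion unchanged.
    $restoreArgs = @{ Identity = $target.ObjectGUID }
    if ($TargetPath) { $restoreArgs['TargetPath'] = $TargetPath }

    if ($PSCmdlet.ShouldProcess("$SamAccountName ($($target.ObjectGUID))", 'Restore-ADObject')) {
        Restore-ADObject @restoreArgs
        # Restore-ADObject is silent on success, so verify: a live user with the same GUID must now exist.
        $live = Get-ADUser -Identity $target.ObjectGUID
        if ($live.ObjectGUID -ne $target.ObjectGUID) { throw 'Restore did not produce the expected object.' }
        Write-Verbose "Restored to $($live.DistinguishedName)"
        $live
    }
}

# Usage: dry run first, then restore the chosen object (sample values from the article).
Restore-SoftDeletedUser -SamAccountName 'Selena' -WhatIf
Restore-SoftDeletedUser -SamAccountName 'Selena' -ObjectGuid '910b2cd7-b638-4c8c-a265-fd3892c48a49' -Verbose
```

The -WhatIf pass is the useful part during an incident: it lists the candidates and their original OUs without changing anything, and the function returns the restored user object so the caller can immediately check group membership or password state before re-enabling access.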

Remove Soft Deleted object (Hard Delete)

An additional option that I would like to review, although it’s quite rare, is using a PowerShell command for removing deleted objects from the Active Directory recycle bin.

In other words, deleting Soft Deleted objects.

The technical term that defines this scenario is “Hard Delete.”

If we “Hard Delete” a Soft Deleted object, the object is considered “unrecoverable.”

To delete Soft Deleted Active Directory objects, we use the PowerShell command Remove-ADObject.

Example 1 – Remove (Hard Delete) a deleted user account

Phase 1#2 – Display information about Soft Deleted user accounts

In this phase, we would like to get a list of existing Soft Deleted user accounts.

PowerShell syntax example:

Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties *

In the following screenshot, we can see the list of the existing Soft Deleted user accounts. Notice that the list includes a Soft Deleted user account named Katy.

In the next phase, we will remove the Katy user account from the Active Directory recycle bin.

Using the command Get-ADObject -includeDeletedObjects -09

Phase 2#2 – Delete Soft Deleted user accounts

In this step, we would like to delete the Soft Deleted user account named Katy.

PowerShell syntax example:

Get-ADObject -Filter {Deleted -eq $true -and sAMAccountName -eq "Katy"} -IncludeDeletedObjects | Remove-ADObject -Confirm:$false

In the following screenshot, we can see the result: a list of Soft Deleted user accounts in which the name Katy no longer appears.

Using the command Get-ADObject -includeDeletedObjects -10

Example 2 – Remove (Hard Delete) ALL deleted user accounts (bulk mode)

In this scenario, we want to “clear” the content of the Active Directory recycle bin by deleting (removing) all the existing Soft Deleted objects.

We will implement this task in two phases:

Phase 1#2 – Display information about Soft Deleted objects

In this phase, we would like to get a list of existing Soft Deleted user accounts.

PowerShell syntax example:

Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties * | FL Name

Notice that we ask to display only deleted objects, and only their “Name” property.

In the following screenshot, we can see the list of the Soft Deleted user objects. Each Soft Deleted Active Directory object has the string “DEL” included in its name.

In the next phase, we will use this string for “referencing” all the Soft Deleted objects that are stored in the Active Directory recycle bin.

Using the command Get-ADObject -includeDeletedObjects -11

Phase 2#2 – Delete ALL existing Soft Deleted user accounts (clean the Active Directory recycle bin)

In this step, we get a list of all the existing Soft Deleted accounts whose name contains the string “DEL,” and then pipe the output to the PowerShell command that deletes these objects.

PowerShell syntax example:

Get-ADObject -Filter {Deleted -eq $true -and name -like "*DEL:*"} -IncludeDeletedObjects | Remove-ADObject -Confirm:$false

In the following screenshot, we can see that the “remove” PowerShell command doesn’t provide any information about the deletion process.

The only way to verify that the Soft Deleted objects were removed from the Active Directory recycle bin is to run the command that displays Soft Deleted objects again and check whether any such objects remain.

In the following screenshot, we can see that the Active Directory recycle bin is “empty.” This means that we managed to delete all the Soft Deleted objects stored in the Active Directory recycle bin.

Using the command Get-ADObject -includeDeletedObjects -12

Using the Active Directory recycle bin via the graphical interface (Windows Server 2012 and above)

In this section, we review how to use the Active Directory recycle bin graphical interface, which is available on Windows Server 2012 and later versions.

The basic assumption is that the Active Directory recycle bin was already “activated” (enabled).

If you need more information about how to enable the Active Directory Recycle Bin, you can read the article – Step 1: Enable Active Directory Recycle Bin

The Active Directory Recycle Bin graphic interface is accessible via the Active Directory Administrative Center.

  • On a Windows Server 2012 server, start Server Manager.
  • Select the Tools menu and then the Active Directory Administrative Center menu item.
Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -01

In the following screenshot, we can see the Active Directory Administrative Center management interface.

  • Under the “domain tree” (o365info local in our example), we can see a folder named – Deleted Objects (number 1)
  • On the right-side pane, we can see the content of the Active Directory recycle bin (number 2).
Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -02

To restore a specific user account, all we need to do is select the user account, right-click, and select the menu option Restore.

Note: The Active Directory Recycle Bin graphical interface doesn’t provide any “response” or message confirming that the object was successfully restored.

Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -03

Active Directory recycle bin graphical interface – additional management options

In this section, I would like to briefly review two useful options that are available to us when using the Active Directory recycle bin graphical interface.

Adding additional column properties

If we want to display additional properties of the Soft Deleted objects, we can very easily add an “additional column” to the display.

All we need to do is right-click one of the column headers (number 1), and select from the list the required property to add to the display.

Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -04

Using the search filter

In a scenario in which the Active Directory recycle bin includes a large number of Soft Deleted objects and we need to “narrow” the displayed results, we can use the “search filter” option.

The Active Directory Recycle Bin search filter enables us to “narrow” the displayed search results by defining specific parameters such as department, creation date and so on.

To activate the search filter:

  • Click on the small arrow on the right side (number 1).
Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -05
  • Click on the option – Add criteria
  • Select the required criteria by selecting the check box (number 3)
Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -06

In the following screenshot, we can see that in our example we select the criteria “When created,” so we will be able to display Soft Deleted objects that were created on a specific date.

Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -07

Dealing with a scenario of multiple Soft Deleted user accounts with an “identical identity”

In this section, I want to address a complicated scenario in which we need to restore a Soft Deleted user account, but the “issue” is that the Active Directory Deleted Objects store includes two (or more) seemingly identical user accounts.

This type of scenario can occur when an Active Directory user account was deleted and created a couple of times.

For example,

  • The Active Directory user is created and then deleted (Soft Deleted).
  • After a while, an Active Directory user with the same display name and e-mail address is created again as a NEW Active Directory user.
  • After a while, the NEW Active Directory user account is deleted.

In this case, the Active Directory recycle bin will include two seemingly identical user accounts.

I use the term “seemingly identical” because the two Soft Deleted user accounts have the same display name, e-mail address and so on.

The “real differences” between the seemingly identical Soft Deleted user accounts are:

  1. The unique identifiers – the GUID and the SID values.
  2. The creation and update values – the “creation date” (WhenCreated) and “deletion date” (WhenChanged).

Note: Active Directory doesn’t use a specific property such as “when deleted.” Instead, the property that “tells us” when the object was deleted is WhenChanged.

To demonstrate such a case, and the ways we can use for locating the “right” Soft Deleted user account that we want to restore, let’s use the following scenario:

  • Selena Gomez is an organization user (Active Directory user) that was created in the Active Directory organizational unit named – Famous singers.
  • The Selena Gomez Active Directory user account was deleted!
  • After a while, the Active Directory administrator created a NEW Active Directory user account for Selena Gomez, with the same details as the previous user account that was deleted, such as the same display name, e-mail address and so on.
  • After a while, the NEW Selena Gomez Active Directory user account was deleted!
  • The Active Directory administrator was asked to restore the Selena Gomez Active Directory user account.

The mission

We were asked to restore the “original” Selena Gomez Active Directory user account; in other words, the Selena Gomez Active Directory user account that was created before the NEW Selena Gomez user account.

The problem

We use the Active Directory recycle bin for displaying the list of Soft Deleted user accounts. In our example, we manage to locate the Selena Gomez Soft Deleted user account, but the list includes two “instances” of it.

Because the accounts look identical, we cannot tell which of these Soft Deleted user accounts is the “original user account.”

The solution

The Active Directory Recycle Bin list includes a property named When Deleted.

We will use the information stored in the When Deleted property for locating the user account whose “deletion date” is earlier than the deletion date of the “other Soft Deleted user account.”

In the following screenshot, we can see that both user accounts were deleted on the same date – 10/14/2016.

Restoring deleted user account - Active Directory recycle bin graphic interface – Server 2012 -08

As mentioned, the “original Selena user account” was deleted first, and only after some time was the “NEW Selena” user account also deleted.

Now, we need to locate the Soft Deleted user account whose “deletion date” is earlier than the deletion date of the “other Soft Deleted user account.”

Both user accounts were deleted on the same date (When Deleted 10/14/2016):

  • The deletion time of the Selena user account that appears as “number 1” in the screenshot is 1:51 PM
  • The deletion time of the Selena user account that appears as “number 2” in the screenshot is 2:50 PM

The conclusion is that the “original Selena user account” is the Selena user account that appears as “number 1.”
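The same decision can be made from PowerShell using the evidence the article reads off the GUI. The following added example, which is not code from the original article, lists the “twin” Soft Deleted accounts side by side (same display name and mail, different GUID, SID and timestamps) and goes one step beyond the page: besides ordering them by WhenChanged (the deletion time), it also orders them by WhenCreated, which separates an original from its replacement even when the two deletions are minutes apart, and warns if the two orderings disagree. Select-OriginalDeletedUser is an invented name; “Selena” is the article’s sample account.

```powershell
# Added example (not from the original article): tell two Soft Deleted accounts
# with the same name apart. Select-OriginalDeletedUser is an invented name.
Import-Module ActiveDirectory

function Select-OriginalDeletedUser {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $twins = @(Get-ADObject -Filter "isDeleted -eq `$true -and ObjectClass -eq 'user' -and sAMAccountName -eq '$SamAccountName'" `
                  -IncludeDeletedObjects -Properties DisplayName, mail, ObjectSID, WhenCreated, WhenChanged, LastKnownParent)

    if ($twins.Count -lt 2) { return $twins }   # nothing to disambiguate

    # Lay the candidates side by side: identical name and mail, distinct GUID/SID and timestamps.
    $twins | Sort-Object WhenChanged |
        Select-Object DisplayName, mail, ObjectGUID, ObjectSID, WhenCreated,
                      @{ Name = 'DeletedAround'; Expression = { $_.WhenChanged } }, LastKnownParent |
        Format-Table -AutoSize | Out-Host

    # The article's rule: the original is the one deleted earlier (WhenChanged).
    $byDeleted = $twins | Sort-Object WhenChanged | Select-Object -First 1
    # Extra check: the original is also the one that was created earlier (WhenCreated).
    $byCreated = $twins | Sort-Object WhenCreated | Select-Object -First 1

    if ($byDeleted.ObjectGUID -ne $byCreated.ObjectGUID) {
        Write-Warning 'Earliest-deleted and earliest-created candidates differ; review the table before restoring.'
    }
    $byCreated
}

$original = Select-OriginalDeletedUser -SamAccountName 'Selena'
"Original account GUID: $($original.ObjectGUID) (created $($original.WhenCreated), deleted around $($original.WhenChanged))"
```

Once the GUID of the original is known, restore by that GUID rather than by name, exactly as the GUID-based restore example earlier in the article does; the name-based form would restore both twins.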

How to locate who is the original Active Directory user account

The next article in the current article series

Restore Exchange Online USER mailbox | Directory synchronization environment | The “right way” | Part 17#23

o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
