
Deleted Active Directory User account and the Deleted object store | Basic introduction | Article 1#4 | Part 13#23

In the following article, I would like to provide a high-level review of restoring a soft-deleted Active Directory user account.

We will review the following subjects:

  1. The method that Active Directory uses for storing deleted objects such as user accounts.
  2. The two main Active Directory methods that we can use for restoring deleted Active Directory objects:
  • Tombstoned objects.
  • Active Directory recycle bin.

Overall, the preferred method is the Active Directory recycle bin, but its main drawback is that it is not activated by default. To be able to use the Active Directory recycle bin feature, we need to activate this option in advance.

In case we need to restore a soft-deleted Active Directory object and the Active Directory recycle bin was not activated, we have to fall back to the less convenient option, described as restoring tombstoned objects.

Regarding the method of restoring Active Directory objects using Active Directory recycle bin, we will review the available tools and the way we use these tools, in the following articles:

Regarding the method of restoring Tombstoned Active Directory objects, we will review the available tools and the way we use these tools in the following articles:

Active Directory and Deleted Objects system folder

Active Directory includes a hidden system folder (the Deleted Objects container) named – Deleted Objects.

The purpose of the Deleted Objects folder is to serve as a “store” for deleted Active Directory objects, such as user accounts or computer accounts.

Active Directory keeps a deleted object in the Deleted Objects folder for a limited period.
At the end of this period (180 days by default), the deleted object is removed from the Deleted Objects system folder, meaning it is permanently deleted (described as hard deleted).

Associatively, this mechanism can be described as a “recycle bin.”

The “thing” is that Microsoft prefers to use the term “Active Directory recycle bin” for another feature, implemented in Windows Server 2008 and above.

The formal Microsoft definition of “Active Directory recycle bin” refers to an option that needs to be activated, and that is based on (relies on) the Deleted Objects folder.

In case the “Active Directory recycle bin” mechanism is activated, the restore process of a soft-deleted object enables us to restore the deleted object including all of its properties.

Also, the “Active Directory recycle bin” includes tools (PowerShell commands and, on a Windows 2012 server, a graphic interface) that enable us to access the Deleted Objects folder and restore the deleted object more easily.

Metaphorically, we can relate to the “Active Directory recycle bin” as the “sophisticated brother” of the Deleted Objects folder feature.

Figure: The special Active Directory folder - Deleted Objects

Another way to define the “Active Directory recycle bin” is as a service built upon the Deleted Objects folder infrastructure, which adds an additional layer of options that enables us to fully restore the soft-deleted object, plus an extended interface and management capabilities.

Active Directory recycle bin as an additional layer over the existing Deleted object infrastructure

Why Active Directory saves deleted objects

The Active Directory mechanism that stores “Deleted Objects” is implemented automatically. In other words, we don’t need to implement any configuration setting for “activating” the Active Directory “Deleted Objects” store.

Each time we delete an Active Directory object such as a user account, the object is “sent” to the Active Directory Deleted Objects folder and “stamped” as a – tombstoned object.

The term “tombstoned object” was created to point out the fact that the particular object has a “limited lifetime.”

Note – If you are familiar with the DNS term TTL (Time To Live), which defines the lifetime of a particular DNS record, the tombstone is a similar concept.
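To make the lifetime idea concrete, here is an added PowerShell example (not code from the original article) that reads the forest’s tombstone lifetime settings and lists what currently sits in the Deleted Objects container of the current domain. It assumes the ActiveDirectory module is available and that you are running it on a domain-joined machine; the 180-day fallback is the default the article describes.

```powershell
# Added example (not code from the original article): read the forest's tombstone
# lifetime settings and list what is currently sitting in the Deleted Objects
# container of the current domain.
Import-Module ActiveDirectory

function Get-DeletedObjectsReport {
    # The lifetime settings live on the "Directory Service" object in the
    # Configuration partition, so they apply to the whole forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # When tombstoneLifetime has never been set, Active Directory uses its built-in
    # default; the article describes the default as 180 days.
    $tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 180 }

    # msDS-DeletedObjectLifetime only matters once the Recycle Bin is enabled: it is
    # how long a deleted object keeps its attributes before it becomes a tombstone.
    # When it is not set, the tombstone lifetime is used for it as well.
    $deletedObjectDays = if ($dsObject.'msDS-DeletedObjectLifetime') { $dsObject.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }

    $domainDN = (Get-ADDomain).DistinguishedName

    # Deleted objects are hidden from normal LDAP searches; -IncludeDeletedObjects
    # asks the domain controller to return them. The Deleted Objects container is
    # itself flagged isDeleted, so it is excluded by name.
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -SearchBase "CN=Deleted Objects,$domainDN" `
        -Properties whenChanged, lastKnownParent, objectSid

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tombstoneDays
        DeletedObjectLifetimeDays = $deletedObjectDays
        DeletedObjectCount        = @($deleted).Count
        # whenChanged on a deleted object is (approximately) the deletion time, so
        # the hard-delete date is whenChanged + tombstoneLifetime.
        Objects = $deleted | Select-Object Name, ObjectClass, lastKnownParent, objectSid,
            @{ n = 'DeletedOn'; e = { $_.whenChanged } },
            @{ n = 'PurgeOn';   e = { $_.whenChanged.AddDays($tombstoneDays) } }
    }
}

$report = Get-DeletedObjectsReport
$report | Select-Object TombstoneLifetimeDays, DeletedObjectLifetimeDays, DeletedObjectCount | Format-List
$report.Objects | Format-Table -AutoSize
```

The PurgeOn column is the practical output: it tells you how long you still have before a given tombstone is hard deleted and no restore method (recycle bin or tombstone reanimation) can bring it back.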

Tombstone object vs. Active Directory recycle bin object

In case we need to restore a deleted Active Directory object (a soft-deleted object, to use the more accurate term), we need to “access” the Active Directory “Deleted Objects folder” and “pull out” the object (change the status of the object to “active”).

In more technical terms, we need to update the deleted object’s status
from tombstoned object to – non-tombstoned object (active object).

The two issues with tombstoned objects are:

1. The properties of the deleted object are not saved

When we delete an Active Directory object such as a user account, the deleted object is sent to the Active Directory “Deleted Objects folder,” but most of the object’s properties are removed (deleted).

Even if we manage to restore the tombstoned object, all the information that was “attached” to the object, such as – password, e-mail address, telephone number, group membership and more, cannot be recovered!

2. No built-in interface for recovering tombstoned objects

Also, Active Directory doesn’t include “built-in tools” that we can use for “fetching” a tombstoned object from the Active Directory “Deleted Objects folder.”

In the next article, we will review some tools that we can use, such as LDP.EXE. But the LDP.EXE utility was not created as a dedicated tool for recovering tombstoned objects, and the way we use these tools is quite complicated.
Versus the disadvantages of working with tombstoned objects, the Active Directory recycle bin feature was built to improve and elaborate the Active Directory “Deleted Objects folder” infrastructure.

When we activate the Active Directory recycle bin, each time an object such as a user account is deleted, the object continues to be kept in the Active Directory “Deleted Objects folder,” but this time all the object’s properties are kept.

In a scenario in which we recover the deleted Active Directory user account, the user account is restored with its “full properties” such as – password, e-mail address, telephone number, group membership and so on.

Tombstoned object versus Active Directory recycle bin object

It’s important to mention that the Active Directory recycle bin feature is not activated (enabled) by default.
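The difference between a tombstone and a recycle-bin deleted object can be seen directly on the object. The following added PowerShell example (not code from the original article) reports which attributes of a deleted user still exist in the Deleted Objects container; the attribute lists, the function name and the account name jdoe are my own assumptions for illustration.

```powershell
# Added example (not code from the original article): report which attributes of
# a deleted user still exist in the Deleted Objects container. The account name
# used at the bottom is hypothetical.
Import-Module ActiveDirectory

function Get-DeletedUserAttributeState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # sAMAccountName is one of the attributes a tombstone keeps, so it is a usable
    # search key. The object's name is rewritten on deletion
    # ("Jane Doe\0ADEL:<guid>"), so searching by name is unreliable.
    $obj = Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
        -IncludeDeletedObjects -Properties *

    if (-not $obj) { throw "No deleted user with sAMAccountName '$SamAccountName' was found" }
    if (@($obj).Count -gt 1) { throw "More than one deleted object matches; identify it by objectGUID instead" }

    # Attributes the article says are lost on a tombstone but kept by the Recycle Bin.
    # (Password and group membership cannot be checked this way: unicodePwd is never
    # returned over LDAP, and the group links are deactivated while the object is deleted.)
    $volatile  = 'mail', 'telephoneNumber', 'displayName', 'userPrincipalName', 'givenName', 'sn'
    # Attributes that survive even on a plain tombstone.
    $preserved = 'objectGUID', 'objectSid', 'sAMAccountName', 'lastKnownParent'

    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        IsDeleted         = [bool]$obj.isDeleted
        # isRecycled is only ever set when the Recycle Bin is enabled: it marks the
        # point at which a deleted object has lost its attributes and become a tombstone.
        IsRecycled        = [bool]$obj.isRecycled
        PreservedPresent  = ($preserved | Where-Object { $obj.$_ }) -join ', '
        VolatilePresent   = ($volatile  | Where-Object { $obj.$_ }) -join ', '
        VolatileMissing   = ($volatile  | Where-Object { -not $obj.$_ }) -join ', '
    }
}

# Usage with a hypothetical account name:
Get-DeletedUserAttributeState -SamAccountName 'jdoe' | Format-List
```

On a forest without the recycle bin, VolatileMissing will list every attribute and only the preserved set (GUID, SID, sAMAccountName, last known parent) remains, which is exactly the limited restore the article warns about; with the recycle bin enabled, the volatile attributes stay populated until the object is recycled.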

Active Directory recycle bin admin interface

The Active Directory Recycle Bin feature provides us with “tools” for implementing the required recovery process from the “Deleted Objects folder.”

  • Case 1 – If your domain controller is a Windows 2008 R2 server, the Active Directory recycle bin “tool” that we use for recovering a deleted object from the “Deleted Objects folder” is – PowerShell commands. In other words, the recovery process is implemented via a command line interface.
  • Case 2 – If your domain controller is a Windows 2012 server, the Active Directory recycle bin provides a graphic interface for recovering deleted objects from the “Deleted Objects folder.”

What is the preferred option regarding the subject of restoring Active Directory deleted object?

As mentioned, recovering deleted Active Directory objects can be implemented by using one of the following options:

  • Tombstoned objects (in case that the Active Directory recycle bin is not enabled).
  • Active Directory recycle bin.
Figure: What are the available options for restoring user account

Q1: What is the preferred option regarding the subject of – restoring Active Directory deleted objects?

A1: Let’s make it simple – using the Active Directory recycle bin for recovering deleted (Soft Deleted) object is the preferred option.

So why do I bother to spend all this time on the subject of restoring tombstoned objects?

The option of recovering deleted Active Directory objects using tombstoned objects is a little primitive compared with the more sophisticated method of the Active Directory recycle bin!

Figure: The method of restoring Active Directory using tombstoned objects, as prehistoric

The simple answer is that sometimes this is the only option we have!

If we didn’t enable the Active Directory recycle bin option and we must restore a deleted Active Directory object, the only option is – using tombstoned objects.

In some scenarios using the option of Tombstoned objects is the only option

Diagram decisions

Let’s start to recap.

In case we need to restore a deleted (soft-deleted) Active Directory object such as a user account, the preferred option is – to use the Active Directory recycle bin.

In case the Active Directory recycle bin was not activated, we will need to restore the deleted object by using the tombstoned objects option.

Active Directory recycle bin was not enabled

In the next articles-

We will review how to use various tools for recovering deleted Active Directory objects in case the Active Directory recycle bin was not enabled.

We will review three available options

  1. The Active Directory LDP.exe utility.
  2. The Sysinternals utility named – AdRestore, and its graphical version.
  3. A free third-party utility named – LEX – the LDAP Explorer.

Active Directory recycle bin is enabled

We will review the process of recovering Active Directory deleted objects using the following options:

  1. PowerShell command.
  2. Windows 2012 server version – a graphic interface.
Directory Synchronized environment -Restore On-Premise Active Directory User account

In the article – How to restore Active Directory deleted user account by using Active Directory recycle bin | Article 4#4 | Part 16#23, we will review how to restore Active Directory deleted objects by using Active Directory recycle bin.

How can I know if my Active Directory domain has Active Directory recycle bin?

As mentioned, the Active Directory recycle bin needs to be enabled manually (it is not activated by default).

The central question that may come to mind is – How can I know if my Active Directory domain has the Active Directory recycle bin?

There are two options that we can use to answer this question:

Option 1 – Using the PowerShell command Get-ADOptionalFeature

Using the PowerShell command Get-ADOptionalFeature, we can verify whether the Active Directory recycle bin option was activated or not.

The syntax that we need to use is: Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

The output of this PowerShell command displays a couple of details that relate to the Active Directory recycle bin feature.

The particular property that we are looking for is named – EnabledScopes

  • In case the property – EnabledScopes is “empty,” it means that the Active Directory recycle bin was not activated.
  • In case the property – EnabledScopes is “populated,” it means that the Active Directory recycle bin was activated.
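The EnabledScopes check is easy to wrap in a reusable function. The following added PowerShell example (not code from the original article) runs the same Get-ADOptionalFeature query and turns the “empty or populated” rule into a true/false result, alongside the forest functional level the feature requires; the function name is my own.

```powershell
# Added example (not code from the original article): check whether the
# Active Directory Recycle Bin optional feature is enabled in the current forest.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # Same query as in the article; -Identity 'Recycle Bin Feature' returns the same object.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

    # EnabledScopes lists the partitions the feature was switched on for.
    # An empty list means the Recycle Bin has never been enabled.
    $scopes = @($feature.EnabledScopes)

    [pscustomobject]@{
        Feature            = $feature.Name
        Enabled            = $scopes.Count -gt 0
        EnabledScopes      = $scopes -join '; '
        # The feature object itself states the minimum forest functional level.
        RequiredForestMode = $feature.RequiredForestMode
        CurrentForestMode  = (Get-ADForest).ForestMode
    }
}

$status = Test-ADRecycleBin
$status | Format-List

if (-not $status.Enabled) {
    Write-Warning "Recycle Bin is not enabled: a deleted object is tombstoned immediately and only tombstone reanimation (e.g. LDP.exe) is possible."
}
```

Running this as a scheduled check (or as part of a domain build checklist) catches the “we never turned it on” situation before a deletion makes it matter.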

In the following screenshots, we can see an example of the output of the Get-ADOptionalFeature command.

In the following example, the Active Directory forest/domain includes the Active Directory recycle bin.

Figure: How can I tell if 2008 R2 AD recycle bin is turned on – not activated

In the following example, the Active Directory forest/domain doesn’t include the Active Directory recycle bin. We can see that the recycle bin was not enabled because the EnabledScopes property is “empty.”

Figure: How can I tell if 2008 R2 AD recycle bin is turned on – activated

Option 2 – Using the Active Directory administrative center

The other option (and the simpler one) is to use the Active Directory Administrative Center tool.

When we select the domain name (o365info local in our example), we can see on the right pane the status of the Active Directory recycle bin.

In our example, we can see that the option named – Enable Recycle Bin… is not available (dimmed). This means the Active Directory recycle bin is enabled.

Figure: How can I tell if 2008 R2 AD recycle bin is turned on - admin center - activated

In our example, we can see that the option named – Enable Recycle Bin… is available. This means the Active Directory recycle bin is NOT enabled.

Figure: How can I tell if 2008 R2 AD recycle bin is turned on - admin center - not activated

Restore Active Directory user using Tombstoned objects vs. using Active Directory recycle bin

In this section, I would like to recap all the information we reviewed in the previous sections.

The option of restoring deleted Active Directory objects (tombstoned objects) when the Active Directory recycle bin wasn’t enabled is always available to us, but we will need to use a suitable “tool” for implementing the restore process.
After we restore the soft-deleted object, the restored object, such as a user account, will include only limited “restored properties,” such as – the original GUID, SID and name values.

To be able to use the advantages of the Active Directory recycle bin, we need to activate the Active Directory recycle bin option ahead of time.
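Activating it ahead of time is a one-time, forest-wide and irreversible change, so it deserves a guarded script. The following added PowerShell example (not code from the original article) checks the current state and the required forest functional level before calling Enable-ADOptionalFeature, and runs as a dry run by default; the function name is my own assumption.

```powershell
# Added example (not code from the original article): enable the Recycle Bin for
# the forest. Enabling cannot be undone, so the call at the bottom uses -WhatIf;
# drop the switch to apply the change (Enterprise Admins membership is required).
Import-Module ActiveDirectory

function Enable-ADRecycleBinForForest {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    if (@($feature.EnabledScopes).Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in forest $($forest.Name)"
        return
    }

    # The feature object reports the minimum forest functional level it needs
    # (Windows Server 2008 R2); refuse early instead of letting the DC reject it.
    if ([int]$forest.ForestMode -lt [int]$feature.RequiredForestMode) {
        throw "Forest functional level is $($forest.ForestMode); $($feature.RequiredForestMode) or higher is required"
    }

    # ShouldProcess gives us -WhatIf / -Confirm on our own function; the inner
    # cmdlet's confirmation prompt is suppressed because we have already asked.
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Active Directory Recycle Bin (irreversible)')) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest.Name -Confirm:$false
    }
}

# Dry run: shows what would happen without changing anything.
Enable-ADRecycleBinForForest -WhatIf
```

Note that objects deleted before the feature was enabled stay plain tombstones; only deletions made after activation keep their attributes.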

Figure: The main methods for restoring Active Directory objects

Restore Active Directory user using Tombstoned objects

The main reason for restoring a deleted Active Directory object by using tombstoned objects is a case in which we need to restore an Active Directory object and the Active Directory recycle bin was not enabled.

In this scenario, we will need to use the LDP.exe Active Directory utility or another third-party restore utility.

Most of the information about the deleted object will not be restored!

Figure: Restore Active Directory user using tombstoned objects

Restore Active Directory user using Active Directory recycle bin

As mentioned a couple of times, this method is the preferred option because, given that the Active Directory recycle bin was enabled, the restore process can be implemented simply, without the need for “special tools.”
Additionally, the restored object will include all the “original properties” that were attached to the Active Directory object, such as – password, group membership, user information and so on.
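For completeness, here is what the “no special tools” restore looks like in PowerShell. This is an added example (not code from the original article, and not the walkthrough of article 4#4) that restores a deleted user with Restore-ADObject and handles the two cases that trip people up: the object has already been recycled, or its original OU was deleted too. The function name and the account name jdoe are my own assumptions.

```powershell
# Added example (not code from the original article): restore a deleted user from
# the Recycle Bin with Restore-ADObject. The account name at the bottom is hypothetical.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $deleted = Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
        -IncludeDeletedObjects -Properties lastKnownParent, isRecycled

    if (-not $deleted) { throw "No deleted user '$SamAccountName' found" }
    if (@($deleted).Count -gt 1) { throw "Several deleted objects match '$SamAccountName'; restore by objectGUID instead" }

    # Once msDS-DeletedObjectLifetime has passed, the object is "recycled": its
    # attributes are gone and Restore-ADObject refuses it.
    if ($deleted.isRecycled) { throw "Object is already recycled; it can no longer be restored from the Recycle Bin" }

    # Restore-ADObject puts the object back under lastKnownParent. If that OU was
    # deleted as well, the parent must be restored first or -TargetPath supplied.
    $parentExists = $true
    try   { $null = Get-ADObject -Identity $deleted.lastKnownParent }
    catch { $parentExists = $false }

    if ($parentExists) {
        Restore-ADObject -Identity $deleted.ObjectGUID -PassThru
    } else {
        $fallback = "CN=Users,$((Get-ADDomain).DistinguishedName)"
        Write-Warning "Original container $($deleted.lastKnownParent) no longer exists; restoring into $fallback"
        Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallback -PassThru
    }
}

# Usage with a hypothetical account, then verify that the attributes came back:
Restore-DeletedADUser -SamAccountName 'jdoe'
Get-ADUser -Identity 'jdoe' -Properties mail, telephoneNumber, memberOf |
    Select-Object Name, Enabled, mail, telephoneNumber, @{ n = 'Groups'; e = { @($_.memberOf).Count } }
```

The final Get-ADUser is the check worth keeping: a restored user whose mail, telephone number and group count are all present is the visible proof that the recycle bin, not a tombstone, was used.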

Figure: Restore Active Directory user using Active Directory recycle bin

The next article in the current article series

How to restore Active Directory deleted user account (Active Directory recycle bin is not enabled) using LDP.EXE | Article 2#4 | Part 14#23

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.