Mar 21, 2011

Restoring a deleted Active Directory object using Ldp.exe (Active Directory Recycle Bin) - Windows Server 2008 R2

A few days ago I wrote a HOWTO article about restoring objects that were deleted from AD. It was related to a Windows Server 2003 environment.
It took me some time to download the Windows Server 2008 R2 edition, so I could show how to restore objects from AD in Windows Server 2008 R2. Things in Windows Server 2008 R2 are different: its AD has a new feature called "Active Directory Recycle Bin".
When Active Directory Recycle Bin is enabled (see Enabling Active Directory Recycle Bin - Windows Server 2008 R2), all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. That is not the case when restoring a user account in Windows Server 2003 (see the previous article).

By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, the forest functional level of your AD DS or AD LDS environment must be set to Windows Server 2008 R2, which in turn requires all domain controllers in the forest, or all servers that host instances of AD LDS configuration sets, to be running Windows Server 2008 R2.

In the next few steps, I will explain how to restore a deleted user account. For the restore I will use the LDP.EXE tool (objects can also be restored using the Get-ADObject and Restore-ADObject cmdlets of Windows PowerShell).

Let's see how it's done.
Note: You should replace CONTOSO.LOCAL with your own domain and the user TEST USER with your own user.

1. In AD DS, we have a user named Test User. The user gets deleted (accidentally or on purpose). In this case, we'll delete the user manually.

2. Then, we run LDP.EXE (it must be run as ADMINISTRATOR). Go to START > RUN, type in LDP and click OK or press ENTER.

The LDP tool window opens. It looks like this:

3. Once it is open, click through:

CONNECTION > CONNECT > OK (no need to fill SERVER field. Just press OK)

As a result, you get something like:

4. Then go to CONNECTION > BIND. You'll get information about the authentication.
In addition to the previous output, you get:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Authenticated as: 'CONTOSO\Administrator'.

5. Next, go to VIEW > TREE and in "BaseDN" type DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the forest root domain name of your AD DS environment. In my case that's DC=CONTOSO,DC=LOCAL. Then press OK.

6. Now expand the tree and navigate to the CN=Deleted Objects container.

7. Now you need to locate the deleted Active Directory object, right-click it and click Modify.

Pay good attention to the following steps.

8. In Edit Entry Attribute, type isDeleted.
Leave the Values box empty.

9. Under Operation, click Delete, and then click Enter.

10. In Edit Entry Attribute, type distinguishedName (in the same window, replacing the isDeleted you previously typed).

11. In Values, type the original distinguished name (DN) of this Active Directory object, i.e. the original location of the object in AD before deletion.
In my case, that's "CN=Test User,OU=Contoso Users,DC=contoso,DC=local". You should change it accordingly.

Under Operation, click Replace.

Make sure that the Extended check box is selected, click Enter...

...and then click Run.

12. At the bottom of the right-hand pane you should see output confirming the successful restore of the user.

You should get something like:
***Call Modify...
ldap_modify_ext_s(ld, 'CN=Test User\0ADEL:bdcac14d-f15e-4571-9b0b-e0d74c628ff9,CN=Deleted Objects,DC=contoso,DC=local',[2] attrs, SvrCtrls, ClntCtrls);
Modified "CN=Test User\0ADEL:bdcac14d-f15e-4571-9b0b-e0d74c628ff9,CN=Deleted Objects,DC=contoso,DC=local".

13. After that, go to the AD DS console and check for the restored user. In the picture below you can see that the group membership is restored as well.

You're done. You have successfully restored the deleted user.
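The same restore done with the Active Directory PowerShell module instead of clicking through Ldp.exe, as an added example that is not part of the original post. It assumes the Recycle Bin is enabled, the ActiveDirectory module (RSAT) is installed, you run it as an account allowed to restore objects, and the user name and domain are the ones from this article (change them as needed).

```powershell
# Added example, not from the original post: the same restore done with the
# Active Directory PowerShell module. Assumes the AD Recycle Bin is enabled,
# the ActiveDirectory module (RSAT) is installed, and you run it as an
# account allowed to restore objects (e.g. a Domain Admin).
Import-Module ActiveDirectory

$DeletedName = 'Test User'            # sample value from the article, change as needed
$SearchBase  = 'DC=contoso,DC=local'  # forest root domain from the article

# Deleted objects are invisible to ordinary searches; -IncludeDeletedObjects
# sends the LDAP "show deleted" control, which is what lets Ldp.exe display
# the CN=Deleted Objects container. msDS-LastKnownRDN keeps the original RDN
# ("Test User"), while the current name is mangled to "Test User\0ADEL:<guid>".
$found = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$DeletedName))" `
    -IncludeDeletedObjects -SearchBase $SearchBase `
    -Properties isDeleted, isRecycled, lastKnownParent, msDS-LastKnownRDN, whenChanged)

if ($found.Count -ne 1) {
    throw "Expected exactly one deleted object named '$DeletedName', found $($found.Count)."
}
$obj = $found[0]

# Once the deleted-object lifetime expires the object becomes "recycled": most
# attributes are stripped and it can no longer be restored, only re-created.
if ($obj.isRecycled) {
    throw "'$DeletedName' is already recycled; it must be restored from a backup."
}

# The restore puts the object back under lastKnownParent. If that OU was
# deleted as well, restore it first (or pass -TargetPath to Restore-ADObject).
try {
    $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop
} catch {
    throw "Parent container '$($obj.lastKnownParent)' no longer exists; restore it first."
}

Write-Host "Restoring $($obj.ObjectClass) '$DeletedName' to $($obj.lastKnownParent) (deleted $($obj.whenChanged))"
# Equivalent to the Ldp.exe modify above: remove isDeleted and set
# distinguishedName back to the original location, as one operation.
Restore-ADObject -Identity $obj.ObjectGUID -Confirm:$false

# Verify: the account is back and, because the Recycle Bin preserved
# link-valued attributes, its group memberships came back with it.
$user = Get-ADUser -Identity $obj.ObjectGUID -Properties memberOf
$user | Select-Object DistinguishedName, Enabled, @{n='MemberOf'; e={ $_.memberOf -join '; ' }} | Format-List
```

If the user name contains LDAP filter metacharacters such as parentheses or an asterisk, escape them before building the filter.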

(Post a comment if you like it or if you have any questions.)
You take these actions at your own risk.
