How to: Restore deleted users in Active Directory

Do you remember a situation where you deleted a couple of Active Directory objects and, right after doing so, thought "oops!"? You have to restore these user objects, but how? By default, Active Directory marks all deleted objects with isDeleted = TRUE. The objects are no longer visible in your Active Directory, but they are still there; these are called tombstoned objects. By default, tombstoned objects remain available for 60 days in a Windows 2000/2003 Active Directory and for 180 days in a Windows 2003 SP1 or 2008 Active Directory.

In my test environment I created 50 test user objects and deleted a couple of them. Now we are going to restore those objects. First I downloaded the command-line tool adrestore, which I will use for the restore.


The following commands can be used:

adrestore
This command gives you an overview of all the tombstoned objects in your Active Directory.

adrestore -r
This command asks for a confirmation before restoring each individual tombstoned object.

adrestore -r "CN of the tombstoned object", for example adrestore -r testuser11
This command performs a restore of the tombstoned object testuser11.

Note: after a tombstoned object is restored, the account is disabled and the user must change the password at next logon. Before you enable the account, reset its password to one that meets the password policy configured in your Default Domain Policy.
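The same procedure in PowerShell, as an added example that is not part of the original post and not the adrestore tool's own code: it lists the tombstoned user objects, reanimates one with the LDAP undelete operation that adrestore performs (a single modify that removes isDeleted and sets the new distinguishedName, sent with the Show Deleted control), and then does the post-restore steps from the note above: reset the password, require a change at next logon, and enable the account. The CN `testuser11`, the domain controller `dc01.example.test` and the domain DN `DC=example,DC=test` are placeholders; the script assumes the ActiveDirectory module is installed and that the caller has the rights to reanimate tombstones.

```powershell
# Added example, not the original post's code: tombstone reanimation plus the
# post-restore password reset and enable. Server, domain DN and CN are placeholders.
param(
    [string]$Cn       = 'testuser11',         # CN of the deleted user (placeholder)
    [string]$Server   = 'dc01.example.test',  # domain controller (placeholder)
    [string]$DomainDn = 'DC=example,DC=test'  # domain DN (placeholder)
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Overview of tombstoned user objects (what "adrestore" without arguments shows).
#    A tombstone keeps only a few attributes; its name becomes "<cn>`nDEL:<objectGUID>"
#    and lastKnownParent records the container it was deleted from.
$tombstones = Get-ADObject -Server $Server -SearchBase $DomainDn -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -Properties lastKnownParent, objectSid
$tombstones | Select-Object Name, DistinguishedName, lastKnownParent, objectSid | Format-Table -AutoSize

# 2. Select the tombstone whose original CN matches; refuse to guess if several match.
$ts = @($tombstones | Where-Object { ($_.Name -split "`n")[0] -eq $Cn })
if ($ts.Count -eq 0) { throw "No tombstone found for CN=$Cn" }
if ($ts.Count -gt 1) { throw "Several tombstones match CN=$Cn; pick one by objectSid" }
$ts = $ts[0]

# 3. Reanimate: remove isDeleted and set the new DN in ONE modify request,
#    carrying the Show Deleted control (OID 1.2.840.113556.1.4.417).
$newDn = "CN=$Cn,$($ts.lastKnownParent)"
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()  # bind with the current user's credentials

$removeIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$removeIsDeleted.Name = 'isDeleted'
$removeIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

$undelete = New-Object System.DirectoryServices.Protocols.ModifyRequest
$undelete.DistinguishedName = $ts.DistinguishedName
[void]$undelete.Modifications.Add($removeIsDeleted)
[void]$undelete.Modifications.Add($setDn)
[void]$undelete.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

$result = $conn.SendRequest($undelete)
if ($result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
    throw "Undelete of $($ts.DistinguishedName) failed: $($result.ResultCode) $($result.ErrorMessage)"
}

# 4. The reanimated account is disabled: set a policy-compliant password,
#    force a change at next logon, then enable it and show the result.
$user = Get-ADUser -Server $Server -Identity $newDn
$newPassword = Read-Host -Prompt "New password for $Cn (must meet the domain policy)" -AsSecureString
Set-ADAccountPassword -Server $Server -Identity $user -Reset -NewPassword $newPassword
Set-ADUser -Server $Server -Identity $user -ChangePasswordAtLogon $true
Enable-ADAccount -Server $Server -Identity $user
Get-ADUser -Server $Server -Identity $user -Properties Enabled, PasswordLastSet, SID |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordLastSet, SID
```

Because the script talks to one domain controller for both the undelete and the follow-up cmdlets, the reanimated object is visible immediately instead of waiting for replication. Keep in mind that a reanimated object only has the attributes the tombstone preserved (the SID among them), so group memberships and most other attributes have to be put back by hand; if the Active Directory Recycle Bin is enabled on your forest, Restore-ADObject brings the object back with all its attributes instead.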