Manually Undeleting Objects in Active Directory
As you probably read in my previous articles – "Recovering Deleted Items in Active Directory" and “Restore Windows Server 2003 Active Directory“, an administrator might sometime need to restore deleted objects from the Active Directory database. You see, when an object is deleted from Active Directory, it is not immediately erased, but is marked for future deletion. The marker used to designate that an AD object scheduled to be destroyed is called “tombstone”. A tombstone is an object whose IsDeleted property has be set to True, and it indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table but the data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes the objects. The length of time tombstoned objects remain in the directory service before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory (by default).
There are several methods of reanimating tombstoned objects from the Active Directory. Some are listed on my “Recovering Deleted Items in Active Directory” article. Another method is to manually recover these items, a process called “Reanimation”.
To manually undelete objects in a deleted object’s container, follow these steps:
1. Click Start, click Run, and then type LDP.exe.
Note: If the LDP.exe utility is not installed, install the support tools from the Windows Server 2003 installation CD, or get them from Windows 2003 SP1 Support Tools.
2. Use the Connection menu in LDP to perform the connect operations and the bind operations to a Windows Server 2003 domain controller. Specify domain administrator credentials during the bind operation.
3. Click Options > Controls.
4. In the Load Predefined list, click Return Deleted Objects. Under Control Type, click Server, and the click OK.
5. Click View > Tree. Now type the distinguished name path of the deleted objects container in the domain where the deletion occurred, and then click OK.
Note: The distinguished name path is also known as the DN path. For example, if the deletion occurred in the petri.local domain, the DN path would be the following path:
6. In the left pane of the window, double click the Deleted Object Container.
Note: As a search result of LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use NTDSUTIL, and then set the maximum number by using maxpagesize to get the search results, as described in the following KB article: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe – 315071 7. Double-click the object that you want to undelete or to reanimate.
8. Right-click the object that you want to reanimate, and then click Modify.
9. Next, change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation.
To configure the Modify dialog, follow these steps:
a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.
b. Click the DELETE option button, and then click Enter to make the first of two entries in the Entry List dialog.
Important: Do not click Run at this phase!!!
c. In the Attribute box, type distinguishedName. In the Values box, type the new DN path of the reanimated object. For example, to reanimate the TestUser user account to the Sales OU, use the following DN path:
Note: If you want to reanimate a deleted object to its original container, append the value of the deleted object’s lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.
d. In the Operation box, click REPLACE. Click ENTER.
e. Click to select the Synchronous check box, and the Extended check box.
f. Click RUN. Note the results pane on the right side showing you that the operation was successful.
10. After you reanimate the objects, click Options > Controls and click the Check Out button to remove (1.2.840.113522.214.171.1247) from the Active Controls box list.
11. Open Active Directory Users and Computers, and reset the user account passwords, profiles, home directories and group memberships for the deleted users. You need to do this because when the object was deleted, all the attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.
12. Enable the reanimated account in Active Directory Users and Computers.
Note: The restored object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups, however, Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
13. If you do not reset the reanimated user account’s password you will get an error saying:
Windows cannot enable object TestUser because:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
For organizations using Exchange 2003 you need to remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.
In order to do so follow these steps:
- In Active Directory Users and Computers, right-click the restored user and select Exchange Tasks.
- Select Remove Exchange Attributes and click Ok all the way till the end of the wizard.
- In Exchange System Manager, navigate to the mailbox store containing the recovered user’s mailbox. Refresh the Mailboxes node list, and if needed, right-click the Mailboxes node and select Run Cleanup Agent.
Note that the deleted user’s mailbox is marked with a red X.
- Right-click the deleted mailbox, select Reconnect.
- Type the reanimated user’s name. Press Check Names, then click Ok.
- The mailbox is now reconnected. Wait a couple of minutes or re-run the Recipient Update Service from the Exchange System Manager console.
You can automate some or all of these recovery steps by using the following methods:
- Write a script that automates the manual recovery steps.
- Obtain a non-Microsoft program that supports the reanimation of deleted objects on Windows Server 2003 domain controllers. Read my "Recovering Deleted Items in Active Directory" article for more info on that.
- Changing the Tombstone Lifetime Attribute in Active Directory
- Configure a New Global Catalog
- How to Install Active Directory on Windows 2003
- Windows 2003 Domain Controller Rename
- Understanding FSMO Roles in Active Directory
- Transferring FSMO Roles
- Forcibly Removing Active Directory from a DC
- Fix an Unsuccessful DC Demotion
- Delete Failed DCs from Active Directory
- Determining FSMO Role Holders