Tools for quick recovery of deleted Active Directory objects


Gary Olsen, Contributor
11.08.2005
Perhaps one of the most feared utterances of a system admin is "Oops!" Fortunately there is an "undelete" for many operations in applications. In Windows 2003, there is also an "undelete" for quick recovery of deleted objects, although it is not widely known. Here is a quick procedure you can use to reanimate deleted Active Directory objects.

Background

When an object is deleted in Active Directory, it is really just "tombstoned." That is, the object and its mandatory attributes are moved to the Deleted Objects folder -- a sort of death row for objects. Every 15 minutes, the Garbage Collector (or Executioner) comes along and checks to see if the object's Tombstone Lifetime has expired. The Tombstone Lifetime is the period of time the object can remain in the Deleted Objects folder before it is purged from the database. This is 60 days by default, although Microsoft now recommends 120 days. If the Tombstone Lifetime has expired, it purges the object from AD.

The Tombstone Lifetime can be changed with the ADSIEdit tool. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=company,DC=com (replace DC=company,DC=com with your domain name). Right-click the CN=Directory Service object and select Properties. Find the tombstoneLifetime attribute in the list, click the Edit button and enter the number of days in the value field.

So you hear one of your fellow admins say "oops -- I just deleted an object that I shouldn't have." You could do an authoritative restore of that object, but what a time-consuming pain that is! A much faster way is simply to use the LDP.exe tool to recover it:

Now that you have the Deleted Objects folder displayed, let's reanimate one of the objects. In the following example, we have a user, Forest Gump, who was deleted from CN=Users,dc=qtest,dc=cpqcorp,dc=net. In Figure 2, we see the Deleted Objects folder expanded, and in Figure 3 we see the deleted user Forest Gump. Note the \0ADEL: in the name. All deleted users are flagged with this. Note also in Figure 3 that one of the attributes on Forest Gump is the isDeleted attribute, which is set to True. This attribute only exists on deleted users, making it easy to find them with an LDAP search. To reanimate Forest Gump, do the following:

Obviously, this method would be too laborious for a hundred or so deleted users (authoritative restore could be used for that task), but to recover a few objects it is quick, easy, hard to mess up and free! At least in my experience, if you don't get the information correct in the modify dialog, the operation simply fails. As far as I know -- and I've messed a few up -- it doesn't corrupt the object, although there is surely a way to do that.
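The bookkeeping behind that modify dialog, as an added example that is not from the article: it parses the \0ADEL: tombstone name LDP shows, rebuilds the original DN from the lastKnownParent attribute (retained on tombstones; not mentioned above), and produces the single LDAP modify that clears isDeleted and replaces distinguishedName. The Show Deleted control OID and the ldap3 call shape are assumptions stated in the comments; the sample tombstone and its GUID are constructed.

```python
from datetime import timedelta

DELETED_MARKER = r"\0ADEL:"                   # CN contains 0x0A (escaped as \0A) followed by "DEL:"
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID, needed to see CN=Deleted Objects

def parse_tombstone_dn(dn):
    """Split a tombstone DN into the original RDN, the objectGUID suffix and the container."""
    rdn, marker, rest = dn.partition(DELETED_MARKER)
    if not marker:
        raise ValueError("not a tombstone: no \\0ADEL: marker in %r" % dn)
    guid, _, container = rest.partition(",")
    return {"rdn": rdn, "guid": guid, "container": container}

def restore_target_dn(tombstone_dn, last_known_parent):
    """Re-attach the original RDN under the container the object was deleted from."""
    return parse_tombstone_dn(tombstone_dn)["rdn"] + "," + last_known_parent

def reanimation_modify(entry):
    """Return (dn, changes, controls) for the one LDAP modify that LDP.exe sends.
    `entry` holds the tombstone's attributes as an LDAP search returns them.
    Both attribute changes must go in the same request, or the server rejects it."""
    if str(entry.get("isDeleted", "")).upper() != "TRUE":
        raise ValueError("object is not tombstoned (isDeleted != TRUE)")
    target = restore_target_dn(entry["distinguishedName"], entry["lastKnownParent"])
    changes = {
        "isDeleted": [("MODIFY_DELETE", [])],                  # clear the tombstone flag
        "distinguishedName": [("MODIFY_REPLACE", [target])],   # move it out of Deleted Objects
    }
    # Assumed ldap3 shape: conn.modify(dn, changes, controls=[(SHOW_DELETED_OID, True, None)])
    return entry["distinguishedName"], changes, [(SHOW_DELETED_OID, True, None)]

def tombstone_expired(deleted_at, now, tombstone_lifetime_days=60):
    """True once the garbage collector may purge the tombstone (60 days by default)."""
    return now - deleted_at >= timedelta(days=tombstone_lifetime_days)

# Constructed sample tombstone modelled on the article's Forest Gump user (GUID made up).
SAMPLE = {
    "distinguishedName": "CN=Forest Gump" + DELETED_MARKER
        + "0c2e1c8b-1a2b-4c3d-9e8f-000000000001,CN=Deleted Objects,DC=qtest,DC=cpqcorp,DC=net",
    "isDeleted": "TRUE",
    "lastKnownParent": "CN=Users,DC=qtest,DC=cpqcorp,DC=net",
}

if __name__ == "__main__":
    dn, changes, controls = reanimation_modify(SAMPLE)
    print(dn, "->", changes["distinguishedName"][0][1][0])
```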

So keep an eye on those shoot-from-the-hip administrators, but now you won't have a coronary when you hear them say, "Oops!"


Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.
