Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Tools for quick recovery of deleted Active Directory objects

Everyone makes mistakes; even experienced system administrators. So what do you do when you accidentally delete information in Active Directory? Expert Gary Olsen outlines an easy tool that can be used to reanimate deleted objects.

Perhaps one of the most feared utterances of a system admin is "Oops!" Fortunately there is an "undelete" for many...

operations in applications. In Windows 2003, there is also an "undelete" for quick recovery of deleted objects, although it is not widely known. Here is a quick procedure you can use to reanimate deleted Active Directory objects.


When an object is deleted in Active Directory, it is really just "tombstoned." That is, the object and its mandatory attributes are moved to the Deleted Objects folder -- a sort of death row for objects. Every 15 minutes, the Garbage Collector (or Executioner) comes along and checks to see if the object's Tombstone Lifetime has expired. The Tombstone Lifetime is the period of time the object can remain in the Deleted Objects folder before it is purged from the database. This is 60 days by default, although Microsoft now recommends 120 days. If the Tombstone Lifetime has expired, it purges the object from AD.

The Tombstone Lifetime can be changed by using the ADSIEdit tool. Go to cn=directory Service,cn=windowsNT,cn=services,cn=configuration,dc=company,dc=com (replace dc=company,dc=com with your domain name). Right click on the CN=Directory Service folder and select Properties. Find Tombstone Lifetime in the attribute list, click the Edit button and enter the number of days in the value field.

So you hear one of your fellow admins say "oops -- I just deleted an object that I shouldn't have." You could do an authoritative restore of that object, but what a time-consuming pain that is! A much faster way is simply to use the LDP.exe tool to recover it:


  1. Open the LDP.exe tool, which is part of the Windows Support Tools on the Server CD. Connect to a DC and Bind (authenticate).


  2. Expose the Deleted Objects folder. By default, this folder is not visible. To see it in the LDP tool, go to the Options Menu on the LDP toolbar, and select Controls. In the Controls dialog, in the Load Predefined field, select Return Deleted Objects in the drop down list as shown in Figure 1.


  3. Go to View–Tree in the LDP toolbar, and enter the forest DN in the dialog box. If you connected to a root DC, just hit OK. If you already had the View-Tree going, you'll need to do a View-Tree again to refresh it.


  4. The Deleted Objects folder should now be visible. Expand the folder to see all tombstoned objects.

Now that you have the Deleted Objects folder displayed, let's reanimate one of the objects. In the following example, we have a user, Forest Gump, who was deleted from CN=Users,dc=qtest,dc=cpqcorp,dc=net. In Figure 2, we see the Deleted Objects folder expanded, and in Figure 3 we see the deleted user Forest Gump. Note the \0ADEL: in the name. All deleted users are flagged with this. Note also in Figure 3 that one of the attributes on Forest Gump is the isDeleted attribute, which is set to True. This attribute only exists on deleted users, making it easy to find them with an LDAP search. To reanimate Forest Gump, do the following:


  1. Right click on the user in the left pane of LDP and select Modify.


  2. In the Modify dialog, the long DN of the deleted user is in the DN field at the top.


  3. In the Edit Entry Attribute field, enter isDeleted.


  4. In the Operation area of the dialog, click the Delete radio button, then hit the Enter button. This will put [Delete]isDeleted in the "Entry List" field. This will remove the isDeleted attribute, but we have to fix the DN and get the object out of the Deleted Objects folder.


  5. In the right pane, the user attributes are still visible. Find the lastKnownParent attribute, and select the distinguished name text. In this case the lastKnownParent is CN=Users,DC=Qtest,DC=cpqcorp,DC=net. This is the location of the user when it was deleted.


  6. In the Edit Entry Attribute field, enter distinguishedName.


  7. In the Values field, paste the lastKnownParent text. Then add the rest of the DN as needed for the object. In our example, we have to add CN=Forest Gump, (don't forget the comma). Note that this puts the user object back where it came from. You could modify the DN to put the object somewhere else. For instance we could specify OU=BubbaGump,CN=Forest Gump,DC=Qtest,DC=cpqcorp,DC=net to put Forest Gump in the BubbaGump OU.


  8. In the Operation area of the dialog, select the Replace radio button, and then hit the Enter button. Figure 4 shows the result. Note that if you mess up, you can delete any of the entries in the Entry List with the Remove button, and try it again.


  9. Make sure the Synchronous and Extended boxes at the bottom of the dialog are checked 9 (Figure 4), and then hit the Run button. You should get a message similar to that in Figure 5 indicating success. If you get an error in this operation, such as "unwilling to perform," check the entries in the Edit Entry list -- you probably have a Delete where it should be Replace -- or vice-versa. Note that in Figure 6, the user was reanimated but came back as disabled. Also note that like any tombstoned object, it doesn't come back with all the attributes, including group membership. This will have to be restored manually (or script).

Obviously, this method would be too laborious to do a hundred or so deleted users (authoritative restore could be used for that task), but to recover a few objects, it is quick, easy, hard to mess up and free! At least in my experience, if you don't get the information correct in the modify dialog, the operation fails. As far as I know -- and I've messed a few up -- it doesn't corrupt the object, although there is surely a way to do that.

So keep an eye on those shoot-from-the-hip administrators, but now you won't have a coronary when you hear them say, "Oops!"


Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. 

Dig Deeper on Windows systems and network management