Tuesday, June 10, 2008

Recovering AD Deleted Objects

I posted a script a few months ago that uses PowerShell to display all deleted Active Directory objects contained in the Deleted Objects container. What I haven't shown is how to recover one of those items. Several utilities aid in the restoration process, such as LDP, NTDSUTIL (using an authoritative restore) and Sysinternals' AdRestore. But now, thanks to the excellent work of SDM Software (Darren Mar-Elia, the "GPO Guy" and founder of SDM Software), the community has two excellent PowerShell cmdlets: Get-SDMADTombstone and Restore-SDMADTombstone. Another reason not to close that PowerShell console!!

I did however run into a problem after installing the MSI package with the cmdlets not registering, so I had to run a few commands to register them manually. Remember this must be run as Administrator or the registration will fail.

set-alias installutil $env:windir\Microsoft.NET\Framework\v2.0.50727\installutil
installutil -i "C:\Program Files\SDM Software\SDM Software AD Tombstone Cmdlets\ADTombstones.dll"

Once they are successfully registered you can add them to the console with the command below, or put the same command in your PowerShell profile so you have them every time you start PS.

Add-PSSnapin SDMSoftware.PowerShell.AD.Tombstones

Now we can get to work! Running Get-SDMADTombstone with no parameters returns all objects inside the Deleted Objects container. You can narrow the result with the -Filter parameter.

Get-SDMADTombstone -Filter "DeleteME"

CN : VVDeleteME
DistinguishedName : CN=VVDeleteME\0ADEL:07ad8e5f-9169-48d0-afce-521fd4369199,CN=Deleted Objects,DC=mycompany,DC=com
Name : VVDeleteME
WhenCreated : 6/10/2008 9:04:26 PM
WhenChanged : 6/10/2008 9:35:29 PM
Description :
LastKnownParent : OU=Engineering,OU=Victorville,DC=mycompany,DC=com

CN : DeleteME
DistinguishedName : CN=DeleteME\0ADEL:ac6a9afe-2ab1-45f2-9e8e-b1c5065462e8,CN=Deleted Objects,DC=mycompany,DC=com
Name : DeleteME
WhenCreated : 6/10/2008 9:13:57 PM
WhenChanged : 6/10/2008 9:39:26 PM
Description :
LastKnownParent : OU=Engineering,OU=Victorville,DC=mycompany,DC=com

There is also a Domain parameter which lets you pass a domain name. Very helpful.

The Restore-SDMADTombstone cmdlet was designed to be used in the pipeline, for example:

Get-SDMADTombstone -Filter "deleteme" | Restore-SDMADTombstone

Are you sure you want to perform this action?
Performing operation " To be Undeleted: " on Target "CN=VVDeleteME,OU=Engineering,OU=Victorville,DC=mycompany,DC=com".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

There are, however, several drawbacks after restoring a deleted object that you need to be aware of.

1. The computer or user account needs to be re-enabled.

This is really not a drawback, but it needs to be done if you expect to restore the object and log in right afterwards.

2. If the object is a user account, the password needs to be reset.

Reset the password either to its old value or to a new one.

3. MemberOf or Members need to be re-added.

This is probably the biggest drawback. Once an object is deleted, AD strips any "forward" or "back" links from the group or user object. You will have to go back and re-add any groups the user was in, or, if it's a group you're restoring, add its members again. There are tools to enumerate these memberships so you don't have to do this manually if you can't remember all of the group members (or all of the user's groups). A simple Google search for "LDIFDE" will show you where to get that tool and how to use it for this.

4. And finally, your object attributes will be wiped out.

For example, if you had any data in the description, address, office, telephone number or logon script field, you will have to go back and fill it in.
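As an added example (not code from this post or from SDM Software), here is a post-restore fix-up that works through the four drawbacks above for a user object. It assumes the RSAT ActiveDirectory module, which is newer than this post, and the group DN and attribute values at the bottom are constructed for illustration.

```powershell
# Added example, not part of the original post or SDM Software's cmdlets.
# Assumes the RSAT ActiveDirectory module, which is newer than the post.
Import-Module ActiveDirectory

function Repair-RestoredADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName, # DN after restore (see the confirm prompt)
        [string[]]$MemberOf = @(),                         # group DNs recorded before the deletion
        [hashtable]$Attributes = @{}                       # attribute values recorded before the deletion
    )
    # Check the object really is back in its LastKnownParent before changing anything.
    $user = Get-ADUser -Identity $DistinguishedName -Properties MemberOf, Enabled

    # Drawback 1: the restored account comes back disabled.
    if (-not $user.Enabled) { Enable-ADAccount -Identity $user }

    # Drawback 2: the password is gone. Set a random one and force a change at next
    # logon so nobody has to hand the new password around in the clear.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Drawback 3: AD stripped the memberOf back links; re-add only what is missing.
    foreach ($groupDn in $MemberOf) {
        if ($user.MemberOf -notcontains $groupDn) {
            Add-ADGroupMember -Identity $groupDn -Members $user
        }
    }

    # Drawback 4: description, office, phone, logon script etc. were wiped.
    if ($Attributes.Count -gt 0) { Set-ADUser -Identity $user -Replace $Attributes }

    # Return the refreshed object so the caller can verify the result.
    Get-ADUser -Identity $DistinguishedName -Properties Enabled, MemberOf, Description, telephoneNumber, scriptPath
}

# Constructed sample values; in practice they come from an export (e.g. LDIFDE)
# taken while the object still existed.
$savedGroups = @('CN=Engineers,OU=Groups,DC=mycompany,DC=com')
$savedAttributes = @{ description = 'Victorville engineer'; telephoneNumber = '555-0100'; scriptPath = 'logon.bat' }
Repair-RestoredADUser -DistinguishedName 'CN=DeleteME,OU=Engineering,OU=Victorville,DC=mycompany,DC=com' `
    -MemberOf $savedGroups -Attributes $savedAttributes -WhatIf
```

Run it with -WhatIf first, as shown, to see every change it would make; drop the switch once the DN and saved values check out.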


Darren Mar-Elia said...

Thanks Joel! You might want to check out today's blog post (www.sdmsoftware.com/blog) related to the cmdlets and work that Guido Grillenmeier has just done. I'm also working on a 1.1 version that adds some new filtering capabilities and exposes some additional properties. I also have designs on building the work that Guido has done in leveraging AD snapshots in Server 2008 into the cmdlet, so we'll see how that goes!
Thanks again.

Joel De La Torre said...

Thank you Darren. I will check that out. Once again, excellent work and I think I speak for everyone in saying thanks for helping all us Admins look smarter than we really are! 8)