Поделиться через


Using ADRestore tool to restore deleted objects

 Have ever encountered the following scenarios? 
  • User accounts, groups, computers, OUs or other objects in domain accidentally deleted.
  • No system state backup available for authoritative restoration.
  • No other DC's available.
  When an object is deleted from Active Directory, it isn't actually removed but
is instead marked as deleted by an internal marker called a tombstone. 
If you have valid system state backup, you can refer to the following knowledge 

base article to restore the object: 
 How to restore deleted user accounts and their group memberships in 
Active Directory
https://support.microsoft.com/?id=840001 
  In case you don’t have any system state backup, you can use ADRestore 
to restore tombstoned objects. ADRestore is a command-line utility that lists 
and lets you restore deleted Windows Server 2003 AD objects. 
You can use ADRestore to restore tombstoned objects without 
performing an authoritative backup restore. You can download the utility at:
  https://www.microsoft.com/technet/sysinternals/utilities/ADRestore.mspx 
  After you install ADRestore, you can restore an object by running 
the command ADRestore –r. ADRestore removes the 'isDeleted' TRUE attribute 
from tombstoned accounts and changes the RDN back to the previous path, 
effectively resurrecting it. 
  The -r tells ADRestore to prompt the user before restoring the AD objects
to their original location. When you run the command, 
you'll see messages similar to the following: 
 ADRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com
  Enumerating domain deleted objects:
  cn: mytest1
DEL:d7076a72-8020-44c8-b562-0c5b9132d7a5
distinguishedName: CN=mytest1\0ADEL:d7076a72-8020-44c8-b562-0c5b9132d7a5,
                             CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: OU=mytest\0ADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
                          CN=Deleted Objects,DC=PYM1,DC=COM
 
 Do you want to restore this object (y/n)? y
  Restore succeeded.
  distinguishedName: OU=mytest\0ADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
                              CN=Deleted Objects,DC=PYM1,DC=COM
 lastKnownParent: DC=PYM1,DC=COM
  Do you want to restore this object (y/n)? y
  Restore succeeded.
  Found 2 items matching search criteria.
  Notes: 
  • By default, users are disabled and user passwords are empty after the above method is performed. Note that if you try to bulk enable objects and some of them have passwords which do not meet complexity/length requirements, you will not be able to re-enable them. Selecting one of them will show a more verbose error message in 2003. Your option then is to change their password or lower your password policy requirements.
  •  ADRestore cannot restore the group membership for a user. Meanwhile, not all attribute data can be restored.
  •    ADRestore is the last choice and we may use this method only when valid system state backup does not exist. Furthermore, ADrestore does not aim to substitute System state backup of domain controllers. It’s highly recommended to perform regular system state backup on domain controllers.
  • Also note that you can provide simple filters based on object names. This command enumerates all objects with the string "comp" in the name (from ADRestore /?):
                      ADRestore -r comp

Comments

  • Anonymous
    January 01, 2003
    [Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support] If you have ever

  • Anonymous
    January 01, 2003
    SYMPTOM ================== You tried to bring Network Name Resources online but could not, following

  • Anonymous
    January 01, 2003
    Greetings once again from the support trenches here on the CORE team.   I want to talk a bit about

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Very helpful

  • Anonymous
    January 01, 2003
    [Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support] If you have ever

  • Anonymous
    January 01, 2003
    Really very informative article, thanks for sharing this information regarding to restore deleted objects from Active Directory. I found good information fromhttp://www.lepide.com/lepideauditor/active-directory-control.html which gets the ability to restore active directory to the previous state and track all changes made to Active Directory and at the same time.

  • Anonymous
    July 31, 2007
    The comment has been removed

  • Anonymous
    March 04, 2008
    Hello, of course I came to visit your site and thanks for letting me know about it. I just read this post and wanted to say it is full of number one resources. Some I am familiar with. For those who don’t know these other sites they are in for a treat as there is a lot to learn there.

  • Anonymous
    February 09, 2009
    hi i have one doubt about this command. can we perform this command in real time secnario

  • Anonymous
    September 09, 2014
    Restoring deleted ad objects now very easy. Active directory manager tool provides more opts within it for restore..

    Have a try . http://adsysnet.com/downloads.aspx