Active Directory Object Recovery: Script Collection


Undoubtedly, many of you have repeatedly encountered such a problem - user accounts have been deleted. There are many articles on account recovery, and probably the best is written by Microsoft , but they all lack visibility. We will try to overcome this shortcoming by reducing the procedure for restoring accounts to simple steps.
As you know, you can restore objects in various ways, each of which is best suited in a given situation.
In this case, recovery from tombstone objects is preferable. There are several reasons for this:

  • No need to take the domain controller offline (all work, nothing is disabled)
  • recovering tombstones is much better than simply recreating a new version of a deleted object


Part of the attributes is deleted along with the removal of the object - they can no longer be restored. For example, membership in security groups.
If you re-create the object, it will always have the new attributes objectGUID and objectSid (if it is a member of a security policy, such as a user). As a result, any external object references, such as ACLs, will need to be updated to reflect the new object identifier. This can be a very big problem.
Therefore, in this post, we will first consider methods that use tombstone objects, and only at the end provides information on forced recovery. At the end of the post, we will discuss the capabilities of the NetWrix Active Directory Object Restore Wizard. Information for the post is taken from the document "Restoring Active Directory Objects: A Collection of Scripts," prepared by NetWrix. Interested parties are welcome to cat.


What needs to be restored: example



Given:
OU Finance_Department was deleted from acme.com domain with the accounts Oleg and Dmitry and the embedded OU Admins in which the Sergey account is located.
Task:
Restore the OU to all members (including the nested OU) and account attributes.

And this task will be solved in all possible ways.

1. Restore objects using ldp.exe


Procedure:
1) Turn on the display of deleted objects in the console (CN = Deleted Objects)
First, make sure that the deleted objects are displayed (by default, the CN = Deleted Objects container is not displayed. We use ldp.exe in Active Directory (requires membership in Domain Admins).
1. Launch ldp.exe. ( Start - Run - ldp.exe )
2. In the Options menu, select the Controls
item 3. In the dialog that appears, select the menu Load Predefined , select Return deleted objects in it and click OK
4. Check how the container of deleted objects is displayed:
a. To connect and bind to the server where the root domain of the Active Directory environment forest is located, in the Connections section, select Connect and click Bind .
b. Click Browse , select Structure and in the Distinguished Name (DN) field, enter DC =, DC =.
c. In the console tree, double-click the distinguished name (DN) of the root domain and find the container CN = Deleted Objects, DC = acme, DC = com.

Restoring objects:
Consider recovery using the example of the Oleg account, which is part of OU Finance_Department.

1) Run ldp.exe
2) In the Connections section, select Connect - Bind Connect and bind to the server on which the root domain of the Active Directory environment forest is located



3) In the console tree, go to the container CN = Deleted Objects (we also write DC = acme, DC = com for the domain taken as an example)
Search results
4) In the snap-in in the container CN = Deleted Objects , we right-click the object on it and select the Modify item .
5) In the Modify window, change the following parameters
a. In the Edit Entry field of the attribute, enter isDeleted
b. Leave the field Values empty
c. In the Operation section, select Delete and press the Enter
key d. In the Edit Entry Attribute field, enter distinguishedName
e. In the Values field, enter the initial distinguished name (DN) of this Active Directory object.
f. In the Operation section, select Replace.
g. Set the Extended flag , press the Enter key , and then Run.
The account has been restored but deactivated. You will need to enable it manually. It is also necessary to manually restore group membership and reset the password.
We repeat the same actions for the remaining objects:
OU Finance_Department
OU Admins of the
Dmitry
account of the Sergey
account
Summary:
There are a lot of steps to do before the object is restored.
All actions will have to be repeated for each of the deleted objects.


2. Use ADRESTORE



Recovering tombstones using LDP is easy. However, uncomfortable and long. For these purposes, there is ADRESTORE , which is designed specifically for restoring AD objects.

The utility works in two modes:
Launch without parameters . It will list all the tombstones in the default CN = Deleted Objects container of the domain. You can add a search string on the command line to select objects to display:

C:\> adrestore Finance_Department   


All objects in the CN = Deleted Objects container that contain the string "Finance_Department" in the CN or OU attribute are displayed - the LDAP search filter cn = * Finance_Department * and ou = * Finance_Department * are used. The image below shows the results of the search returned by ADRESTORE.



Restoring objects
If you want to restore a burial object, and not just find it, you must specify the –r parameter along with an additional line, for example, like this:

C:\> adrestore –r Finance_Department


To restore accounts, use the commands:

C:\> adrestore –r Oleg
C:\> adrestore –r Dmitry
C:\> adrestore –r Admins
C:\> adrestore –r Sergey


The team will offer to restore each satisfying condition-burial object. The object is restored to the container specified by the lastKnownParent attribute of the tombstone (and no other).
This command will offer to restore each suitable burial object. ADRESTORE always restores an object to the container indicated by the lastKnownParent attribute of the tombstone; there is no way to specify another container.

Bottom line:
ADRESTORE is easier to use than LDP.
The utility allows you to relatively quickly restore objects, but again without the necessary attributes - group membership and passwords will have to be manually restored. One of the most popular ways to recover objects.


3. Using AD Recycle Bin (Windows Server 2008 R2)



Active Directory Recycle Bin (AD RB) has Windows Server 2008 R2. To activate it, you must have Windows Server 2008 R2 as the forest level. AD RB resembles an ordinary Windows recycle bin - an accidentally deleted object can be quickly restored with all attributes. Moreover, the object restored from AD RB immediately receives all its attributes. By default, the “lifetime” of a remote object in AD RB is 180 days, after which it enters the Recycle Bin Lifetime state, loses attributes, and after some time is completely deleted.
In the simplest case, object recovery is performed using the Powershell cmdlets Get-ADObject and Restore-ADObject (in the event that you know exactly what you need to restore). The Get-ADObject cmdlet is used to retrieve a remote object, which is then piped to the Restore-ADObject cmdlet :
1. Run the Active Directory Module for Windows PowerShell as administrator .
2. At the Active Directory module for Windows PowerShell command prompt, enter the following command:

PS C:\> Get-ADObject -Filter {displayName -eq "user"} -IncludeDeletedObjects | Restore-ADObject


In this example,
-Filter {displayName -eq "user"} indicates that what information about the AD object is to be obtained (in the example, about the object with the display username "user),
-IncludeDeletedObjects means that the search is performed on deleted
Restore-ADObject objects
It directly repairs the AD object.
Search for deleted objects
1. Run Active Directory for Windows PowerShell as
administrator 2. At the Active Directory module for Windows PowerShell command prompt, enter the following commands to obtain the necessary information:

Listing deleted objects in acme.com

Get-ADObject -SearchBase "CN=Deleted Objects,DC=acme,DC=com"  –IncludeDeletedObjects 


Get information about what OU the remote user was in

Get-ADObject -SearchBase "CN=Deleted Objects,DC=acme,DC=com" -ldapFilter:"(msDs-lastKnownRDN=User)" –IncludeDeletedObjects –Properties lastKnownParent

Where User is the display name of the user
As a result, we get information about the OU membership of the specified user (using -Properties lastKnownParent )
Search for all deleted objects that were in this OU
As an example, take the distinguished name OU Finance_Department that was received after the previous cmdlet ( Finance_Department \ 0ADEL: e954edda-db8c-41be-bbbd-599bef5a5f2a).

Get-ADObject –SearchBase "CN=Deleted Objects,DC=acme,DC=com" -Filter {lastKnownParent -eq 'OU=Finance_Department\\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=acme,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft


Attention! If you have a nested OU, recovery is performed starting at the highest hierarchy level. In this case, this is OU = Finance_Department.

Restoring objects
1. Run the Active Directory module for Windows PowerShell
2. Restore the Finance_Department unit by running the following command at the command prompt:

Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Finance_Department)" –IncludeDeletedObjects | Restore-ADObject


3. Restore accounts and OUs that are direct children of OU Finance_Department (remember that at this stage the distinguished name Finance_Department is already restored to OU = Finance_Department, DC = acme, DC = com)

Get-ADObject -SearchBase "CN=Deleted Objects,DC=acme,DC=com" -Filter {lastKnownParent -eq "OU=Finance_Department,DC=acme,DC=com"} -IncludeDeletedObjects | Restore-ADObject


Optional (recovery of embedded OUs)
4. We restore accounts that are part of the embedded OU (for example, OU Admins, which is part of the OU Finance Department. The distinguished name in our example was restored to OU = Admins, OU = Finance_Department, DC = acme , DC = com)

Get-ADObject -SearchBase "CN=Deleted Objects,DC=acme,DC=com" -Filter {lastKnownParent -eq "OU=Admins,OU=Finance_Department,DC=acme,DC=com"} -IncludeDeletedObjects | Restore-ADObject


Detailed help about the cmdlets and their parameters by calling the Get-Help cmdlet , for example Get-Help Get-ADObject
Summary:
Objects will be restored to their original form with all attributes.
However, as we can see, this method is quite complicated when you have to work with a large number of objects.
Also required, all servers in the forest must be Windows 2008 R2.
You can use the LDP and AdRestore tools described above to restore objects with attributes with the AD bucket turned on.


4. Forced recovery using NTDSUTIL



The standard method (but, however, not the most suitable) is to force recovery from a backup in Directory Service Restore Mode . It has serious drawbacks: you need to restart the server, and secondly, restore the state of the system from the backup and mark which objects will not be overwritten by the replication process.
Recovery is performed using the NTDSUTIL command-line utility . The utility becomes available after installing the AD DS role. Using it, you can restore both OU with all contents and a separate object.
The utility is based on snapshots (snapshots) of Active Directory, which are made using the VSS service.

Attention! During AD forced recovery, the internal version number of the objects being restored is increased. After the domain controller is connected to the network, these objects will be replicated throughout the domain, and the restored version will become globally valid.

Procedure:
1. We need to restore OU Finance_Department from the acme.com domain
2. Boot
into DSRM mode (called up by pressing F8 in the boot menu) and register with the password DSRM set during Dcpromo's operation . AD does not load, the database is taken offline.

Attention! Recovery cannot be performed if NTDS AD is stopped on Server 2008 domain controllers and above.

3. Restore the system state from the backup created before the accident.

Attention! Do not restart the computer.

The ntdsutil snapshot contains both the object and its attributes. The image can be mounted and mounted as a virtual LDAP server exporting objects. We start ntdsutil :

> ntdsutil
ntdsutil: snapshot


We look through the list of available pictures:

снимок: list all


1: 2009/04/22: 23: 18 {8378f4fe-94c2-4479-b0e6-ab46b2d88225}
2: C: {732fdf7f-9133-4e62-a7e2-2362227a8c8e}
3: 2009/04/23: 00: 19 {6f7aca49 -8959-4bdf-a668-6172d28ddde6}
4: C: {cd17412a-387b-47d1-9d67-1972f49d6706} We

mount the mount command with the number or {ID}:

снимок: mount 4
Снимок {cd17412a-387b-47d1-9d67-1972f49d6706} установлен как C:\$SNAP_200904230019_VOLUMEC$\


The picture is mounted.

4. Run the
To restore Finance_Department unit.

> ntdsutil "authoritative restore" "restore subtree ou=Finance_Department,dc=acme,dc=com" q q


As a result, OU Finance_Department with the accounts included in it and the embedded OU Admins will be restored.
To restore a separate account, for example, with the display name Oleg

> ntdsutil "authoritative restore" "restore object cn=Oleg,ou=Finance_Department,dc=acme,dc=com" q q


5. Confirm safety warnings. Then a message similar to the one shown in Figure 3 will be displayed. Pay attention to the generated text and LDIF files.



Reboot the DC in normal operating system startup mode.
7. Log on to DC and open a command prompt. Import the LDIF file exported in step 5 by running the command

ldifde -i -f
ar_20110221-151131_links_contoso.com.ldf


where ar_20110221-151131_links_contoso.com.ldf is the name of the created LDIF file.
8. В результате будут импортированы значения связанных атрибутов (такие, как членство в группах) для восстановленных объектов

Attention! If the forest contains multiple domains, you must use the text file exported in step 6 to restore membership in the local groups of other domains.

Bottom line:
Accounts and objects were restored, but the Active Directory database was unavailable for a certain period of time. You also depend on the availability of current AD databases, relying on this recovery method.


5. NetWrix Active Directory Object Restore Wizard



The process of restoring objects can be greatly simplified by using the NetWrix Active Directory Object Restore Wizard .
Just want to note that our company is constantly contacted by administrators who deleted AD objects and now want to restore them. The solution we propose - NetWrix Active Directory Object Restore Wizard - although it simplifies the process of restoring objects (for example, restoring OU with all objects and their attributes in a couple of clicks), it still does not work wonders - the program must be installed in the domain and periodically done AD snapshots. Therefore, we recommend that after reading the article, still put the program to work (there is a free version with a recovery period of the last 4 days) so that the next time you do not experience such problems with restoring objects.
The utility allows you to recover deleted objects in a couple of clicks, and if the program worked before deleting objects in the domain, then recovery occurs with all attributes. As a result, you get returned accounts in a couple of minutes without serious disruption to the organization. It should also be noted that the program allows you to recover deleted mailboxes.

Work with the program is reduced to the following steps:
1. The NetWrix Active Directory Object Restore Wizard starts.



2. The recovery mode is
selected :
• Only from tombstone objects (if the program has not been installed before in the domain)
• Recovery using snapshots (if the program was installed and at least one snapshot was made)
3. Based on the analysis results, a list of deleted objects with their original hierarchy and objects is displayed
4. Select the OU or objects that you want to restore, and click Next
5. Depending on whether the program was installed earlier or not:
• If it wasn’t, then it is necessary to manually restore group membership and user passwords
• If the program was installed, then the restoration is complete and everything will work as if nothing had happened .



As you can see, object recovery takes much less time than using regular Active Directory object recovery tools.
But restoring objects is only one aspect of the program. You can also roll back changes to objects - up to the value of one attribute - the program is designed for this.

Bottom line:
Restoring objects with attributes comes down to a couple of simple steps. It is possible not only to restore objects, but also to roll back only some of their values.


All these recovery methods are given in the “First Aid Kit for Restoring AD Objects,” which you can download on our website.