Sunday, October 23, 2016

Hello Friends, in this post I will discuss how you can retrieve deleted users from Active Directory. When you delete an object (user, OU, etc.) from Active Directory, the isDeleted attribute of that object is set to true and the object is moved to the Deleted Objects container.
The Distinguished Name of the deleted object is changed as well. Every object in AD has a unique Distinguished Name (DN) that shows the location of that object in AD. When an object is deleted, its DN changes because it is removed from its current container and placed in the Deleted Objects container, so a deleted object's DN always points to the Deleted Objects container. A deleted object is kept in the Deleted Objects container for the tombstone lifetime of that object. By default an object in AD has a tombstone lifetime of 180 days, but you can change the default tombstone lifetime to any custom value, and this can be done from adsiedit.msc. After the tombstone lifetime the object is permanently deleted from AD if the AD Recycle Bin is not enabled. If the AD Recycle Bin is enabled, the deleted object is instead moved from the Deleted Objects container to the AD Recycle Bin. To summarize this with an example: let's assume I have a user netadmin and the user is accidentally deleted from AD. The user is moved to the Deleted Objects container and is kept in AD for its tombstone lifetime. The user is permanently deleted from AD after its tombstone lifetime if the AD Recycle Bin is not enabled.
We can recover a deleted user using the ldp.exe tool. The first question that comes to mind is: what is ldp.exe?
The answer, in simple words, is: "ldp.exe is a utility to view, search and modify objects in AD that can't be viewed using the administrative tools such as Active Directory Users and Computers."
Follow the steps below to recover the deleted user netadmin from Active Directory.
I had a user netadmin in the Users container, and I deleted the user accidentally.

Go to Run and type ldp.exe. You will see the ldp.exe console, which is completely blank. Go to the Connection menu in the top left corner of the window and click Connect. This opens a window like this.

We will connect to localhost. ldp.exe uses LDAP queries to fetch the information, so by default it uses port 389. After connecting to a server we need to bind using authenticated credentials. Click the Connection menu again and go to Bind, which gives you the window below. You can check the "Bind as currently logged on user" box, or explicitly enter the Administrator's credentials, and then hit OK.

Once you hit OK, the LDAP session uses the credentials you provided and looks like the snapshot below.

Click the Options menu and then go to the Controls submenu. This opens a window.

In the Load Predefined drop-down menu select Return deleted objects and hit OK. (This adds the LDAP "show deleted" control to the session; without it, tombstoned objects are not returned and cannot be modified.)
Now click the View menu in the ldp.exe window and go to the Tree submenu. This opens a new window that asks you to select the base DN for the tree view. In the drop-down select DC=domain,DC=com and hit OK. I am attaching a snapshot of the same.

After selecting the tree view you will see the Deleted Objects container, which contains the deleted netadmin user. Expand the Deleted Objects container.

Expand the deleted object. Here you can see that after expanding netadmin it says netadmin has no child objects. Now right-click the netadmin user and click Modify, which opens the window below.

In the Edit Entry Attribute field type "isDeleted". Leave the Values field blank. Under Operation select Delete and then hit the Enter button. Next, in the Edit Entry Attribute field type "distinguishedName", and in the Values field enter the Distinguished Name the user should have after recovery (its DN before the deletion). We can find this by looking at the right-hand side of the screen, which shows the lastKnownParent of the deleted object; I have highlighted it on the screenshot above. The DN of the deleted user is CN=username followed by the parent DN, so the DN of the netadmin user is CN=netadmin,CN=Users,DC=shubh,DC=com. Remember not to put any spaces in the DN. Under Operation select Replace and hit Enter. The Modify box should now look like the window below.

Click the Run button. The user is recovered and you will be able to see it under Active Directory Users and Computers. Do let me know if you have any concerns about recovering a user or understanding the whole concept.
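The same recovery can be scripted. The following is an added PowerShell example, not part of the original post: it locates the tombstone of netadmin, rebuilds the DN from lastKnownParent exactly as the manual steps do, and then sends the single LDAP modify (delete isDeleted, replace distinguishedName) with the show-deleted control that ldp.exe applies through Options > Controls. It assumes the ActiveDirectory module is installed, that you run it as a domain administrator on the domain controller itself (hence localhost:389, as in the post), and that the domain is shubh.com; the user name and domain are placeholders to adjust.

```powershell
# Added example (not from the original post): reanimate a tombstoned user with the
# same two LDAP attribute modifications that the ldp.exe steps perform.
# Assumptions: ActiveDirectory module available, run on the DC as a domain admin,
# domain shubh.com and user netadmin as in the post (both are placeholders).
Import-Module ActiveDirectory

$userName = 'netadmin'            # CN of the deleted user (assumed)
$searchBase = 'DC=shubh,DC=com'   # domain DN (assumed)

# 1. Find the tombstone. Deleted objects are only returned with
#    -IncludeDeletedObjects, the cmdlet equivalent of "Return deleted objects".
$tombstone = Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$userName*'" `
    -SearchBase $searchBase -IncludeDeletedObjects `
    -Properties isDeleted, lastKnownParent, distinguishedName

if (-not $tombstone) { throw "No deleted object named '$userName' found under $searchBase." }

# 2. Rebuild the pre-deletion DN: CN=<name> plus the lastKnownParent shown in ldp.exe.
#    The tombstone DN itself looks like CN=netadmin\0ADEL:<guid>,CN=Deleted Objects,DC=shubh,DC=com
$newDn = "CN=$userName,$($tombstone.lastKnownParent)"
Write-Host "Tombstone : $($tombstone.DistinguishedName)"
Write-Host "Restore to: $newDn"

# 3. Reanimate with one LDAP modify: delete isDeleted, replace distinguishedName.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = [System.DirectoryServices.Protocols.LdapConnection]::new('localhost:389')
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.Bind()   # binds as the currently logged-on user, like the ldp.exe checkbox

$delIsDeleted = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)   # no spaces in the DN, as the post notes

$mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($delIsDeleted, $setDn)
$request = [System.DirectoryServices.Protocols.ModifyRequest]::new($tombstone.DistinguishedName, $mods)
# The show-deleted control must accompany the modify or the DC will not address the tombstone.
[void]$request.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())

$response = $ldap.SendRequest($request)
if ($response.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
    throw "Reanimation failed: $($response.ResultCode) $($response.ErrorMessage)"
}

# 4. Verify the object is back in its original container and no longer flagged deleted.
Get-ADObject -Identity $newDn -Properties isDeleted | Select-Object DistinguishedName, isDeleted
```

Without the AD Recycle Bin, this brings back a tombstone, so most attributes (group memberships, many profile values) are gone and must be repopulated; the account is also disabled until you reset its password and enable it. If the Recycle Bin is enabled, `Restore-ADObject -Identity $tombstone` does the same job and preserves the attributes, which is the preferred path in that case.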