Hello Friends, in this post I will discuss how you can retrieve deleted users from Active Directory. When you delete an object (user, OU, and so on) from Active Directory, the object is not removed immediately. Its isDeleted attribute is set to TRUE, it is renamed, and it is moved into the CN=Deleted Objects container of its naming context. Such an object is called a tombstone.
Every object in AD has a unique distinguished name (DN) that shows where the object sits in the directory, so moving a deleted object changes its DN. The relative DN becomes the old name with a \0ADEL: suffix and the object's GUID (for example CN=netadmin\0ADEL:<objectGUID>,CN=Deleted Objects,DC=shubh,DC=com), and the original location is recorded in the lastKnownParent attribute. Most of the object's attributes are stripped when it becomes a tombstone; only a handful survive, such as objectGUID, objectSid, sAMAccountName and lastKnownParent. A tombstone is kept for the tombstone lifetime of the forest. The default is 180 days for forests created on Windows Server 2003 SP1 or later and 60 days for older forests; the value lives in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=... and can be changed with adsiedit.msc. After the tombstone lifetime the object is garbage collected and is gone for good, unless it has been reanimated before then. If the AD Recycle Bin optional feature is enabled (Windows Server 2008 R2 forest functional level or later), the deleted object still goes to CN=Deleted Objects, but it keeps all of its attributes for the deleted object lifetime (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime) and can be fully restored with Restore-ADObject; only after that period does it become a stripped, recycled object that is garbage collected once the tombstone lifetime expires. To summarize with an example: assume I have a user netadmin and the user is accidentally deleted. netadmin now sits in CN=Deleted Objects as a tombstone, with isDeleted set to TRUE and lastKnownParent pointing at CN=Users. If the Recycle Bin is not enabled, the tombstone is purged after the tombstone lifetime, so the reanimation described below has to happen before that.
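To check these settings in your own forest instead of relying on the defaults, here is an added PowerShell example (mine, not from the original post). It reads tombstoneLifetime and msDS-DeletedObjectLifetime from the Directory Service object, reports whether the Recycle Bin feature is enabled, and lists what is currently sitting in CN=Deleted Objects. It assumes a domain-joined session with the ActiveDirectory module (RSAT) installed; no other names are taken from the post.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# tombstoneLifetime and msDS-DeletedObjectLifetime live on the Directory Service
# object in the Configuration naming context (the object the post edits via adsiedit.msc).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                           -Properties tombstoneLifetime, msDS-DeletedObjectLifetime

# When tombstoneLifetime is not set at all, the old Windows 2000/2003 default of 60 days applies.
$tsl = if ($dsSettings.tombstoneLifetime) { [int]$dsSettings.tombstoneLifetime } else { 60 }
"tombstoneLifetime: $tsl days"

# The Recycle Bin is an optional feature; it is enabled when EnabledScopes is non-empty.
$recycleBin = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
$rbEnabled  = ($recycleBin.EnabledScopes.Count -gt 0)
"Recycle Bin enabled: $rbEnabled"

if ($rbEnabled) {
    # msDS-DeletedObjectLifetime falls back to tombstoneLifetime when it is not set explicitly.
    $dol = if ($dsSettings.'msDS-DeletedObjectLifetime') { [int]$dsSettings.'msDS-DeletedObjectLifetime' } else { $tsl }
    "Deleted objects keep all attributes for $dol days, then are recycled for another $tsl days"
} else {
    "Tombstones are garbage collected after $tsl days; reanimate before then or the object is gone"
}

# What is currently in CN=Deleted Objects (excluding the container itself).
# -IncludeDeletedObjects attaches the show-deleted LDAP control for you.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged
```

Run this before attempting a recovery: if the Recycle Bin is enabled you should use Restore-ADObject rather than the manual reanimation in this post, because it brings the object back with all attributes intact.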
We can recover the deleted user with the ldp.exe tool. The first question that comes to mind is: what is ldp.exe?
In simple words, ldp.exe is a graphical LDAP client that ships with the AD DS tools (on domain controllers and in RSAT). It lets you connect and bind to a directory server, browse the tree, run searches, and view or modify any object and attribute, including with LDAP controls, which is more than the administrative tools such as Active Directory Users and Computers expose. The "return deleted objects" control we use below is one such example.
Follow the steps below to recover the deleted user netadmin from Active Directory.
I had a user netadmin in the Users OU and deleted the user accidentally.
Open Run and type ldp.exe. The ldp.exe console opens completely blank. Go to the Connection menu in the top left corner of the window and click Connect. This opens a window like the one shown.
We connect to localhost because we are running ldp.exe on the domain controller itself; ldp.exe speaks LDAP, so by default it uses port 389. After connecting to the server we need to bind with an authenticated credential. Open the Connection menu again and click Bind, which gives you the window below. You can tick "Bind as currently logged on user", or you can explicitly supply the credentials of an account with the required rights (Domain Admins have the Reanimate Tombstones control access right by default) and hit OK. Prefer the logged-on-user or credentials option over a simple bind: a simple bind on port 389 sends the password in cleartext, whereas the default bind uses Negotiate (Kerberos). If you must use a simple bind, connect over LDAPS on port 636 instead.
Once you hit OK, every LDAP request ldp.exe sends will use the credential you supplied, and the output pane will look like the snapshot below.
Click the Options menu and then the Controls item. This opens the Controls window. In the "Load Predefined" drop-down select "Return deleted objects" and hit OK. This attaches the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417) to the requests ldp.exe sends; without it, the server hides tombstones from searches and will not let you modify them.
Now click the View menu on the ldp.exe window and choose Tree. A new window asks you for the base DN of the tree view. In the drop-down select your domain, for example DC=domain,DC=com, and hit OK. I am attaching a snapshot of the same.
After selecting the tree view you will see the CN=Deleted Objects container, which contains the deleted netadmin user. Expand the Deleted Objects container.
Expand the deleted object. Here you can see that after expanding netadmin, ldp.exe reports that netadmin has no child objects, which is expected for a user. The attributes in the right-hand pane confirm the tombstone state: isDeleted is TRUE, the DN carries the \0ADEL: suffix, and lastKnownParent shows where the object used to live. Now right-click the netadmin entry and click Modify, which opens the window below.
In the Edit Entry section type isDeleted in the Attribute field and leave the Values field blank. Under Operation select Delete and click Enter, so the change is added to the entry list.
Next, type distinguishedName in the Attribute field, and in the Values field enter the DN the user should have after recovery (normally its DN before the deletion). You can work this out from the right-hand pane, which shows the lastKnownParent of the deleted object; I have highlighted it in the screenshot above. Build the DN as CN=<username>, followed by the parent DN, so for netadmin it becomes CN=netadmin,CN=Users,DC=shubh,DC=com. Type it without spaces after the commas, and make sure the parent container still exists and that no other object already has that DN; if the parent OU was deleted too, reanimate the OU first. Under Operation select Replace and click Enter. Both changes must go in the same modify request, which is why they are added to one entry list. The Modify window should now look like the window below.
Click Run. The LDAP modify reanimates the tombstone and you will be able to see the user under Active Directory Users and Computers. Be aware of what you get back: because the tombstone kept only a few attributes, the reanimated user is disabled, has no password, no group memberships, and none of its other former attributes (unless the Recycle Bin was enabled, in which case you should have used Restore-ADObject instead). The objectSid is preserved, so existing ACL entries still apply once you re-enable the account, set a new password and re-add it to its groups. Do let me know if you have any concerns recovering a user or understanding the whole concept.
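The whole ldp.exe procedure above is a single LDAP modify request with the show-deleted control attached. As an added example (mine, not code from the original post), the following PowerShell script performs exactly that modify through System.DirectoryServices.Protocols: it attaches the show-deleted control, finds the tombstone by sAMAccountName, deletes isDeleted and replaces distinguishedName in one request, and then reads userAccountControl back to show that the account comes back disabled. The domain shubh.com, the DC reachable as localhost on port 389, the user netadmin and its former location CN=Users are taken from the post; the need to run it as an account holding the Reanimate Tombstones right is an assumption about your environment.

```powershell
# Added example, not part of the original post. Scripts the ldp.exe tombstone reanimation.
# Assumes: domain shubh.com, DC reachable as localhost:389, deleted user netadmin whose
# DN before deletion was CN=netadmin,CN=Users,DC=shubh,DC=com. Adjust the constants as needed.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server      = 'localhost:389'
$domainDN    = 'DC=shubh,DC=com'
$deletedBase = "CN=Deleted Objects,$domainDN"
$samName     = 'netadmin'
$newDN       = "CN=netadmin,CN=Users,$domainDN"   # the DN the user should have after recovery

# Connect and bind as the logged-on user (Negotiate/Kerberos, no cleartext password on 389).
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()

# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): ldp.exe's "Return deleted objects".
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# Locate the tombstone. sAMAccountName survives tombstoning, so it is a reliable key.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $deletedBase,
    "(&(isDeleted=TRUE)(sAMAccountName=$samName))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    [string[]]@('distinguishedName', 'lastKnownParent'))
$search.Controls.Add($showDeleted) | Out-Null
$found = $conn.SendRequest($search)
if ($found.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $samName, found $($found.Entries.Count)"
}
$tombstoneDN = $found.Entries[0].DistinguishedName   # CN=netadmin\0ADEL:<guid>,CN=Deleted Objects,...
"Tombstone DN:     $tombstoneDN"
"lastKnownParent:  $($found.Entries[0].Attributes['lastKnownParent'][0])"

# One modify request carrying both changes, exactly as entered in the ldp.exe Modify window:
#   1) delete isDeleted (no value)   2) replace distinguishedName with the new DN
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDN.Name      = 'distinguishedName'
$setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDN.Add($newDN) | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest($tombstoneDN)
$modify.Modifications.Add($delIsDeleted) | Out-Null
$modify.Modifications.Add($setDN)        | Out-Null
$modify.Controls.Add($showDeleted)       | Out-Null   # required to address a deleted object

$result = $conn.SendRequest($modify)
"Reanimate result: $($result.ResultCode)"             # Success when the account holds Reanimate Tombstones

# Read the reanimated object back. Bit 0x2 (ACCOUNTDISABLE) is set: the user comes back disabled,
# with no password and no group memberships, because the tombstone did not keep them.
$verify = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $newDN, '(objectClass=user)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    [string[]]@('userAccountControl', 'objectSid'))
$entry = $conn.SendRequest($verify).Entries[0]
$uac   = [int]$entry.Attributes['userAccountControl'][0]
"userAccountControl: $uac (disabled: $(($uac -band 0x2) -ne 0))"
$conn.Dispose()
```

Run it from an elevated PowerShell session on the DC as a member of Domain Admins or another account granted the Reanimate Tombstones control access right. Afterwards enable the account, set a password and re-add group memberships; if the Recycle Bin feature is enabled in your forest, use Restore-ADObject instead, which restores every attribute in one step.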