In this post we are going to look at restoring an Active Directory (AD) user account using LDAP.
In terms of data recovery, tombstone reanimation has great advantages. Tombstone reanimation doesn't require the DC to be taken offline, and reanimating a tombstone is much better than simply recreating a new version of the deleted object.
If you recreate an object, it will always get new objectGUID and objectSid attributes. As a result, any external references to the object, such as ACLs, will have to be updated to reflect the new identity. This can be a major pain and is best avoided.
If your forest functional level is 2008 R2 or higher, you can enable the AD Recycle Bin as a means of restoring deleted AD objects; however, it has to be set up before the AD object was deleted.
If you want to restore using PowerShell – check out my guide here.
In this example I am going to delete the user account ‘Bill Bob’ and show you how I restored it:
Open LDP.exe as an administrator
Once open, click Connection, click Connect, then type your server's name and port. LDAP uses port 389, or 636 for LDAP over SSL.
Click Connection, click Bind, and type the Administrator account and password.
Click Options menu, click Controls.
On Load Predefined, select Return deleted objects.
This option will show the Deleted Objects container that is hidden by default.
Click View, click Tree, and then select the distinguished name of the domain name.
In the tree on the left, double-click and select DC=plebs,DC=local.
Then expand the Deleted Objects container, and find the deleted object (Bill Bob).
Right click on the object, then click Modify.
In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
Then type distinguishedName in the Attribute field, and type the original distinguished name of the user in the Values field: CN=Bill Bob,OU=PlebUsers,DC=plebs,DC=local. You can also restore to a different DN location.
Under operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.
Once the modify operation succeeds, the object is restored and will be back in Active Directory.
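The same modify the LDP.exe steps above perform (delete isDeleted, replace distinguishedName, with the deleted-objects control attached), as an added PowerShell example that is not from the original post; it uses the .NET System.DirectoryServices.Protocols classes, and the server name, base DN and user name are placeholders for the plebs.local lab domain. It finishes by setting a password and enabling the account, since the reanimated object comes back without either.

```powershell
# Added example: reanimate a tombstoned user over LDAP with the .NET
# System.DirectoryServices.Protocols classes (the same modify LDP.exe sends).
# Server, base DN and user name are placeholders for the lab domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$SDSP = 'System.DirectoryServices.Protocols'

$server   = 'dc01.plebs.local:389'                  # placeholder DC
$baseDn   = 'DC=plebs,DC=local'
$targetDn = "CN=Bill Bob,OU=PlebUsers,$baseDn"      # original (or new) DN

$conn = New-Object "$SDSP.LdapConnection" $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()                                        # current admin credentials

# Equivalent of LDP's 'Return deleted objects' predefined control.
$showDeleted = New-Object "$SDSP.ShowDeletedControl"

# 1) Find the tombstone under CN=Deleted Objects. Its cn is 'Bill Bob' followed
#    by a newline and 'DEL:<guid>', so a substring filter on the name locates it.
$search = New-Object "$SDSP.SearchRequest" -ArgumentList `
    "CN=Deleted Objects,$baseDn",
    '(&(isDeleted=TRUE)(objectClass=user)(cn=Bill Bob*))',
    ([System.DirectoryServices.Protocols.SearchScope]::OneLevel),
    ([string[]]@('distinguishedName'))
[void]$search.Controls.Add($showDeleted)
$found = $conn.SendRequest($search)
if ($found.Entries.Count -ne 1) { throw "Expected one tombstone, found $($found.Entries.Count)" }
$tombstoneDn = $found.Entries[0].DistinguishedName

# 2) One modify: delete isDeleted and replace distinguishedName (the LDP steps).
$delIsDeleted = New-Object "$SDSP.DirectoryAttributeModification"
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDn = New-Object "$SDSP.DirectoryAttributeModification"
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($targetDn)

$modify = New-Object "$SDSP.ModifyRequest"
$modify.DistinguishedName = $tombstoneDn
[void]$modify.Modifications.Add($delIsDeleted)
[void]$modify.Modifications.Add($setDn)
[void]$modify.Controls.Add($showDeleted)            # the modify needs the control too
$conn.SendRequest($modify) | Out-Null               # throws DirectoryOperationException on failure
$conn.Dispose()

# 3) The reanimated account has no password and is disabled; finish with the AD module.
Set-ADAccountPassword -Identity $targetDn -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
Enable-ADAccount -Identity $targetDn
```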
If you are getting LDP errors such as:
Operation failed. Error code: 0x57
LDAP: error code 12 – Unavailable Critical Extension
Go back into Options and Controls, double-click one of the Active Controls and check it in, while also making sure Load Predefined is set to 'Return deleted objects', then try again. I have experienced random errors at times when there is more than one active control, which took a little playing around in the Controls area to resolve.
Otherwise, if no errors appear, check AD and see if the user is now back in its original OU.
However, the results aren't perfect: the account will be stripped of all attributes. The account will need a password and to be re-enabled.
However, NTFS and share permissions will still be intact.
Hope this is helpful!