In this post we are going to look at the different ways you can restore Active Directory objects, such as User Accounts, Groups, Computers and OUs using Restore-ADObject in PowerShell.
View Deleted Objects:
Firstly this command will show you a list of all deleted objects:
Get-ADObject -Filter 'isDeleted -eq $True -and name -ne "Deleted Objects"' -IncludeDeletedObjects -Properties *
(I have found that in some environments with a large amount of deleted objects this doesn’t display any results)
As shown in the image above, a lot of information is returned. To narrow the output down to the attributes you actually need, pipe the results into the Format-List call below.
| Format-List samAccountName,displayName,lastknownParent
Or alternatively you can export the results to CSV:
$GetDeleted = Get-ADObject -Filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property DistinguishedName,isDeleted,whenChanged,lastknownparent
$GetDeleted | export-csv C:\deleted.csv -NoTypeInformation
If you get a PowerShell error try:
$GetDeleted = Get-ADObject -Filter {(isdeleted -eq $true)} -includeDeletedObjects -property DistinguishedName,isDeleted,whenChanged,lastknownparent
$GetDeleted | export-csv C:\deleted.csv -NoTypeInformation
Single Object Restore –
For a simple one object restore use:
Get-ADObject -Filter 'samaccountname -eq "UserLogonName"' -IncludeDeletedObjects | Restore-ADObject
If you receive any errors with the command above, try this:
$User = "UserLogonName"
Get-ADObject -filter ‘samaccountname -eq $User’ -IncludeDeletedObjects -properties * | Foreach-Object {Restore-ADObject $_.objectguid -NewName $_.samaccountname -TargetPath $_.LastKnownParent}
For multiple restores –
Firstly you can use the command below – It will restore any items deleted after a specified date and time.
#This variable stores the output of the Datetime conversion for 1:40:00 AM, August 22, 2009.
$time = New-Object Datetime(2009, 8, 22, 1, 40, 00)
Get-ADObject -filter 'whenChanged -gt $time -and isDeleted -eq $true' -IncludeDeletedObjects -properties * | Foreach-Object {Restore-ADObject $_.objectguid -NewName $_.samaccountname -TargetPath $_.LastKnownParent}
A video demonstration showing the results –
Restore multiple from .txt or .csv file:
ForEach ($SamAccountName in Get-Content "C:\Samaccounts.txt") {
    $user = $SamAccountName
    Get-ADObject -Filter {samaccountname -eq $user} -IncludeDeletedObjects -Properties * | ForEach-Object {Restore-ADObject $_.objectguid -NewName $_.samaccountname -TargetPath $_.LastKnownParent}
}
Restoring all objects in a deleted OU and the OU itself:
To restore a child OU or the contents of an OU you must restore hierarchically, this means the parent object must be restored before a child object. So if I was to delete an entire OU and all its contents, I must first restore the OU before I can restore its contents.
In this example I am going to delete the OU PlebUsers –
To see the deleted objects – (unfortunately the lastknownRDN wasn’t showing ‘PlebUsers’ in this example)
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -properties * | ft msDS-LastKnownRDN,lastKnownParent -AutoSize
Now to restore the OU (Organizational Unit) –
Note that the lastKnownParent attribute of the deleted users is the distinguished name of the deleted OU. If I try to restore those child objects, nothing will happen because their parent is deleted. What I need to do is restore the PlebUsers OU first; to do that I will specify the OU's last known RDN and its last known parent:
Get-ADObject -filter 'msds-lastKnownRdn -eq "PlebUsers" -and lastKnownParent -eq "DC=plebs,DC=local"' -includeDeletedObjects | Restore-ADObject
Now the OU is restored you are clear to start restoring the user accounts by using one of the commands highlighted above.
If errors occur –
Run the command below to get the ObjectGUID of deleted OU:
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects" -and ObjectClass -eq "organizationalUnit"' -includeDeletedObjects -property * | ft Name,ObjectClass,ObjectGuid -Wrap
Now Restore the OU by using the command below –
Get-ADObject -Filter 'ObjectGUID -eq "169ad379-70a1-4d45-8de9-ef1417048338"' -IncludeDeletedObjects | Restore-ADObject -NewName "PlebUsers"
Once the OU is back, you are free to restore the Users using one of the many PowerShell commands highlighted in this post.
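Putting the hierarchical rule from the OU section above into one script, as an added example that is not part of the original post: it restores the deleted OU first and then walks the objects that last lived under it, restoring nested OUs before the objects inside them. It assumes the ActiveDirectory module and the AD Recycle Bin, that deleted children still carry the OU's normal distinguished name in lastKnownParent (the same assumption the post's -TargetPath $_.LastKnownParent commands make), and the OU name and domain DN are placeholders taken from the post's example.

```powershell
# Added example, not from the original post. Restore a deleted OU and then
# everything that was under it, parent before child. Run with -WhatIf first.
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory)] [string] $RestoredParentDn,   # live DN of the parent just restored
        [switch] $WhatIf
    )
    # Assumption: children of a deleted tree keep the parent's normal DN in
    # lastKnownParent, so once the parent is back they can be matched on it.
    $children = Get-ADObject -Filter 'isDeleted -eq $true -and lastKnownParent -eq $RestoredParentDn' `
        -IncludeDeletedObjects -Properties msDS-LastKnownRDN, lastKnownParent, objectClass

    # Restore nested OUs first so the objects inside them have somewhere to land.
    $ordered = $children | Sort-Object { if ($_.objectClass -eq 'organizationalUnit') { 0 } else { 1 } }
    foreach ($obj in $ordered) {
        $rdn = $obj.'msDS-LastKnownRDN'
        Write-Verbose "Restoring $rdn into $RestoredParentDn"
        Restore-ADObject -Identity $obj.ObjectGUID -NewName $rdn -TargetPath $RestoredParentDn -WhatIf:$WhatIf
        if ($obj.objectClass -eq 'organizationalUnit' -and -not $WhatIf) {
            # Recurse into the OU we just restored; its live DN is OU=<rdn>,<parent>.
            Restore-DeletedSubtree -RestoredParentDn "OU=$rdn,$RestoredParentDn"
        }
    }
}

# Placeholders from the post's example; replace with your own OU and domain.
$domainDn = 'DC=plebs,DC=local'
$ouName   = 'PlebUsers'

# Step 1: find the deleted OU by its last known RDN and parent, exactly one match.
$ou = @(Get-ADObject -Filter 'msDS-LastKnownRDN -eq $ouName -and lastKnownParent -eq $domainDn -and isDeleted -eq $true' `
        -IncludeDeletedObjects)
if ($ou.Count -ne 1) {
    throw "Expected exactly one deleted OU named $ouName under $domainDn, found $($ou.Count)"
}

# Step 2: restore the OU itself, then everything beneath it.
Restore-ADObject -Identity $ou[0].ObjectGUID -NewName $ouName -TargetPath $domainDn
Restore-DeletedSubtree -RestoredParentDn "OU=$ouName,$domainDn" -Verbose
```

Pass -WhatIf to Restore-DeletedSubtree to list what would be restored without touching the directory; the recursion is skipped in that mode because the nested OUs would not actually exist yet.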
Congratulations – you should now be able to handle the majority of situations involving the accidental deletion of AD Users, Groups or OUs!
Thanks for reading – feel free to follow and stay updated 🙂