Tips and Tricks

Active Directory Single Object Restore

When you accidentally delete an Active Directory object, can you bring it back without performing an authoritative restore on the entire directory? This tip shares a little known service built right into AD that you'll want to know about.

It’s unfortunate, in a way, that Microsoft didn’t build a Recycle Bin into Active Directory Users and Computers. Actually, if it had, it would probably constitute a security risk we could all live without. Still, it would be convenient for those times when you accidentally delete an AD object—like a user account.

Keep in mind how an AD object deletion works: The domain controller (DC) on which you deleted it doesn’t actually remove the object. Instead, it tombstones it, effectively putting a big red “X” on it. That tombstone replicates throughout the domain until all the DCs have the object marked as deleted. The object can’t be undeleted at that point, and it’ll go away permanently after about 60 days. There’s no “undo” in AD Users and Computers, either, and thanks to AD’s efficient replication, you can’t even quickly rip the DC’s network cable out of the hub—once it gets back on the LAN, that tombstone’s going to be replicated.

Does that mean you have to perform an authoritative restore of the entire directory, potentially undoing other recent additions, changes and deletions? Not at all. Although nobody makes a big deal of it, Microsoft built a perfectly serviceable single-object restore capability right into AD.

Getting Authoritative, One Object at a Time
You’ll obviously need a recent backup that contains the object you want to restore. This should be a standard System State backup from any DC in your domain. You’ll need to perform the single-object restore on the same DC used to make the backup. Once the prerequisites are covered, restart the DC in question into its Directory Services Restore Mode. Log in using the appropriate administrative credentials, and then run the Ntdsutil utility. Then, type “authoritative restore” and press Enter.

Here’s the tough part: You’ve got to tell Ntdsutil the exact Fully Qualified Domain Name (FQDN) of the object you want to restore. For example, you might enter:

restore subtree "cn=John Doe,ou=Operations,dc=mycompany,dc=com"

to restore a user named John Doe, whose user account was in the Operations organizational unit of the mycompany.com domain. You could type:

restore subtree "ou=Operations,dc=mycompany,dc=com"

to restore the entire Operations OU.
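The "tough part" is getting the name exactly right, and names containing commas, leading spaces or other characters reserved in a distinguished name must be escaped or the restore targets nothing. The helper below is an added example, not code from the article: it builds the quoted restore subtree line from an object's location, escaping per RFC 4514. It assumes the article's mycompany.com domain; the object and OU names are constructed.

```python
from typing import List, Optional

# Characters that must be backslash-escaped anywhere inside a DN attribute
# value (RFC 4514, section 2.4). '#' only needs escaping at the start of a
# value, and a space only at the start or end.
SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(domain: str) -> str:
    """DNS domain name to its DN form: mycompany.com -> dc=mycompany,dc=com"""
    return ",".join("dc=" + escape_rdn_value(p) for p in domain.split("."))


def object_dn(domain: str, ou_path: List[str], cn: Optional[str] = None) -> str:
    """Build the DN of an object (cn given) or of an OU itself (cn is None).

    ou_path lists OUs from the domain root downward, e.g. ["Operations",
    "Field Staff"]; the DN lists them child-first, so the order is reversed.
    """
    rdns = ["ou=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    if cn is not None:
        rdns.insert(0, "cn=" + escape_rdn_value(cn))
    return ",".join(rdns + [domain_dn(domain)])


def restore_command(dn: str) -> str:
    """The line to type at ntdsutil's 'authoritative restore' prompt.

    The DN is always quoted so that a name with spaces, such as the
    article's John Doe, is passed as one argument.
    """
    return 'restore subtree "%s"' % dn


if __name__ == "__main__":
    # Constructed sample: a user whose common name contains a comma.
    print(restore_command(object_dn("mycompany.com", ["Operations", "Field Staff"], "Doe, John")))
```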

Things get a bit trickier if you want to restore a group. Before doing so, make sure that every user who’s supposed to be a member of the group is present in the domain, restoring users first if necessary. Then (and only then) can you restore the group.

Once you’re done restoring objects, restart the DC. It’ll start replicating the change to the other DCs in the domain; before you know it, your mistake will be a thing of the past. The magic is in the way AD performs authoritative restores. Remember the tombstone that got put onto the object when you deleted it? That tombstone caused the object’s internal version number to increment on the DC that processed the deletion. That higher version number, in turn, is what caused the other DCs on the domain to replicate the tombstone—they had an older version of the object and simply wanted to upgrade. When you performed the authoritative restore, however, the object’s version number was incremented by several hundred, making it the latest and greatest thing in the domain. Every DC will latch onto the upgraded object, effectively erasing the tombstone and bringing the object back from the dead.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Mon, Aug 8, 2011 Jesse New York City

In my experience, native Windows rollback capabilities are weak. The recycle bin only works on objects residing in AD (doesn’t work for GPOs residing on a disk), and it’s just not very intuitive. It’s worth looking into utilities like the ones suggested by Thunderfoot below—I can recommend both Netwrix AD Object Restore Wizard and Quest Object Restore for AD. Both allow more granular and complete rollback abilities.

Tue, Jun 2, 2009 Jeff Overall

ADRecycleBin.exe (Active Directory Recycle Bin) allows administrators to quickly restore deleted Active Directory objects via an easy to use GUI. This is a free Active Directory Recycle Bin tool.

Fri, May 4, 2007 Thunderfoot Washington, D.C.

There are utilities now that do this online (see and netpro)

Fri, Jun 3, 2005 Natarajan Banagalore

It really helps me to know Windows 2000 Server advantages better.

Tue, May 18, 2004 Jocco Anonymous

Generally speaking, group policies are linked to an OU or Site so re-linking them is not a big deal. The 31B and 61A policies (Domain and DC respectively) are special MS created default policies and should never be deleted or recreated. Every domain carries the same two default policies with the same GUID, take a look... NEVER copy a policy into the Sysvol folder as this will in most instances create a second copy of what exists in other Sysvol folders and FRS will replicate that out and rename the existing files to "FolderName_NTFRS_" and require another round of repairs to the FRS replication and Sysvol replica set.

Thu, Oct 9, 2003 Anonymous Anonymous

Quotes don't make a difference in the LDAP path; use them or not.

Thu, Oct 9, 2003 Anonymous Anonymous

Don is showing a Lightweight Directory Access Protocol (LDAP) path, but calling it a Fully Qualified Domain Name (FQDN). When you do an authoritative restore, you need to use an LDAP path as shown. Further, you need to actually run NTBACKUP to restore the data after starting in Directory Services Restore Mode (as mentioned in the previous comment). Another thing I find interesting is the quotes. Seems to me that the quotes are only needed when you want to restore a single object. Typically, you don't need the quotes to restore an OU and all subordinate objects.

Wed, Oct 8, 2003 Anonymous Anonymous

This is something most Windows 2000 admins already know. Important note for those who don't: the author forgets to mention that you must "restore your System State data" before trying to run ntdsutil.

Sat, Sep 13, 2003 Nitesh Anonymous

I guess a small part is missed out in this article. There are certain Active Directory objects such as OUs, domains and Site objects that have associated group Policies with them. If you want to restore a deleted object that has a policy associated, you also need to authoritatively restore the group policy, located in the SYSVOL folder. This is done by restoring them on an alternate location and then copying them in the SYSVOL folder after it is published.

Wed, Jul 2, 2003 Anonymous Anonymous

Very useful time-saving tip.

Tue, Jul 1, 2003 Anonymous Anonymous

Very helpful.

Mon, Jun 30, 2003 Anonymous Moscow

You may use Aelita ERDisk to perform single object restore. Enjoy!

Fri, Jun 27, 2003 Anonymous Anonymous

I am glad to know how to restore an object now.
