Undeleting Deleted Items in Active Directory
Friday afternoon I received a call from a coworker who was getting an Access Denied error when she tried to print to a particular network printer. Sure enough, upon inspection of the printer’s ACL, I found that one of our organization’s most important Security Groups had been deleted (how that happened is another story).
Because ACLs in AD environments are based on the SID, or Security Identifier, of an object rather than its name, you can’t just create a new object with the same name and expect things to work. They won’t. So how do you recover the original object?
Microsoft did not see fit to give Active Directory a Recycle Bin, but they did build in a feature called the Tombstone Lifetime. When an Active Directory object is deleted, the object is actually moved to a hidden container called Deleted Objects, and it stays there for the number of days specified by the tombstone lifetime.
Using the LDAP client built into Windows Server you can restore an object that is stuck in limbo between being deleted and being wiped out permanently when its tombstone lifetime expires. The video below illustrates how to do it far better than I ever could.
One final note: restoring a deleted object will not restore all of its properties. For example, when restoring a Group object the group’s membership is lost. The important part is that the object is restored with the same SID, so after you manually restore its members, existing Access Control Lists will function as expected.
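The restore described above comes down to a single LDAP modify on the tombstone: delete `isDeleted` and replace `distinguishedName`, sent with the show-deleted control. The following is an added example, not part of the original post, that builds that change from a constructed tombstone entry; the function name, the sample entry, and the use of `whenChanged` as the deletion time are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP control: return deleted objects
# A tombstone's RDN is the old name + "\0ADEL:" + objectGUID, and the object
# sits directly under CN=Deleted Objects in its domain.
TOMBSTONE_DN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),"
    r"CN=Deleted Objects,(?P<domain>DC=.+)$")

def plan_reanimation(entry, tombstone_lifetime_days, now):
    """Build the LDAP modify that restores a tombstone; ValueError if it can't be."""
    m = TOMBSTONE_DN.match(entry["dn"])
    if not m or entry.get("isDeleted") != "TRUE":
        raise ValueError("not a tombstone in the Deleted Objects container")
    parent = entry.get("lastKnownParent", "")
    if not parent.lower().endswith(m["domain"].lower()):
        raise ValueError("lastKnownParent missing or outside this domain")
    # Assumption: whenChanged on the tombstone is treated as the deletion time.
    deleted = datetime.strptime(entry["whenChanged"], "%Y%m%d%H%M%S.0Z")
    expires = deleted.replace(tzinfo=timezone.utc) + timedelta(days=tombstone_lifetime_days)
    if now >= expires:
        raise ValueError("tombstone lifetime has passed; object may be purged")
    return {
        "target_dn": entry["dn"],
        "controls": [SHOW_DELETED_OID],
        # Both changes go in one modify: clear the deleted flag and move the
        # object back under its original parent with its original name.
        "changes": [("delete", "isDeleted", []),
                    ("replace", "distinguishedName",
                     [f"{m['attr']}={m['name']},{parent}"])],
        "sid": entry["objectSid"],  # unchanged by the restore, so ACLs still match
        "days_left": (expires - now).days,
    }

# Constructed sample tombstone for a deleted security group (not real data).
SAMPLE = {
    "dn": r"CN=HQ Printer Users\0ADEL:6f1c2b9e-3a47-4d0e-9b55-2c8e7d1a4f03,"
          r"CN=Deleted Objects,DC=example,DC=com",
    "isDeleted": "TRUE",
    "lastKnownParent": "OU=Groups,DC=example,DC=com",
    "whenChanged": "20240105143000.0Z",
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1604",
}

if __name__ == "__main__":
    now = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    for key, value in plan_reanimation(SAMPLE, 60, now).items():
        print(f"{key}: {value}")
```

The 60-day lifetime passed in the demo is a constructed value; read the actual tombstone lifetime from your own forest before relying on the `days_left` figure.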