Microsoft Reduce Customer Effort Center

Our team drives product feedback based on solid data, it drives proactive issue prevention and ultimately, drives improvements around products based on customer feedback.
Translate This Page
Options
Search Blogs
  • Advanced search options...
Tags
Archive
Archives

Using ADRestore tool to restore deleted objects

TechNet Blogs > Microsoft Reduce Customer Effort Center > Using ADRestore tool to restore deleted objects

Using ADRestore tool to restore deleted objects

14 Dec 2006 3:23 AM
  • Comments 8 
Have ever encountered the following scenarios? 
  • User accounts, groups, computers, OUs or other objects in domain accidentally deleted.
  • No system state backup available for authoritative restoration.
  • No other DC's available.
 When an object is deleted from Active Directory, it isn't actually removed but
is instead marked as deleted by an internal marker called a tombstone. 
If you have valid system state backup, you can refer to the following knowledge 

base article to restore the object: 
How to restore deleted user accounts and their group memberships in 
Active Directory
http://support.microsoft.com/?id=840001 
 In case you don’t have any system state backup, you can use ADRestore 
to restore tombstoned objects. ADRestore is a command-line utility that lists 
and lets you restore deleted Windows Server 2003 AD objects. 
You can use ADRestore to restore tombstoned objects without 
performing an authoritative backup restore. You can download the utility at:
 http://www.microsoft.com/technet/sysinternals/utilities/ADRestore.mspx 
 After you install ADRestore, you can restore an object by running 
the command ADRestore –r. ADRestore removes the 'isDeleted' TRUE attribute 
from tombstoned accounts and changes the RDN back to the previous path, 
effectively resurrecting it. 
 The -r tells ADRestore to prompt the user before restoring the AD objects
to their original location. When you run the command, 
you'll see messages similar to the following: 
ADRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com
 Enumerating domain deleted objects:
 cn: mytest1
DEL:d7076a72-8020-44c8-b562-0c5b9132d7a5
distinguishedName: CN=mytest1\0ADEL:d7076a72-8020-44c8-b562-0c5b9132d7a5,
                             CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: OU=mytest\0ADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
                          CN=Deleted Objects,DC=PYM1,DC=COM
Do you want to restore this object (y/n)? y
 Restore succeeded.
 distinguishedName: OU=mytest\0ADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
                              CN=Deleted Objects,DC=PYM1,DC=COM
 lastKnownParent: DC=PYM1,DC=COM
 Do you want to restore this object (y/n)? y
 Restore succeeded.
 Found 2 items matching search criteria.
 Notes:
  •  By default, users are disabled and user passwords are empty after the above method is performed. Note that if you try to bulk enable objects and some of them have passwords which do not meet complexity/length requirements, you will not be able to re-enable them. Selecting one of them will show a more verbose error message in 2003. Your option then is to change their password or lower your password policy requirements.
  •  ADRestore cannot restore the group membership for a user. Meanwhile, not all attribute data can be restored.
  •    ADRestore is the last choice and we may use this method only when valid system state backup does not exist. Furthermore, ADrestore does not aim to substitute System state backup of domain controllers. It’s highly recommended to perform regular system state backup on domain controllers.
  • Also note that you can provide simple filters based on object names.  This command enumerates all objects with the string "comp" in the name (from ADRestore /?): 
                     ADRestore -r comp
,
Comments
Comments
  • Chris
    31 Jul 2007 5:08 AM

    ADRESTORE will restore only SID, ObjectGUID, LastKnownParent and SAMAccountName

    Reason

    ========

    When the object was deleted, all the attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.

  • Natural Male Enhancement
    4 Mar 2008 5:32 AM

    Hello, of course I came to visit your site and thanks for letting me know about it.

    I just read this post and wanted to say it is full of number one resources. Some I am familiar with. For those who don’t know these other sites they are in for a treat as there is a lot to learn there.

  • Forefront & Security Blogs
    25 Jan 2009 6:32 AM

    Mitunter kann es passieren, dass man (versehentlich) eine OU im Active Directory löscht. Häufige Ursache

  • shekhar
    9 Feb 2009 2:31 AM

    hi

    i have one doubt about this command. can we perform this command in real time secnario

  • Ask the Core Team
    27 Apr 2009 7:32 AM

    Greetings once again from the support trenches here on the CORE team.   I want to talk a bit about

  • Taiwan CSS Platform Team
    17 Oct 2010 10:21 PM

    SYMPTOM ================== You tried to bring Network Name Resources online but could not, following

  • The Official SBS Blog
    31 Mar 2011 7:14 AM

    [Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support] If you have ever

  • The Official SBS Blog
    31 Mar 2011 7:17 AM

    [Today's post comes to us courtesy of Shawn Sullivan from Commercial Technical Support] If you have ever

Page 1 of 1 (8 items)
Leave a Comment
  • Please add 3 and 7 and type the answer here:
  • Post