Restore Deleted Active Directory User

by Robert Allen

In this article, I’ll show you how to restore deleted Active Directory user accounts. You can recover deleted AD Users without a backup by using native Microsoft Tools. There are two options when restoring with native tools and there is a huge difference that you must know.


Must Read! Important Details about Deleted AD Users

  1. If you delete users and then enable the AD Recycle Bin, you will not be able to recover them with the Recycle Bin. Restore them before enabling it, without using the AD Recycle Bin (see option 1). If you have already enabled the Recycle Bin after deleting them, the only way to restore them is from a backup.
  2. Enabling the AD Recycle Bin allows you to restore user accounts that are deleted after it is enabled.
  3. Once the AD Recycle Bin is enabled, you cannot disable it.
  4. Deleted objects (without the AD Recycle Bin) are kept for the period set by tombstoneLifetime (default 180 days).
  5. Deleted objects (with the AD Recycle Bin) are kept for the period set by the Deleted Object Lifetime attribute (msDS-deletedObjectLifetime), which is equal to the Recycled Object Lifetime period (default 180 days).
  6. Restoring a deleted user without the AD Recycle Bin will not preserve most user settings. It will preserve the SID.
  7. Restoring with the AD Recycle Bin will preserve user settings.

Option 1. Restore AD User without AD Recycle Bin Enabled

Note: When restoring accounts without the AD Recycle Bin, all user details are lost. The good news is that it preserves the user's SID.

You can check if the AD Recycle Bin is enabled with the below command.

Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

If EnabledScopes is empty, the AD Recycle Bin is not enabled.

[Screenshot: AD Recycle Bin status output]

I’m going to delete the account below. Notice the details on the account; when I restore it, not all the details are lost.

[Screenshot: user properties before deletion]

Step 1. Get a list of deleted users

Use the Get-ADObject cmdlet to get a list of deleted users.

Get-ADObject -IncludeDeletedObjects -Filter 'IsDeleted -eq $true -and ObjectClass -eq "user"'

[Screenshot: Get-ADObject output listing deleted users]

I can see the “Robert Allen” account that I want to restore. I’ll copy the ObjectGUID and use it in step 2 to restore the account.

Step 2. Restore deleted user

Use the Restore-ADObject cmdlet to restore the account. You have to specify a new name for the account.

Restore-ADObject -Identity "22c35e0e-719b-4243-a3b6-ab14e7732d13" -NewName "Robert Allen22"

I’ve successfully restored the account; now let’s look at it in Active Directory.

Everything is missing!!

[Screenshot: restored user with empty properties]

As you can see, the drawback to restoring without the AD Recycle Bin is that it does not preserve the user properties. It is useful, though, if you need to retain the user's SID.
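The checks above (Recycle Bin status, listing deleted users, Restore-ADObject) can be combined into a short script that also reports whether each deleted user is still recoverable with native tools. This is an added example, not code from the article; it assumes the ActiveDirectory module is loaded on a domain-joined machine with rights to read the Deleted Objects container, and the function names are my own.

```powershell
# Added example (not from the article): report deleted user objects and whether
# they can still be restored, then restore one by ObjectGUID into its original OU.
Import-Module ActiveDirectory

function Get-DeletedAdUserReport {
    $rootDse = Get-ADRootDSE
    # tombstoneLifetime and msDS-DeletedObjectLifetime live on the Directory Service object
    $dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $binOn = (Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"').EnabledScopes.Count -gt 0
    # Unset msDS-DeletedObjectLifetime falls back to tombstoneLifetime, which itself defaults to 180 days
    $lifetime = $dsCfg.'msDS-DeletedObjectLifetime'
    if (-not $lifetime) { $lifetime = $dsCfg.tombstoneLifetime }
    if (-not $lifetime) { $lifetime = 180 }

    Get-ADObject -IncludeDeletedObjects -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', isRecycled, whenChanged, objectSid |
    ForEach-Object {
        # For a tombstone the last write is the deletion itself, so whenChanged approximates the delete time
        $expires = $_.whenChanged.AddDays($lifetime)
        [pscustomobject]@{
            Name            = $_.'msDS-LastKnownRDN'
            ObjectGUID      = $_.ObjectGUID
            SID             = $_.objectSid
            LastKnownParent = $_.lastKnownParent
            DeletedAround   = $_.whenChanged
            ExpiresAround   = $expires
            # Recycled objects (or tombstones past their lifetime) cannot be restored with native tools
            Restorable      = (-not $_.isRecycled) -and ($expires -gt (Get-Date))
            # Attributes survive only when the Recycle Bin was already on at deletion time
            AttributesKept  = $binOn -and (-not $_.isRecycled)
        }
    }
}

function Restore-DeletedAdUser {
    param([Parameter(Mandatory)][guid]$ObjectGuid, [string]$NewName)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent, isRecycled
    if ($obj.isRecycled) { throw "$ObjectGuid is already recycled; restore it from a backup instead." }
    # TargetPath puts the object back in the OU it was deleted from rather than the domain root
    $splat = @{ Identity = $ObjectGuid; TargetPath = $obj.lastKnownParent }
    if ($NewName) { $splat.NewName = $NewName }
    Restore-ADObject @splat -PassThru
}

# Usage: Get-DeletedAdUserReport | Format-Table
#        Restore-DeletedAdUser -ObjectGuid '<guid from the report>' -NewName 'Robert Allen22'
```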

Option 2. Restore AD User using the AD Recycle Bin

If you delete users and then enable the AD Recycle Bin, you will not be able to recover them with it. They will be destroyed. Restore them first without using the AD Recycle Bin (see option 1).

Follow the steps below to restore objects with the AD Recycle Bin.

  1. Open Active Directory Administrative Center
  2. Click on your domain
  3. Select “deleted objects”
  4. Select the account and click restore.

[Screenshot: restoring a user from Deleted Objects in the Administrative Center]

When you restore with the Recycle Bin, all of the user's details are restored.

[Screenshot: restored user with all properties intact]

Refer to the article How to enable Active Directory Recycle Bin for complete steps on enabling the AD Recycle Bin.

Option 3. Restore AD user using AD Pro Toolkit

You can easily restore deleted users with the AD Pro Toolkit.

This requires the AD Recycle Bin to be enabled.

To restore an account with the AD Pro Toolkit follow these steps.

  1. Click on Restore Deleted Users
  2. Select the account
  3. Click the restore button.

[Screenshot: Restore Deleted Users in the AD Pro Toolkit]

Full disclosure, restoring with the toolkit does the exact same thing as restoring from the Active Directory Administrative Center. The benefit of using the toolkit is you can manage AD from one central application.
