How to restore deleted user accounts and their group memberships in Active Directory

Base article on restoring the object: How to restore deleted user accounts and their group memberships in Active Directory
http://support.microsoft.com/?id=840001

If you don't have a system state backup, you can use ADRestore to restore tombstoned objects. ADRestore is a command-line utility that lists deleted Windows Server 2003 AD objects and lets you restore them. It restores tombstoned objects without performing an authoritative restore from backup. You can download the utility at:
http://www.microsoft.com/technet/sysinternals/utilities/ADRestore.mspx

After you install ADRestore, you can restore an object by running the command ADRestore -r. ADRestore removes the 'isDeleted' TRUE attribute from tombstoned accounts and changes the RDN back to the previous path, effectively resurrecting them.

The -r switch tells ADRestore to prompt the user before restoring each AD object to its original location. When you run the command, you'll see messages similar to the following:

ADRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain deleted objects:

cn: mytest1
DEL:d7076a72-8020-44c8-b562-0c5b9132d7a5
distinguishedName: CN=mytest1ADEL:d7076a72-8020-44c8-b562-0c5b9132d7a5,
CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: OU=mytestADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
CN=Deleted Objects,DC=PYM1,DC=COM
Do you want to restore this object (y/n)? y

Restore succeeded.

distinguishedName: OU=mytestADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: DC=PYM1,DC=COM

Do you want to restore this object (y/n)? y

Restore succeeded.

Found 2 items matching search criteria.
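
As an added example (not part of the original article and not Sysinternals code), the following Python parses a listing like the one above, recovers each tombstone's original RDN and GUID, re-joins the RDN to lastKnownParent, and flags objects whose parent is itself under CN=Deleted Objects. The function names, and accepting both the escaped \0A form and the bare "A" shown in this listing, are assumptions of the example.

```python
import re

# Tombstone RDN: <type>=<old name><newline>DEL:<objectGUID>; in a DN the newline is escaped as \0A.
# Assumption: the bare "A" in the article's listing is that escape with its backslash-zero lost.
TOMBSTONE = re.compile(r"^([A-Za-z]+)=(.+?)(?:\\0A|A)DEL:([0-9A-Fa-f-]{36}),CN=Deleted Objects,")
FIELD = re.compile(r"^(distinguishedName|lastKnownParent):\s*(.*)$")

SAMPLE = """\
cn: mytest1
DEL:d7076a72-8020-44c8-b562-0c5b9132d7a5
distinguishedName: CN=mytest1ADEL:d7076a72-8020-44c8-b562-0c5b9132d7a5,
CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: OU=mytestADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
CN=Deleted Objects,DC=PYM1,DC=COM
distinguishedName: OU=mytestADEL:657cde20-9d7e-43f2-8700-ad72029d2aec,
CN=Deleted Objects,DC=PYM1,DC=COM
lastKnownParent: DC=PYM1,DC=COM
"""  # sample input: the two objects from the article's listing, wrapped as shown there

def parse_listing(text):
    """Collect distinguishedName/lastKnownParent per object, joining wrapped DNs."""
    objects, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "distinguishedName":
                objects.append({})        # each object starts with its DN
            if objects:
                objects[-1][key] = value
        elif key and objects and objects[-1][key].endswith(","):
            objects[-1][key] += line      # continuation of a wrapped DN
        else:
            key = None                    # banner, cn/DEL, prompt or status line
    return objects

def restore_plan(text):
    """Per tombstone: original RDN, GUID, RDN re-joined to lastKnownParent, parent flag."""
    plan = []
    for obj in parse_listing(text):
        m = TOMBSTONE.match(obj.get("distinguishedName", ""))
        if m:
            rdn, parent = f"{m[1]}={m[2]}", obj.get("lastKnownParent", "")
            plan.append({"rdn": rdn, "guid": m[3].lower(), "target_dn": f"{rdn},{parent}",
                         "parent_deleted": "CN=Deleted Objects," in parent})
    return plan

for item in restore_plan(SAMPLE):
    print(item)
```

For the listing above, mytest1 is flagged because its lastKnownParent is the deleted OU, so the OU has to be restored as well for the account to end up in a live container.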

Notes:
  • By default, restored users are disabled and their passwords are empty after the above method is performed. If you try to bulk-enable objects and some of them have passwords that do not meet the complexity/length requirements, you will not be able to re-enable them. Selecting one of them on its own will show a more verbose error message in 2003. Your options then are to change their passwords or to lower your password policy requirements.
  • ADRestore cannot restore the group membership for a user, and not all attribute data can be restored.
  • ADRestore is the last choice, to be used only when a valid system state backup does not exist. ADRestore is not meant to substitute for system state backups of domain controllers. It is highly recommended to perform regular system state backups on domain controllers.
  • You can also provide simple filters based on object names. This command enumerates all objects with the string "comp" in the name (from ADRestore /?):
 ADRestore -r comp
