Active Directory acts as a hierarchical database that stores information about the network's resources, such as computers, users, groups and servers. It lets you easily create, move, modify and delete multiple objects such as users, computers, groups and OUs. However, incidents do occur in which Active Directory objects are deleted accidentally or intentionally, and correct use of LDP.exe makes it possible to restore those deleted objects to Active Directory.

Performing the Deleted Object Restoration

Generally, an object deleted from Active Directory is never erased immediately; it is only marked for future deletion. The important point to understand is that deleted objects are "tombstoned" for a period of time. By default, tombstoned objects remain in AD for 60 days on Windows Server 2000/2003 and for 180 days on Windows Server 2003 SP1/2008 before they are permanently removed.

The Deleted Objects container is hidden and cannot easily be viewed by an Active Directory user, but with correct use of LDP.exe it is possible to restore deleted objects. Ldp.exe is part of the Windows Server Support Tools and can be used to run Lightweight Directory Access Protocol (LDAP) searches against Active Directory for specific information.

This tool is effective for restoring deleted Active Directory objects on Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, or a higher version.

Note: If you are restoring deleted Active Directory objects on Windows Server 2008 R2, it is recommended to use the Active Directory Recycle Bin feature instead.

Steps to Restore Deleted Objects with LDP.EXE

Open Ldp.exe from an elevated command prompt. First, open a command prompt (Cmd.exe) as an administrator so that it runs elevated.

1) Type ldp.exe and press Enter.

2) You must connect and bind to a server that hosts the forest root domain of your AD DS environment. To do so, under Connections, click Connect.

3) Fill in the required details, such as the name of the server you want to connect to, then click Bind and click OK.

4) On the Options menu, click Controls.

5) In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.

6) In the console tree, select the CN=Deleted Objects container.

7) After identifying the deleted Active Directory object that you want to restore, right-click it and then click Modify.

Now, when the Modify dialog box appears on the screen, follow the instructions below:

  • In Edit Entry Attribute, type isDeleted. Make sure you leave the Values box empty.
  • Under Operation, select Delete and press Enter.
  • In Edit Entry Attribute, type distinguishedName.
  • In Values, type the original distinguished name (DN) of this Active Directory object.

Under Operation, select Replace, press Enter, and then click Run. Before you click Run, make sure the Extended check box is selected, as it attaches the control that lets the modification reach the tombstoned object.


It is always important to note the location from which the object was deleted, since this simple record makes it easy to recover the DN of the object when you need it.
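As an added example that is not part of the original article, the following PowerShell script performs the same reanimation that the LDP.exe steps above describe (delete isDeleted, replace distinguishedName, with the Show Deleted control attached) using the .NET System.DirectoryServices.Protocols classes; the DC name, domain DN and user name are placeholder assumptions, and the tombstone's lastKnownParent attribute is used to rebuild the original DN that the article tells you to note down.

```powershell
# Added example, not from the original article: the LDP.exe tombstone reanimation
# sent as one LDAP modify request via System.DirectoryServices.Protocols.
# $dc, $domainDn and $userCn are placeholder assumptions; run as an AD administrator.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'
$dc       = 'dc01.example.com'      # assumption: a DC hosting the forest root domain
$domainDn = 'DC=example,DC=com'     # assumption
$userCn   = 'John Smith'            # assumption: CN of the deleted user

$conn = New-Object "$ns.LdapConnection" $dc
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true     # sign and seal the session
$conn.SessionOptions.Sealing = $true
$conn.Bind()                             # binds as the current (elevated) user

# Steps 4-5: the "Return Deleted Objects" control is what makes tombstones visible.
$showDeleted = New-Object "$ns.ShowDeletedControl"

# Steps 6-7: locate the tombstone. A tombstone's CN is "<name>\0ADEL:<guid>" (\0A is a
# newline), so match that shape; escape the CN so it cannot alter the filter.
$escaped = $userCn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$filter  = "(&(isDeleted=TRUE)(objectClass=user)(cn=$escaped\0ADEL:*))"
$search  = New-Object "$ns.SearchRequest" -ArgumentList "CN=Deleted Objects,$domainDn", $filter, `
    ([System.DirectoryServices.Protocols.SearchScope]::OneLevel), @('lastKnownParent')
$search.Controls.Add($showDeleted) | Out-Null
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected one tombstone for '$userCn', found $($entries.Count)" }

# lastKnownParent records the container the object was deleted from; it supplies the
# original DN the article tells you to note down before the object is gone.
$tombstoneDn = $entries[0].DistinguishedName
$newDn       = "CN=$userCn," + $entries[0].Attributes['lastKnownParent'][0]

# Modify dialog: delete isDeleted and replace distinguishedName, with the extended
# control attached (the "Extended" check box). Both changes travel in one request.
$op = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]
$clearDeleted = New-Object "$ns.DirectoryAttributeModification" -Property @{ Name = 'isDeleted'; Operation = $op::Delete }
$setDn = New-Object "$ns.DirectoryAttributeModification" -Property @{ Name = 'distinguishedName'; Operation = $op::Replace }
$setDn.Add($newDn) | Out-Null

$modify = New-Object "$ns.ModifyRequest"
$modify.DistinguishedName = $tombstoneDn
$modify.Modifications.AddRange(@($clearDeleted, $setDn))
$modify.Controls.Add($showDeleted) | Out-Null
$result = $conn.SendRequest($modify)
"Restored '$tombstoneDn' as '$newDn' (result: $($result.ResultCode))"
$conn.Dispose()
```

The modify request only succeeds while the tombstone still exists, that is, within the tombstone lifetime given above, and the reanimated object comes back with only the attributes that survived deletion.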

Microsoft's LDP.exe tool gives administrators a built-in AD object recovery method, but some experts consider it a somewhat delicate program. When you use LDP.exe, complications can arise in restoring the attributes of objects, because it does not display all the attribute data. In addition, the tool can be used only while the deleted object is within its tombstone lifetime.

Nevertheless, various highly automated tools are available today that can help trace unwanted changes or restore deleted objects in almost every situation. LepideAuditor for Active Directory (http://www.lepide.com/lepideauditor/active-directory.html) is one such application: its "Restore from tombstone" feature provides a reliable option for retrieving AD objects, and it also allows in-depth auditing of changes made in Active Directory.