OUs in Active Directory (AD) helps administrators to categorize users depending on the different departments in your organization. When an OU is deleted, the OU, along with all objects contained in it has to be restored. Vital information such as GPOs that are applied to the OUs and any security groups to which the members of the OU were previously a part of must also be restored.
This article will elaborate on the different ways in which you can restore deleted nested OUs.
Active Directory provides a Recycle Bin feature which is disabled by default and has to be enabled manually. If Recycle Bin is enabled in your environment, it provides you additional leeway in restoring OUs with all the necessary information.
If Recycle Bin is not enabled, the deleted OU is moved to the Deleted Objects container and stripped of most of its attributes. The OU stays in this tombstoned state for 60-180 days depending on the version of your Windows Server and your configuration settings. However, the OU can still be restored using native tools like PowerShell or LDP utility but its missing attributes will have to be manually added back.
When Recycle Bin is enabled, the OU is still moved to the Deleted Objects container but all its attributes are preserved for a duration as specified by your msDS-deletedObjectLifetime attribute. In this stage, the OU can be restored with all its attributes intact.
When the msDS-deletedObjectLifetime period expires, the object is moved to a Recycled Object state where almost all of its attributes are removed. The objects stays in this state as specified by your tombstoneLifetime attribute. Once the tombstoneLifetime period expires, the object is removed from the database by the garbage-collection process and cannot be restored.
To preserve all attributes of deleted objects, enabling AD Recycle Bin is a must.
Before you enable AD Recycle Bin, ensure that the domain and forest functional levels are at least Windows Server 2008 R2.
Note: Once AD Recycle Bin has been enabled, it cannot be disabled.
To enable AD Recycle Bin, execute the following command in PowerShell.
Enable-ADOptionalFeature –Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=zylker'DC=com' –Scope ForestOrConfigurationSet –Target 'www.zylker.com'
If you use Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012, you can use the Active Directory Administrative Center to enable the Recycle Bin.
As an administrator, these are the native tools that can be used to restore OUs with all attributes intact, provided AD Recycle Bin has been enabled.
Consider the following scenario: An administrator of example.com accidentally deletes a nested organizational unit (OU) called HR_Department, which contains user accounts of employees in the HR department. The deletion of the OU results in deletion of a nested OU called Managers, which contains user accounts of the managers who work in the HR department. Jack, Vincent, and Emma are user accounts in the HR_Department OU. Harry is a user account in the Managers OU. The following illustration shows the hierarchy of the HR_Department OU.
The article will explain how these objects can be restored using the native AD tools.
Note: When restoring objects using native tools, it's critical to begin restoring objects from the highest level of the hierarchy because deleted objects can only be restored to a live parent.
To restore a deleted object, open PowerShell and type in the following command:
Restore-ADObject -Identity $dn
Here, $dn is the distinguished name of the object to be restored. To find the distinguished name of the object, use the following script in PowerShell:
(Get-ADObject -SearchBase (get-addomain).deletedobjectscontainer -IncludeDeletedObjects -filter "samaccountname -eq '%OLD_NAME%' ")
To find the distinguished name of the object and to perform the restoration, use the following script in PowerShell:
(Get-ADObject -SearchBase (get-addomain).deletedobjectscontainer -IncludeDeletedObjects -filter "samaccountname -eq '%OLD_NAME%' ") | Restore-ADObject
Here, %OLD_NAME% is the name of the object before being deleted.
Unlike restoring a single object, restoring an OU and its constituent objects is not a single step process.
Considering the scenario mentioned above, when the HR_Department OU is deleted, all the objects that it contains―a total of six objects including the two OUs and the four users―are moved to the Deleted Objects container with their distinguished names mangled. The Deleted Objects container displays all deleted objects in a flat hierarchy as its direct children, and the original hierarchy is lost. If the administrator has to restore the HR_Department OU, they have to somehow identify that OU's original hierarchy.
To restore the OU HR_department, you'll first need to find the original hierarchy of the OU.
If you know the original hierarchy of the deleted OU, you can use the Restore-ADObject cmdlet to retrieve the deleted objects one hierarchy level at a time.
If you’re not familiar with the original hierarchy, you must first identify the hierarchy before starting the restoration process.
For example, if you want to find the hierarchy of the user account Emma, the PowerShell cmdlet must be constructed so that the lastKnownParent attribute of Emma is returned.
Get-ADObject -SearchBase "CN=Deleted Objects,DC=validate4,DC=com" -ldapFilter:"(msDs-lastKnownRDN=Emma)" –IncludeDeletedObjects –Properties lastKnownParent
In the output this cmdlet returns, the value of lastKnownParent for Emma is HR_Department. You can also notice that the distinguished name of the HR_Department OU is mangled, which indicates that the HR_Department OU object itself was deleted.
Here's an example of a mangled distinguished name:
OU=HR_Department\0ADEL:d662511-4bde-b24e-f665bfa96e7b,CN=Deleted Objects,DC=validate4,DC=com
You then have to search for all objects in the Deleted Objects container whose lastKnownParent value is HR_Department.
Get-ADObject –SearchBase "CN=Deleted Objects,DC=validate4,DC=com" -Filter {lastKnownParent -eq 'OU=HR_Department\\0ADEL:d662511-4bde-b24e-f665bfa96e7b,CN=Deleted Objects,DC=example,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft
In the output that this cmdlet returns, you can notice that Managers is an OU. You now have to search for all the deleted objects that were contained in the Managers OU. The objects in the Managers OU will contain a lastKnownParent attribute equal to Managers.
Get-ADObject –SearchBase "CN=Deleted Objects,DC=validate4,DC=com" -Filter {lastKnownParent -eq 'OU=Managers\\0ADEL:83fb259c-b3f6-452f-a423-37f7fb11e0d0,CN=Deleted Objects,DC= validate4,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft
In the output that this cmdlet displays, You will see just the user account Harry and no other objects within the OU. You now have the list of all objects that were deleted and can start with the restoration. Since the HR_Department OU is the object at the top of the hierarchy, it must be restored first. Because all previous investigation steps were performed using the lastKnownParent attribute—which points to the direct parent of the object and does not indicate whether the next parent object is also deleted—administrators can verify that the value of lastKnownParent for HR_Department is indeed a live OU by running the following command:
Get-ADObject -SearchBase "CN=Deleted Objects,DC= validate4,DC=com"
-ldapFilter:"(msDs-lastKnownRDN=HR_Department)" –IncludeDeletedObjects –Properties lastKnownParent
This concludes the investigation, and you’re now ready to restore the HR_Department OU to its original hierarchy and state.
To restore the HR_Department OU using PowerShell, perform the following operations in the domain controller.
Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=HR_Department)" –IncludeDeletedObjects | Restore-ADObject
Get-ADObject -SearchBase "CN=Deleted Objects,DC= validate4,DC=com" -Filter {lastKnownParent -eq 'OU=HR_Department,DC= validate4,DC=com'} -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -SearchBase "CN=Deleted Objects,DC=validate4,DC=com" -Filter {lastKnownParent -eq 'OU=Admins,OU=HR_Department,DC=validate4,DC=com'} -IncludeDeletedObjects | Restore-ADObject
Note: When you restore the objects present inside the OU, make sure that the distinguished name you provide contains the name of its parent OU. For example, if you’re restoring the user Emma Roberts, the DN should be CN=Emma Roberts,CN=HR,DC=Terminator,DC=com. If the parent OU is not mentioned, the user object will be restored to the root domain and you’ll have to manually move it to the HR OU.
To restore the deleted OUs using the Administrative Center,
The restoration has to be performed hierarchically and each user object will be restored to the OU in which it was present before deletion. All attributes along with their group membership information will be restored.
We can see from the above examples that while PowerShell, LDP utility, and Active Directory Administrative Center can be used to restore deleted OUs, the process of restoring them is not always straightforward.
All three native tools have a couple of common shortcomings
1. Lack of hierarchical restoration.
2. Native AD Recycle Bin has to be enabled and a setting a large value for Tombstone Lifetime attribute can increase the size of Directory Information Tree (DIT).
Additionally, recovering nested OUs using PowerShell and LDP utility involves a lot of steps which increases the complexity if the number of objects contained in the OU is large.
RecoveryManager Plus allows you to overcome all the shortcomings of the native tools while adding more value in terms of its other capabilities.
Considering the same use case as the one above, the following section will explain how RecoveryManager Plus can be used to restore all the deleted objects.
Unlike the native tools that require you to restore objects from the highest level of hierarchy, RecoveryManager Plus allows you to restore any object irrespective of its original hierarchy. When an object and its parent container are deleted, restoring the deleted object automatically restores the parent container too, eliminating the need to restore containers individually.
RecoveryManager Plus allows you to restore objects with all their attributes intact even if the native Recycle Bin is not enabled. This is possible because RecoveryManager Plus comes bundled with its own Recycle Bin feature. All AD objects that have been deleted can be found here and you can even preview the attributes that will be restored along with the object., You can also use the available filters to limit the search results to required object type (user, OU, group, etc) or search for the deleted object by name.
When the entire HR_Department OU is deleted, you can find the deleted OU and all its constituent objects in RecoveryManager Plus's Recycle Bin.
If the administrator knows the original hierarchy of the deleted OU, the admin can select just the parent container and recycle it, which will automatically restore all the constituent objects of the OU.
Besides restoring deleted objects, RecoveryManager Plus is a multifaceted tool with several capabilities that make it a must-have for administrators who want total control over the contents of their AD.
| Features | PowerShell | LDP utility | Active Directory Administrative Center | RecoveryManager Plus |
|---|---|---|---|---|
| Restore live AD objects to any of their past versions | ||||
| AD rollback | ||||
| Granular GPO restoration |
Learn more about the various features that RecoveryManager Plus has to offer.
Evaluate RecoveryManager Plus to try out features like backing up and recovering AD objects. Support is included in your trial if you need any assistance. Download your fully functional 30-day free trial today.
