Active Directory: How to Restore Directory Users using PowerShell

Why It is Important

AD admins need to be able to restore Active Directory objects such as user accounts, as well as fix incorrect modifications and roll back unwanted changes to AD objects, because unwanted changes or inappropriate deletions can lead to production interruptions and system unavailability. For example, if organizational units (OUs), Active Directory groups or users are improperly changed or deleted, employees across the organization might not be able to log in, or might have trouble accessing the applications they need to do their jobs. Without the Active Directory Recycle Bin, a deleted object becomes a tombstone that has lost most of its attributes (group memberships, passwords, descriptions), so recovering it from native tools means an authoritative restore from backup or a tombstone reanimation followed by manual reconstruction of everything that was stripped: a difficult, time-consuming and error-prone process. To minimize the risk of downtime and business disruption, IT admins need a way to quickly and reliably restore deleted objects with their attributes intact.

Native Auditing

1. Navigate to “Start”, choose “Administrative Tools”, right-click “Active Directory Module for Windows PowerShell”, and click “Run as Administrator”.

2. Check the domain and forest functional levels using the following commands. The Recycle Bin requires the forest functional level to be Windows Server 2008 R2 or higher, which in turn requires every domain in the forest to be at Windows Server 2008 R2 or higher.

(Get-ADDomain).DomainMode

(Get-ADForest).ForestMode

3. To enable the Recycle Bin feature, run the following script as a member of Enterprise Admins. Enabling the feature is a one-way, forest-wide change: it cannot be disabled afterwards, and it only protects objects deleted after it is enabled (objects deleted earlier remain plain tombstones). Once the Recycle Bin has been enabled, any Active Directory object that is deleted is kept, with all its attributes, in the Deleted Objects container for the deleted-object lifetime (180 days by default) and can be restored from there.

# Build the DN of the optional feature under the forest's configuration partition
$cfgNameCtx = (Get-ADRootDSE).ConfigurationNamingContext
$recBin = "CN=Recycle Bin Feature,CN=Optional Features,"
$recBin = $recBin + "CN=Directory Service,CN=Windows NT,CN=Services,"
$recBin = $recBin + $cfgNameCtx
# The feature is enabled at forest scope; -Target takes the forest's DNS name
$target = (Get-ADDomain).Forest
# Irreversible: there is no Disable-ADOptionalFeature path for the Recycle Bin
Enable-ADOptionalFeature -Identity $recBin -Scope ForestOrConfigurationSet -Target $target -Confirm:$false

4. To restore one or more Active Directory user accounts, use this script. Replace "User Name" with the name of the deleted account. Note that when an object is deleted, its name (CN) is rewritten to "User Name\0ADEL:<objectGUID>", so the filter needs a trailing wildcard; a filter on the exact name will not match anything. Restore-ADObject puts the object back under its last known parent, so if the OU that contained the account was deleted as well, restore the OU first.

# -IncludeDeletedObjects is required; by default deleted objects are hidden from searches
$deletedUsers = Get-ADObject -Filter 'name -like "User Name*" -and isDeleted -eq $true' -IncludeDeletedObjects
$deletedUsers | Restore-ADObject

5. Launch the Active Directory Users and Computers tool to see all the user accounts that were restored. 
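The following is an added example that is not part of the original article: it puts the steps above together into a single restore procedure that checks the Recycle Bin is actually enabled, locates the deleted account by sAMAccountName instead of by the rewritten name, restores a deleted parent OU before the user if necessary, and picks the most recently deleted copy when an account was deleted and re-created more than once. The account name 'jdoe' is a constructed sample value, and the function name Restore-ADObjectWithParents is an assumption of this example, not an AD module cmdlet.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available, the Recycle Bin is already enabled (step 3), and the
# caller has rights to restore objects. 'jdoe' is a constructed sample value.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # Without the Recycle Bin a deleted object is only a tombstone with most of
    # its attributes stripped, so Restore-ADObject cannot fully recover it.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]$feature.EnabledScopes
}

function Restore-ADObjectWithParents {
    # Hypothetical helper for this example, not an AD module cmdlet.
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADObject]$Object)

    # lastKnownParent is the DN of the container the object lived in when it
    # was deleted. If that container is itself deleted, Restore-ADObject fails
    # (parent "uninstantiated or deleted"), so restore ancestors first and then
    # restore the object into the parent's restored DN.
    $parent = Get-ADObject -Identity $Object.lastKnownParent -IncludeDeletedObjects `
                           -Properties isDeleted, lastKnownParent
    $targetPath = $parent.DistinguishedName
    if ($parent.isDeleted) {
        $restoredParent = Restore-ADObjectWithParents -Object $parent
        $targetPath = $restoredParent.DistinguishedName
    }
    return Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $targetPath -PassThru
}

if (-not (Test-ADRecycleBinEnabled)) {
    throw 'AD Recycle Bin is not enabled; objects deleted before enabling it are not fully recoverable.'
}

# Search by sAMAccountName rather than by name: the CN of a deleted object is
# rewritten to '<name>\0ADEL:<objectGUID>', so a filter on the plain name misses it.
$sam = 'jdoe'   # constructed sample value
$deletedUsers = Get-ADObject -Filter 'sAMAccountName -eq $sam -and isDeleted -eq $true -and objectClass -eq "user"' `
                             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

# Several deleted copies can share one sAMAccountName (account deleted and
# re-created more than once). Restore the most recently deleted one explicitly
# instead of piping all of them into Restore-ADObject.
$target = $deletedUsers | Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $target) { throw "No deleted user with sAMAccountName '$sam' found in the Recycle Bin." }

$restored = Restore-ADObjectWithParents -Object $target

# Verify the restore: with the Recycle Bin the account comes back with its
# enabled/disabled state and group memberships intact, which is what
# distinguishes it from a tombstone reanimation.
Get-ADUser -Identity $restored.ObjectGUID -Properties MemberOf, Enabled, DistinguishedName |
    Format-List Name, Enabled, DistinguishedName, MemberOf
```

Run the Get-ADObject search on its own first and inspect lastKnownParent and whenChanged before calling the restore; once an object is restored it is live again, and re-deleting it to "undo" a mistake starts a fresh deleted-object lifetime.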

Credits

Originally posted - https://www.netwrix.com/how_to_restore_active_directory_users.html