How to restore deleted user accounts and their group memberships in Active Directory

In order to restore the deleted computer accounts, user accounts and the security groups, there are three methods that can be followed. These objects are collectively called as the security principals. However, when restoring these deleted objects, it is essential that you restore the previous values of the “memberOf” and member attributes into the infected security principal.

  • Method1: Restoring the accounts and adding them back to their groups.
  • Method 2: Restoring the deleted user accounts and then adding them back into their respective groups using Ntdsutil.exe command line tool.
  • Method 3: Restoring these accounts along with the deleted security groups twice, using the help of the authority.

Usually, restoring certain deleted objects can be a really tiring job, especially the security principals which are the back links of certain attributes of a few other objects. ManagedBy and memberOf are the two attributes. When you add such security principals to a particular security group, you actually make changes in the Active Directory. Restoring such data from this active directory is a bit complex. So, let’s have a look at method 1 for restoring the deleted security principals.

Restoring the accounts and adding them back to their groups

  1. Check out if any global catalog within the user’s domain has not got replicated during the deletion. Stop the catalog from being replicated. In case the latent global catalog is absent, then try locating the latest system backup for the global catalog domain controller within the eliminated user’s home domain.
  2. Auth restore the eliminated user accounts to permit the end-to-end replication of the particular user accounts.
  3. Now add all the information about the restored users to the groups in the particular domains in which the users were members before being deleted.

In order to closely follow the method 2, perform the procedure mentioned here:

  1. Check into the deleted user’s home domain for any global catalog domain controller which has not replicated any deleted part. * Focus on the catalogs that have a more frequent replication format. If there are more than one such catalog, then use the Repadmin.exe command-line tool for disabling the inbound replications using the below mentioned steps:

a)      Click on Start and then on Run

b)      In the Open box, type cmd and then click on OK.

c)      In the command prompt, type the given command and click Enter:

repadmin /options <recovery dc name> +DISABLE_INBOUND_REPL

  1. The domain controller will hence be referred onto the recovery domain controller. Here, if there doesn’t exist such kind of global catalog, them directly go to step 2. Else, follow below.
  2. Take the decision for whether the deletions, additions or any other changes to the user accounts, security groups or computer accounts should be stopped temporarily until the recovery procedures are completed.

In order to maintain the recovery path, stop making all kinds of changes to the given items, temporarily. The changes include the password resets made by domain users, administrators in the domain wherein the particular deletion had occurred, help desk administrators, group membership alterations that are made in the user’s groups. Temporarily halt the additions, modification, deletions for the given items:

User accounts and the attributes onto the user accounts

a)      Service accounts

b)      Computer accounts along with the attributes on the computer accounts.

c)      Security groups

The best method is to completely stop making any kind of changes in the security groups, especially if all the statements hold true.

  • You are currently using the method for auth restoring the deleted users and computer accounts using the domain name (dn) path.
  • Except the concealed recovery domain controller, if the deletion has caused a replication to all the other domain controllers as well.
  • You aren’t an auth restoring security group or a part of their parent containers.
  1. Make an entirely new system backup within the domain where the particular deletion had occurred. You can always use the particular backup in order to roll back the changes.

In case if you have identified a recovery domain controller in the very step 1, take a backup for the system now.

  1. Well, if you are not able to find out the concealed global catalog controller within the domain where the deletion had occurred, then find the recent system backup for the catalog controller in the particular domain. Use the domain controller as the recovery domain controller.
  2. In the Dsrepair mode, start the given recovery domain controller if you are aware of the passwords for the administrator account. Reset the password, if you are not aware of it.
  3. During the startup procedure, click on F8 to initiate the particular recovery domain controller. Login with the administrator account using your password.
  4. Auth restoring all the deleted computer accounts, user accounts, security groups. This is performed with the help of the Ntdsutil command-line tool. Refer the domain name (dn) path for the deleted users or their containers which used to host the deleted users.
  5. If all the deleted objects are recovered using the system state restore then simply disjoint all the cables providing you connectivity.
  6. In the Active Directory mode, restart your recovery domain controller.
  7. In the recovery domain controller, type the given command for disabling the internal replication.

repadmin /options <recovery dc name> +DISABLE_INBOUND_REPL

  1. Now simply outbound-relpicate the auth-restored items into the domain controllers fro the recovery domain controller.
  2. Here, determine all the security groups in which the deleted users were basically a member of. Add them back to the groups.
  3. Disable the outbound replication using the command below and then click Enter:

repadmin /options +DISABLE_OUTBOUND_REPL

  1. Verify the membership in the specific recovery domain controller domains, global catalogs of other domains, etc.
  2. Create a new backup for the system in the recovery domain controller’s domain.
  3. Finally, notify all administrators about the restoration.

One Comment

  1. David

    Please review this tool ASN Active Directory Manager. Using this tool, the deleted objects (users, groups, contacts,computers) can be restored using more advanced options. Normally the restored users will be in disabled state and user’s membership and all other properties will be empty. This tool provides the options to set more properties while restoring the users. Generally all the deleted users are restored to their last known parent container. In some cases, last known parent may also be deleted and no required to restore.Here ASN Active Directory Manager provides the option to select the container to restore the deleted objects. Please visit this page for more details

Leave a Reply

Your email address will not be published. Required fields are marked *