Undeleting Active Directory Objects

Windows 2003 Active Directory domain controllers (and newer versions) don't throw away deleted objects immediately. Instead, they are stored as tombstones in the hidden Deleted Objects container, which is placed in the root of each Active Directory partition (that is, in each domain).

Active Directory uses these tombstones for replication purposes: if another domain controller was offline for a while, the information about objects which were deleted in the meantime still has to be replicated to it.

LEX can see and browse the Deleted Objects container (if you are a member of the built-in 'Administrators' group; otherwise you do not have the permission to see it). LEX can even recover some objects from the Deleted Objects container! But you have to know that some restrictions apply to this undelete operation.

  1. Tombstones of objects which are removed from the directory don't reside in the Deleted Objects container forever! They always have a limited lifetime (the tombstone lifetime) - after that timespan, they are gone forever (if you do not have a REAL AD backup). Originally, that timespan was 60 days per default; in environments which were installed with Windows 2008 domain controllers, the default timespan for object undeletion is 180 days.

  2. There are some differences depending on the operating system version of the domain controller:

    • Windows 2003 / Windows 2008: Objects can be undeleted, but not all attributes can be restored: the references to other objects are lost. This is important because you lose all group memberships for undeleted users and groups! This kind of undeletion is called Tombstone Reanimation.
      => Go to the manual topic about Tombstone Reanimation with LEX.

    • Windows 2008 R2 (and newer): There is a new feature called AD Recycle Bin. It has to be activated (it's a global flag for the entire forest). Then deleted objects can be fully restored with all their attributes - including the group memberships and all other referential integrity.
      => Go to the manual topic about the AD Recycle Bin object recovery with LEX.
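The three facts above (the tombstone lifetime, the forest-wide Recycle Bin flag, and the contents of the Deleted Objects container) can also be checked from the command line. The following PowerShell script is an added example and is not part of the LEX manual or of LEX itself; it assumes the RSAT ActiveDirectory module is installed and that the account running it may read the Deleted Objects container (the same built-in Administrators requirement described above). The expiry column is an approximation computed from whenChanged plus the tombstone lifetime.

```powershell
# Added example (not from the LEX manual): inspect tombstone lifetime, Recycle Bin
# state and the current tombstones of the domain. Assumes the RSAT ActiveDirectory
# module and read permission on the Deleted Objects container.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# 1. Tombstone lifetime lives on the Directory Service object in the configuration
#    partition. If the attribute is not set, the old default of 60 days applies;
#    forests installed with Windows 2008 DCs carry an explicit value of 180.
$dsSettingsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsSettings = Get-ADObject -Identity $dsSettingsDn -Properties tombstoneLifetime
$lifetime = if ($dsSettings.tombstoneLifetime) { [int]$dsSettings.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $lifetime days"

# 2. The AD Recycle Bin is an optional feature; it is enabled forest-wide when
#    EnabledScopes contains the forest partition. Without it, an undelete is a
#    tombstone reanimation and link attributes (group memberships) are lost.
$bin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$binEnabled = @($bin.EnabledScopes).Count -gt 0
"AD Recycle Bin enabled: $binEnabled"

# 3. List the tombstones in this domain. -IncludeDeletedObjects sends the LDAP
#    'show deleted objects' control; the Deleted Objects container itself is also
#    flagged isDeleted, so it is filtered out by name.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
             -IncludeDeletedObjects `
             -Properties whenChanged, lastKnownParent, objectClass |
    Select-Object Name, objectClass, lastKnownParent,
        # Approximation: whenChanged is normally the deletion time of a tombstone.
        @{ Name = 'GoneAfter'; Expression = { $_.whenChanged.AddDays($lifetime) } } |
    Sort-Object GoneAfter |
    Format-Table -AutoSize
```

Reading the output against the list above: if "AD Recycle Bin enabled" is False, any recovery (with LEX or with the ActiveDirectory module's Restore-ADObject) is a tombstone reanimation and the group memberships of the listed objects are already gone; if it is True, the objects can be restored with their references intact. Objects whose GoneAfter date is in the past are about to be garbage collected and can only be recovered from an AD backup.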