Active Directory Objects Restoration
Many free tools and scripts are available on the internet for restoring AD objects, but restoring group membership needs either a very long script or a third-party tool (ADRestore.net, OIRECMgr.exe and many others).
Here we will not use any tool, neither third-party nor built in-house. I will take a simple attribute backup once a week; you can plan the schedule according to your company. That attribute backup is a .csv file.
When you need to restore an AD object, use PowerShell. I will show you step by step. Here the FFL and DFL are Windows 2003, so the AD Recycle Bin is not supported.
Applies to
Windows 2008 R2, Windows 2012 and Windows 2012 R2. Tested on FFL and DFL Windows 2003.
Attributes Backups
Backup of all AD groups' memberOf and member attributes. Schedule it once a week.
ipmo activedirectory
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
Get-ADGroup -Filter * -Properties memberof,member | Select name,@{n="memberof";e={[string]$_.memberof}},@{n="member";e={[string]$_.member}} | Export-Csv C:\Scripts\All_Groups_attrs_$CurrentDate.csv -NoTypeInformation
Backup of all AD users' memberOf attribute. Schedule it once a week.
ipmo activedirectory
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
Get-ADUser -filter * -prop memberof | Select name,@{n="memberof";e={[string]$_.memberof}} | Export-Csv C:\Scripts\All_Users_attrs_$CurrentDate.csv -NoTypeInformation
Backup of all attributes of all AD users. Schedule it once a week. This script cannot back up the multi-valued memberOf and member attributes (Export-Csv writes the collection type name instead of the values), hence the separate scripts above; you can combine them into a single script.
ipmo activedirectory
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
Get-ADUser -Filter * -Properties * | Export-Csv C:\Scripts\All_Users_All_attrs_$CurrentDate.csv -NoTypeInformation
Restoration
1. Run the one-liner below to get the deleted object's "DN" and "lastKnownParent" attributes:
ldifde -x -d "cn=deleted objects,dc=contoso,dc=com" -f delobjs.ldf
Open that file in Notepad and copy the "DN" and "lastKnownParent" of the deleted object. I have already deleted an account called "bshwjt".
Run the PowerShell command below with the deleted object's "DN" (as -Identity) and "lastKnownParent" (as -TargetPath).
Restore-ADObject -Identity "CN=bshwjt\0ADEL:dd1812f5-653b-43b3-89f2-aaec8373d29c,CN=Deleted Objects,DC=Contoso,DC=com" -NewName "bshwjt" -TargetPath "OU=TestOU,DC=Contoso,DC=com"
See the link below for more details - Restore-ADObject
https://technet.microsoft.com/en-us/library/ee617262.aspx
User restoration is done. Reset the user's password and enable the account.
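The weekly backups above join the multi-valued attributes with spaces, and the restore step leaves group membership to be re-created from the CSV by hand. The following is an added example, not the author's script: it writes a ';'-delimited memberOf backup (group DNs themselves contain spaces, so a space-joined list is ambiguous) and re-adds a restored user to the groups recorded there. The output folder C:\Scripts and the CSV file name in the usage line are assumptions.

```powershell
Import-Module ActiveDirectory

# Export every user's memberOf as a ';'-joined list of group DNs.
function Backup-UserMemberOf {
    param([string]$OutDir = 'C:\Scripts')   # assumed output folder
    $stamp = (Get-Date).ToString('MM-dd-yyyy_hh-mm-ss')
    $path  = Join-Path $OutDir "All_Users_memberOf_$stamp.csv"
    Get-ADUser -Filter * -Properties memberOf |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'memberOf'; e = { ($_.memberOf | Sort-Object) -join ';' } } |
        Export-Csv -Path $path -NoTypeInformation
    return $path
}

# After Restore-ADObject, re-add the user to the groups recorded in the backup.
# Returns the group DNs that were added (or would be added, with -WhatIf).
function Restore-UserMemberOf {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$BackupCsv
    )
    $row = Import-Csv -Path $BackupCsv | Where-Object { $_.SamAccountName -eq $SamAccountName }
    if (-not $row) { throw "No backup row for '$SamAccountName' in $BackupCsv" }

    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $wanted = $row.memberOf -split ';' | Where-Object { $_ }
    # Only add groups the restored user is not already in (-notcontains compares DNs case-insensitively).
    $missing = @($wanted | Where-Object { $user.memberOf -notcontains $_ })
    $added = foreach ($groupDn in $missing) {
        # A group deleted since the backup cannot be re-added; report it and move on.
        try { $null = Get-ADGroup -Identity $groupDn -ErrorAction Stop }
        catch { Write-Warning "Group no longer exists, skipping: $groupDn"; continue }
        if ($PSCmdlet.ShouldProcess($groupDn, "Add $SamAccountName")) {
            Add-ADGroupMember -Identity $groupDn -Members $user
        }
        $groupDn
    }
    return $added
}

# Usage (assumed file name). The primary group (Domain Users) is not in memberOf and is left untouched.
# Restore-UserMemberOf -SamAccountName bshwjt -BackupCsv 'C:\Scripts\All_Users_memberOf_01-01-2015_10-00-00.csv' -WhatIf
```

Run it once with -WhatIf to review the group list before changing anything, then without it to re-add the memberships.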
Benefits
1) No third-party tool is involved.
2) No cost is involved.
3) Complete free solution.
Please note: tested on Windows 2003 FFL and DFL; the DCs are Windows 2008 R2.
DSAMAIN
If you also have a system state backup of your Windows 2008 R2 DC, you can mount that backup using dsamain and verify the group membership without downtime.
If a system state backup is in place, you do not need any of the scripts above.
dsamain /dbpath <path_to_database_file> /ldapport <port_#>
See the link below for more details - DSAMAIN.EXE
https://technet.microsoft.com/en-us/library/cc753609(v=ws.10).aspx
Use the PowerShell command below to get the user's info from the offline NTDS.DIT (the port is the one given to dsamain /ldapport):
Get-ADUser -Identity bshwjt -Pr * -Server ANA-DC003:5000
You may hit an issue when using dsamain; see the link below for the resolution.
https://support.microsoft.com/en-us/kb/959215?wa=wsignin1.0
_________________________________________________________________________________
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.