Powershell: restore AD object with group membership
The purpose of this article is to show how to restore deleted objects together with their group membership using Powershell. To achieve this you will need to set up a lag site in your domain. If your domain functional level is Windows 2008 R2 and you have turned on the recycle bin, you can simply restore an object with its group membership using the Microsoft Powershell 2.0 Cmdlets, without any lag site.
The method described here achieves practically the same result and works on Windows Server 2003 and later versions. We will restore objects from the Tombstone using the Quest AD Cmdlets; your administration console only needs to run Windows XP or later, and you do not need to install the RSAT (which only run on Windows 7 and Windows Server 2008). You might have noticed on the “latest AD news sidebar“ that QAD Cmdlets version 1.4 was released a few days ago. The disadvantage of this method is that it might not be supported by MS; for best practices regarding the restore of deleted objects you can read this KB article. You will also need to modify your Active Directory schema. Use this method if a few accounts are deleted; if you have deleted an entire OU, use a proper authoritative restore. The advantage of using the Powershell script is that the restore process is really quick.
Once an object is deleted, it is moved into the Tombstone and some of the object’s attributes are erased for good. One of those attributes is the account password: when you restore a user or computer using tombstone reanimation you cannot, by default, restore its password, which can be really annoying. To prevent the password from being stripped you will need to modify your schema and update the searchFlags attribute on this object: CN=Unicode-Pwd,CN=Schema,CN=Configuration,DC=domain. You can read Michael Pietroforte’s post for more details and to learn how to set up the attributes you do not want to be erased for good when an object is moved to the tombstone.
Unfortunately you cannot modify the Active Directory schema to store the group membership of a tombstone object, which is why you need a lag site to retrieve the group membership of an object. In this site the replication schedule is different: for example, replication is only allowed once a day between 0h and 0h30, so an object deletion is not replicated immediately to the DC in this site. If the deletion occurred during the day you will be able to read the object’s group membership until midnight; you can then import the group membership you just retrieved from the lag site into the reanimated object.
The Quest AD command to restore a deleted user object and then activate the user account is:
Get-QADUser -Tombstone -SamAccountName $AccountRestore | Restore-QADDeletedObject | Enable-QADUser ....... |
$AccountRestore is the SamAccountName of the user account you need to restore from the tombstone. To restore a computer account just use Get-QADComputer instead. For a group you do not need to activate it… just use the Get-QADGroup Cmdlet.
Once the user account is restored we need to read its group membership on the lag site and import this information into the freshly restored account:
.... | Get-QADMemberof -service $DC_LAG_FQDN | foreach { if($_.name -ne "Domain Users"){Add-QADGroupMember -service $DC_FQDN $_ -Member $AccountRestore}} |
$DC_LAG_FQDN is the name of the Domain Controller located in the lag site; you then connect back to $DC_FQDN (the DC where the object was restored) and add the group membership you just read. You import all groups except “Domain Users” because the restored account is already a member of this group. Use the same method for a computer object, but this time exclude “Domain Computers”.
Restoring group objects is a bit more tricky, because a group has members and can also be a member of other groups. So you need to process the members part first and then the member-of part; to achieve this use the following command:
.... | %{ $RestoredGroup = $_ ; Get-QADGroupMember -service $DC_LAG_FQDN $RestoredGroup | Add-QADMemberOf -service $DC_FQDN -Group $AccountRestore ; Get-QADMemberof -service $DC_LAG_FQDN $RestoredGroup | foreach { Add-QADGroupMember -service $DC_FQDN $_ -Member $AccountRestore } } |
As you can see, restoring an object with its group membership can be done in Powershell with a one-liner. You can download the .ps1 script below, which performs the restore of the three kinds of objects: users, computers and groups.
You just need to edit the following variables:
- $Domain: Your domain NetBios name.
- $DC_FQDN: Domain Controller FQDN where the object is deleted.
- $DC_LAG_FQDN: Domain Controller FQDN located in your lag site.
- $AdminAD: Your admin account.
Once you have launched the script, just input the kind of object you need to restore: 1 for user, 2 for computer and 3 for group. Then enter your admin account password, and finally the name of the account you want to restore.
This script can be improved by adding new features. For example, if you have no lag site, you could query all the DCs in your domain to find one DC where the deletion has not been replicated yet, suspend inbound replication on this DC using repadmin.exe, read the group membership of the deleted account on that DC, restore the object with its group membership, and turn inbound replication back on once the restore is completed.
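The following script is an added example of the whole procedure (tombstone reanimation on $DC_FQDN, membership read on $DC_LAG_FQDN, membership re-applied on $DC_FQDN); it is not the downloadable .ps1 from this post. It uses only Quest AD cmdlets named in the article plus Connect-QADService, Get-QADObject and Add-PSSnapin (snap-in name Quest.ActiveRoles.ADManagement); the variable names follow the post, the function names and all server, domain and account values are made-up placeholders, and the check that the object is still alive on the lag DC is an assumption added here so the script stops instead of silently restoring an account with no groups when the deletion has already replicated.

```powershell
# Added example (not the post's script): restore a deleted user, computer or group from the
# tombstone and put back its group membership as still seen on the lag-site DC.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

$Domain      = "CONTOSO"                  # NetBIOS domain name (placeholder)
$DC_FQDN     = "dc01.contoso.example"     # DC where the deletion is already replicated (placeholder)
$DC_LAG_FQDN = "dclag01.contoso.example"  # DC in the lag site (placeholder)
$AdminAD     = "adminrestore"             # admin account (placeholder)

# Step 1: read the deleted object from the tombstone on the main DC and reanimate it.
function Restore-ObjectFromTombstone {   # hypothetical helper name
    param([string]$Kind, [string]$Name, [string]$Server, [pscredential]$Credential)
    $conn = @{ Service = $Server; Credential = $Credential }
    switch ($Kind) {
        '1' { $tombstones = Get-QADUser     @conn -Tombstone | Where-Object { $_.SamAccountName -eq $Name } }
        '2' { $tombstones = Get-QADComputer @conn -Tombstone | Where-Object { $_.SamAccountName -eq "$Name$" } }
        '3' { $tombstones = Get-QADGroup    @conn -Tombstone | Where-Object { $_.SamAccountName -eq $Name } }
        default { throw "Unknown object kind '$Kind' (use 1, 2 or 3)" }
    }
    if (-not $tombstones) { throw "No tombstone for '$Name' found on $Server" }
    # An account deleted and recreated several times leaves several tombstones; refuse to guess.
    if (@($tombstones).Count -gt 1) { throw "Several tombstones match '$Name'; restore the right one by DN" }
    $restored = Restore-QADDeletedObject @conn -Identity $tombstones
    # Users come back disabled; computers and groups need no activation.
    if ($Kind -eq '1') { $restored = Enable-QADUser @conn -Identity $restored }
    return $restored
}

# Step 2: copy the group membership the lag-site DC still holds onto the restored object.
function Copy-GroupMembershipFromLagSite {   # hypothetical helper name
    param([string]$Kind, $Restored, [string]$LagServer, [string]$Server, [pscredential]$Credential)
    $lag  = @{ Service = $LagServer; Credential = $Credential }
    $main = @{ Service = $Server;    Credential = $Credential }

    # The SID survives the tombstone, so it identifies the same (not yet deleted) object on the lag DC.
    $onLag = Get-QADObject @lag -Identity $Restored.SID -ErrorAction SilentlyContinue
    if (-not $onLag) {
        throw "The deletion has already replicated to $LagServer; group membership can no longer be read there"
    }

    # The primary group is carried by primaryGroupID and survives the restore, so it is skipped.
    $primary = @{ '1' = 'Domain Users'; '2' = 'Domain Computers'; '3' = $null }[$Kind]

    if ($Kind -eq '3') {
        # Members part (groups only): put back every object that was a member of the deleted group.
        Get-QADGroupMember @lag -Identity $Restored.SID | ForEach-Object {
            Add-QADMemberOf @main -Identity $_.DN -Group $Restored.DN
        }
    }
    # Member-of part: every group the object belonged to, read on the lag DC, re-added on the main DC.
    Get-QADMemberOf @lag -Identity $Restored.SID | Where-Object { $_.Name -ne $primary } | ForEach-Object {
        Add-QADGroupMember @main -Identity $_.DN -Member $Restored.DN
    }
}

# Interactive flow, same prompts as the post describes.
$kind           = Read-Host "Object to restore: 1 = user, 2 = computer, 3 = group"
$cred           = Get-Credential "$Domain\$AdminAD"
$AccountRestore = Read-Host "SamAccountName of the deleted object"

$restored = Restore-ObjectFromTombstone -Kind $kind -Name $AccountRestore -Server $DC_FQDN -Credential $cred
Copy-GroupMembershipFromLagSite -Kind $kind -Restored $restored -LagServer $DC_LAG_FQDN -Server $DC_FQDN -Credential $cred
Write-Host "Restored $($restored.DN) with its group membership"
```

The script runs from any workstation with the Quest snap-in installed and reaches both DCs with the -Service and -Credential connection parameters instead of a persistent Connect-QADService session, so the read on the lag DC and the write on the main DC cannot be mixed up. Run it before the lag site's replication window (midnight in the post's example); after that window the lag-DC check above fails and only the object itself, without its groups, could be reanimated.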