
Step 2: Restore a Deleted Active Directory Object

Updated: October 27, 2010

Applies To: Windows Server 2008 R2

This step provides instructions for completing the following tasks with Active Directory Recycle Bin:

Displaying the Deleted Objects container

When Active Directory objects are deleted, they are placed in the Deleted Objects container. By default, the CN=Deleted Objects container is not displayed. You can use the Ldp.exe administration tool in Active Directory Domain Services (AD DS) to display the Deleted Objects container.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To display the Deleted Objects container

  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.

  2. On the Options menu, click Controls.

  3. In the Controls dialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.

  4. To verify that the Deleted Objects container is displayed:

    1. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind.

    2. Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.

    3. In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects, DC=<mydomain>,DC=<com> container, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.

Restoring a deleted Active Directory object using Ldp.exe

You can use Ldp.exe to restore a single, deleted Active Directory object.

Important
You have to run Ldp.exe from an elevated command prompt to restore a deleted object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To restore a deleted Active Directory object using Ldp.exe

  1. Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.

  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.

  3. In the console tree, navigate to the CN=Deleted Objects container.

  4. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.

  5. In the Modify dialog box:

    1. In Edit Entry Attribute, type isDeleted.

    2. Leave the Values box empty.

    3. Under Operation, click Delete, and then click Enter.

    4. In Edit Entry Attribute, type distinguishedName.

    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.

    6. Under Operation, click Replace.

    7. Make sure that the Extended check box is selected, click Enter, and then click Run.

Note
When you delete or recover an Active Directory object with link-valued attributes, AD DS must process the object’s link value table to maintain referential integrity on the linked attribute’s values. Because deleting or recovering an Active Directory object results in modifications to the object’s link value table, if you attempt to delete or recover an object during its ongoing link-value-table processing time, the operation will be blocked. For example, if you use the Active Directory Recycle Bin to recover a deleted object with a large number of link-valued attributes (for example, a group object with 10 million users) immediately after it was deleted (or anytime throughout the duration of its link-value-table processing), the object recovery will be blocked. (If you are using Ldp.exe to perform the recovery, you might see the following error message: "Error 0x2093 The operation cannot continue because the object is in the process of being removed.")
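Under the hood, the Ldp.exe steps above are a single LDAP modify request, sent with the Return deleted objects control, that removes isDeleted and replaces distinguishedName. The following PowerShell function is an added example, not code from the original page or from Microsoft; it issues that same request through the System.DirectoryServices.Protocols classes so the restore can be scripted and its result code checked. The server name and the two DNs are placeholders you supply; the function name Restore-DeletedObjectViaLdap is this example's own, and the LDAPS connection follows the 0x2077 replies further down this page rather than a documented requirement.

```powershell
# Added example (not from the page): the Ldp.exe restore as one LDAP modify
# request with the Show Deleted (Return deleted objects) control.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-DeletedObjectViaLdap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,      # placeholder, e.g. 'dc01.contoso.com'
        [Parameter(Mandatory)] [string] $MangledDn,   # DN under CN=Deleted Objects
        [Parameter(Mandatory)] [string] $OriginalDn   # full original DN to restore to
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS; replies below report 0x2077 without it
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # binds as the current (elevated) user, who needs Domain Admins or equivalent

    # Step 1 of the Modify dialog: delete the isDeleted attribute, no value given.
    $removeIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $removeIsDeleted.Name      = 'isDeleted'
    $removeIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Step 2 of the Modify dialog: replace distinguishedName with the original DN,
    # which moves the object out of CN=Deleted Objects back under its parent.
    $replaceDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $replaceDn.Name      = 'distinguishedName'
    $replaceDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$replaceDn.Add($OriginalDn)

    # Both changes go in one request; the Extended check box in Ldp is what lets
    # the request carry controls, and the Show Deleted control is what lets the
    # DC address an object that lives in the Deleted Objects container.
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest($MangledDn, @($removeIsDeleted, $replaceDn))
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    try {
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode   # Success when the object was restored
    }
    finally {
        $conn.Dispose()
    }
}

# Usage with constructed placeholder values (the GUID below is not real):
# Restore-DeletedObjectViaLdap -Server 'dc01.contoso.com' `
#     -MangledDn 'CN=Mary\0ADEL:00000000-0000-0000-0000-000000000000,CN=Deleted Objects,DC=contoso,DC=com' `
#     -OriginalDn 'CN=Mary,OU=Finance_Department,DC=contoso,DC=com'
```

A non-zero result code maps to the same errors the Ldp.exe output shows (0x2077 for an illegal modify, 0x2071 when the original name is already in use, 0x2093 while link-value processing is still running), so the return value is the thing to check before assuming the object is back.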

Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.

To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

    Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

    For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:

    Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

For more information about the Get-ADObject and Restore-ADObject cmdlets, at the Active Directory module for Windows PowerShell command prompt, type Get-Help Get-ADObject or Get-Help Restore-ADObject, and then press ENTER.

Restoring multiple, deleted Active Directory objects

Consider the following scenario: An administrator at Contoso.com accidentally deletes a nested organizational unit (OU) called Finance_Department, which contains user accounts for employees in the Finance department. The Finance_Department OU also contains another OU called Admins, which holds user accounts for administrative assistants who work for the Finance department. Brian and Mary are user accounts in the Finance_Department OU. Tom is a user account in the Admins OU. The following illustration shows the Finance_Department OU.

[Illustration: the Finance_Department OU, containing the user accounts Brian and Mary and the nested Admins OU, which contains the user account Tom]

When the Finance_Department OU is deleted, all its objects (a total of five objects) are moved to the Deleted Objects container, with their distinguished names mangled. The Deleted Objects container displays all logically deleted objects in a flat hierarchy as its direct children. The recommended approach to restoring a nested OU to its original state is to use the Get-ADObject Active Directory module cmdlet to retrieve the deleted objects one hierarchy level at a time and then to pass those objects through the pipeline to the Restore-ADObject cmdlet. If the administrator is not familiar with the original hierarchy of the Finance_Department OU, the administrator must first use the Get-ADObject cmdlet to perform several investigation steps:

  • For example, the administrator decides to search for the user account Mary with the Get-ADObject cmdlet, using the msDS-lastKnownRDN attribute in the ldapFilter parameter and constructing the command so that the lastKnownParent attribute of Mary is returned, as follows:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -ldapFilter:"(msDs-lastKnownRDN=Mary)" -IncludeDeletedObjects -Properties lastKnownParent

    In the output that the Get-ADObject cmdlet returns, the administrator notices that the value for lastKnownParent of Mary is Finance_Department. The administrator also notices that the distinguished name of the Finance_Department OU is mangled, which indicates that the Finance_Department OU object itself is deleted. (An example of a mangled distinguished name is OU=Finance_Department\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=contoso,DC=com.)

  • The administrator then decides to search for all the objects in the Deleted Objects container whose lastKnownParent value is Finance_Department, using the following command:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Finance_Department\\0ADEL:e954edda-db8c-41be-bbbd-599bef5a5f2a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    Note
    Make sure that you escape the backslash (\) in the mangled distinguished name that is used in the Get-ADObject cmdlet with another backslash.

    In the output that the Get-ADObject cmdlet returns, the administrator notices that Admins is an OU itself.

  • The administrator further searches for all the deleted objects with a lastKnownParent attribute equal to Admins, using the following command:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq 'OU=Admins\\0ADEL:6b405c87-027c-4135-95af-36c31002be5a,CN=Deleted Objects,DC=contoso,DC=com'} -IncludeDeletedObjects -Properties lastKnownParent | ft

    Note
    Make sure that you escape the backslash (\) in the mangled distinguished name that is used in the Get-ADObject cmdlet with another backslash.

    In the output that the Get-ADObject cmdlet returns, the administrator finds the user account Tom.

  • In Windows Server 2008 R2, deleted nested objects must be restored from the highest level of their hierarchy to a live parent. Therefore, the Finance_Department OU object must be restored first. All previous investigation steps used the lastKnownParent attribute, which points only to the direct parent of an object and does not indicate whether that parent's own parent is also deleted. As a check, the administrator can verify that the lastKnownParent of Finance_Department is indeed a live OU by running the following command:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -ldapFilter:"(msDs-lastKnownRDN=Finance_Department)" -IncludeDeletedObjects -Properties lastKnownParent

    This concludes the investigation and the administrator is ready to restore the Finance_Department OU to its original hierarchy and state.

Important
It is critical to begin restoring objects from the highest level of the hierarchy because deleted objects must be restored to a live parent.

To restore the Finance_Department OU, the administrator can perform the following procedure.

To restore the Finance_Department OU

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. Restore the Finance_Department OU by running the following command at the Active Directory Module for Windows PowerShell prompt:

    Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Finance_Department)" -IncludeDeletedObjects | Restore-ADObject

  3. Restore the user accounts Brian and Mary and the Admins OU (the direct children of the Finance_Department OU whose distinguished name was restored to OU=Finance_Department,DC=contoso,DC=com in the previous step) by running the following command at the Active Directory Module for Windows PowerShell prompt:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject

  4. Restore the user account Tom (the direct child of the Admins OU whose distinguished name was restored to OU=Admins,OU=Finance_Department,DC=contoso,DC=com in the previous step) by running the following command at the Active Directory Module for Windows PowerShell prompt:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Admins,OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
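The investigation steps (following lastKnownParent upward until a live ancestor is found) and the three-step top-down restore above can be scripted as a pair of functions. The following is an added example, not the page's own procedure and not the sample script in Appendix B; it assumes the Active Directory module is loaded, rights equivalent to Domain Admins, and the constructed contoso.com names from the scenario. The function names Get-DeletedAncestry and Restore-DeletedTree are this example's own. It generalizes the manual steps to a subtree of any depth and adds two pre-flight checks that the error reports on this page call for: the parent must be live before a child is restored, and the original name must not already be in use.

```powershell
# Added example (not from the page or Appendix B): investigate and restore a
# deleted subtree top-down, one hierarchy level at a time.
Import-Module ActiveDirectory

# Constructed for the scenario on this page; change to your forest root domain.
$DeletedObjectsDn = "CN=Deleted Objects,DC=contoso,DC=com"

# Follow lastKnownParent upward from a deleted object until a live ancestor is
# found, reporting each ancestor and whether it is itself deleted.  A deleted
# ancestor shows up with a mangled DN (\0ADEL:<guid>) and isDeleted = TRUE.
function Get-DeletedAncestry {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $LastKnownRdn)

    # Several deleted objects can share an RDN (see the "multiple copies" reply
    # further down); this example simply takes the first match.
    $obj = Get-ADObject -SearchBase $DeletedObjectsDn -IncludeDeletedObjects `
        -LDAPFilter "(msDS-LastKnownRDN=$LastKnownRdn)" -Properties 'lastKnownParent' |
        Select-Object -First 1
    if (-not $obj) { throw "No deleted object named '$LastKnownRdn' in $DeletedObjectsDn." }

    $chain = @()
    $parentDn = $obj.lastKnownParent
    while ($parentDn) {
        $parent = Get-ADObject -Identity $parentDn -IncludeDeletedObjects -Properties 'lastKnownParent', 'isDeleted'
        $chain += [pscustomobject]@{
            DistinguishedName = $parent.DistinguishedName
            IsDeleted         = [bool]$parent.isDeleted
        }
        if (-not $parent.isDeleted) { break }   # live ancestor reached: the restore starts below it
        $parentDn = $parent.lastKnownParent
    }
    return $chain
}

# Restore one deleted object, then recursively every deleted object whose
# lastKnownParent is the DN it was restored to.  Top-down order is required
# because a deleted object can only be restored to a live parent.
function Restore-DeletedTree {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DeletedDn)

    $obj = Get-ADObject -Identity $DeletedDn -IncludeDeletedObjects `
        -Properties 'lastKnownParent', 'msDS-LastKnownRDN', 'objectClass'

    # Pre-flight 1: the parent must be live (the Important note above).
    $parent = Get-ADObject -Identity $obj.lastKnownParent -IncludeDeletedObjects -Properties 'isDeleted'
    if ($parent.isDeleted) {
        throw "Parent '$($parent.DistinguishedName)' is still deleted; restore it first."
    }

    # Pre-flight 2: the original DN must be free, otherwise the restore fails with
    # 0x2071 (name already in use) and Restore-ADObject -NewName would be needed.
    # Assumption of this example: OUs are named by OU=, everything else by CN=.
    $rdnAttr  = if ($obj.objectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
    $targetDn = "$rdnAttr=$($obj.'msDS-LastKnownRDN'),$($obj.lastKnownParent)"
    $existing = $null
    try { $existing = Get-ADObject -Identity $targetDn -ErrorAction Stop } catch { }
    if ($existing) {
        throw "A live object already exists at '$targetDn'; restore with -NewName instead."
    }

    $restored = Restore-ADObject -Identity $DeletedDn -PassThru
    Write-Verbose "Restored $($restored.DistinguishedName)"

    # Children deleted along with it now carry the restored (live) DN in
    # lastKnownParent, so no \0ADEL: backslash escaping is needed in this filter.
    $children = Get-ADObject -SearchBase $DeletedObjectsDn -IncludeDeletedObjects `
        -Filter "lastKnownParent -eq '$($restored.DistinguishedName)'"
    foreach ($child in $children) {
        Restore-DeletedTree -DeletedDn $child.DistinguishedName
    }
    return $restored
}

# Usage with the scenario's constructed names: inspect Mary's ancestry first,
# then restore the whole Finance_Department subtree from its top.
Get-DeletedAncestry -LastKnownRdn 'Mary' | Format-Table -AutoSize
$top = Get-ADObject -SearchBase $DeletedObjectsDn -IncludeDeletedObjects `
    -LDAPFilter "(msDS-LastKnownRDN=Finance_Department)" | Select-Object -First 1
Restore-DeletedTree -DeletedDn $top.DistinguishedName -Verbose
```

Running Get-DeletedAncestry before Restore-DeletedTree is the scripted form of the last investigation step: the first entry in the chain with IsDeleted equal to False is the live parent, and the entry just below it is the object to pass to Restore-DeletedTree.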

For more information about the Get-ADObject and Restore-ADObject cmdlets, at the Active Directory Module for Windows PowerShell command prompt, type Get-Help Get-ADObject or Get-Help Restore-ADObject.

For a sample Windows PowerShell script that you can use to restore a deleted tree of Active Directory objects, see Appendix B: Restore Multiple, Deleted Active Directory Objects (Sample Script).

Community Content
"illegal modify operation" - Fixed

I suspect this may be too late a response to be helpful to the existing contributors, but may help future searchers.
I fixed the "illegal modify operation" error generated by

Get-ADObject -Filter 'samaccountname -eq "kimabercrombie"' -IncludeDeletedObjects | Restore-ADObject

by adding this switch to the end of the command

-NewName "KimAbercrombie"
A solution to Error 0x2077
Regarding the error:
"Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted."

-Ensure that you are connecting to your DC by using LDAPS (SSL, port 636)
-When performing the rename operation using LDP.exe, ensure that you are changing the distinguishedName to an object that doesn't exist. In my case, I received this error when I forgot to include the computer's name in the DN (meaning, I only had OU=x,DC=y,DC=z instead of CN=Server,OU=x,DC=y,DC=z)
-If using PowerShell and you receive this error: use LDP.exe and ensure you are using LDAPS and a DN that doesn't exist
Show only deleted Objects

Instead of searching the deleted object by Name, you can display all deleted objects:

get-adobject -Filter {Deleted -eq $true} -IncludeDeletedObjects

Or to display only deleted users:

get-adobject -Filter{Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects
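Building on the two listing commands in the comment above, here is an added example (not the commenter's code) that turns the listing into an inventory report: one row per deleted object, with its original name, when it was deleted, where it lived, whether its parent was deleted too (so the parent has to be restored first), and whether it is still restorable. The function name Get-DeletedObjectReport and the contoso.com domain DN are this example's own assumptions.

```powershell
# Added example (not from the comment above): inventory of the Deleted Objects
# container, the view a defender wants before deciding what to restore.
Import-Module ActiveDirectory

function Get-DeletedObjectReport {
    [CmdletBinding()]
    param(
        [int]      $Days        = 30,
        [string]   $DomainDn    = "DC=contoso,DC=com",   # constructed placeholder
        [string[]] $ObjectClass = @('user', 'group', 'computer', 'organizationalUnit')
    )

    $since       = (Get-Date).AddDays(-$Days)
    $deletedBase = "CN=Deleted Objects,$DomainDn"

    # whenChanged is updated by the deletion itself, so it serves as the delete time.
    # The script-block filter lets the module resolve $since on the server side.
    Get-ADObject -SearchBase $deletedBase -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and whenChanged -gt $since } `
        -Properties 'lastKnownParent', 'msDS-LastKnownRDN', 'objectClass', 'whenChanged', 'isRecycled' |
      Where-Object { $ObjectClass -contains $_.objectClass } |
      ForEach-Object {
        [pscustomobject]@{
            Name            = $_.'msDS-LastKnownRDN'
            ObjectClass     = $_.objectClass
            DeletedAt       = $_.whenChanged
            LastKnownParent = $_.lastKnownParent
            # A mangled parent DN means the parent was deleted too: restore it first.
            ParentDeleted   = $_.lastKnownParent -like '*\0ADEL:*'
            # Once isRecycled is set, the object has passed the deleted object
            # lifetime and Restore-ADObject can no longer bring it back.
            Restorable      = -not [bool]$_.isRecycled
        }
      } |
      Sort-Object DeletedAt -Descending
}

# Usage: everything deleted in the last week, grouped by where it came from.
Get-DeletedObjectReport -Days 7 | Sort-Object LastKnownParent, DeletedAt | Format-Table -AutoSize
```

Sorting by LastKnownParent makes an accidental OU deletion stand out as a block of rows sharing one mangled parent DN with ParentDeleted set to True; the single row for the OU itself, with ParentDeleted False, is the one to restore first.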

RE: Error 0x2077

Ensure you are using the full Original DN when entering the Modify command. For example if you are restoring a group object named "Finance" that was originally in the OU named "Company" under the Domain "contoso.com" you would enter "CN=Finance,OU=Company,DC=Contoso,DC=com" in the Values: box when the Edit Entry Attribute box contains "DistinguishedName" and the operation is Replace.

Error "Illegal modify operation. Some aspect of the modification is not permitted"

When trying to restore a domain user account on Windows Server 2008 R2 Enterprise (Release Candidate, Build 7100) Domain Controller either using PowerShell or Ldp.exe error occurred: "Illegal modify operation. Some aspect of the modification is not permitted".

Same problem here... Error 0x2077 Illegal modify Operation.

Windows Server 2008 R2 Standard Edition Final release. When trying to recover a user account following the procedure with ldp. I'll try the PowerShell procedure, but I think that I will have the same result:

***Call Modify...
ldap_modyfy_ext_s(ld,'CN=user\0ADEL:1663aeb8-6553-44...........',[2] attrs,SvrCtrls, ClntCtrls);
Error: Modify: Unwilling To Perform. <53>
Server error: 00002077: SvcErr:DSID-031B0D85, problem 5003 (WILL_NOT_PERFORM), data 0

Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.

Multiple copies of the same account in the Recycle Bin?
Here is an interesting article that explains how you might end up with a bunch of deleted user accounts inside the Recycle Bin that you might think should not be in there or look to be clones or copies of each other:

http://blogs.technet.com/b/instan/archive/2010/05/10/ad-recycle-bin-and-the-conspicuously-cloned-user-accounts-conundrum.aspx
Same error! When will this be fixed?
Windows 2008 R2 + Windows 2003 DCs.

PS Z:\> Get-ADObject -Filter {sAMAccountName -eq "SERVER2$"} -IncludeDeletedObjects | Restore-ADObject

Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted
At line:1 char:94
+ Get-ADObject -Filter {sAMAccountName -eq "SERVER$"} -IncludeDeletedObjects | Restore-ADObject <<<<
+ CategoryInfo : InvalidOperation: (CN=SERVER\0ADEL...,DC=test,DC=com:ADObject) [Restore-ADObject], ADIll
egalModifyOperationException
+ FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject

When does MS think it will fix this error? I tried PS and LDP and got the same error.
Error: Modify: Already Exists. <68>

When attempting to recover an item using LDP.exe I receive the following message:

***Call Modify...
ldap_modify_ext_s(ld, 'CN=Deletion Test\0ADEL:72bfa651-1924-48c6-a4cb-faa780d88ce2,CN=Deleted Objects,DC=redacted,DC=domain',[2] attrs, SvrCtrls, ClntCtrls);
Error: Modify: Already Exists. <68>
Server error: 00002071: UpdErr: DSID-031B0B8E, problem 6005 (ENTRY_EXISTS), data 0
Error 0x2071 An attempt was made to add an object to the directory with a name that is already in use.
The object is not recovered.

Not working
As I read this, the command in step #3 is supposed to restore all users from a deleted OU after you first restored the OU.

To restore the Finance_Department OU

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

  2. Restore the Finance_Department OU by running the following command at the Active Directory Module for Windows PowerShell prompt:

    Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=Finance_Department)" -IncludeDeletedObjects | Restore-ADObject

  3. Restore the user accounts Brian and Mary and the Admins OU (the direct children of the Finance_Department OU whose distinguished name was restored to OU=Finance_Department,DC=contoso,DC=com in the previous step) by running the following command at the Active Directory Module for Windows PowerShell prompt:

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastKnownParent -eq "OU=Finance_Department,DC=contoso,DC=com"} -IncludeDeletedObjects | Restore-ADObject
In my test environment, I delete an OU named Eng and it has (2) users in it. I restore the Eng OU first, then attempt step #3 to restore the 2 users but it does not work. I do not receive an error message and it appears the command runs.

Same Behavior
I am also receiving the same behavior. I am actually going through my upgrade exam book right now and have tried the steps given in the book multiple times. Each time I receive the error:

Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.

Any solutions? Is it a bug in R2?