Recover Deleted Active Directory Account

Have you ever deleted an Active Directory user in error? This recently happened to us. We were cleaning up our Microsoft Exchange environment in preparation for migrating to Microsoft Online Services, part of the NjevityToGo offering. Somehow we managed to delete the account of our company’s president. Not good. An Active Directory user account controls all aspects of a user’s computing life: security for email, user folders and the user’s profile is all controlled from the Active Directory account. Almost immediately Chris could no longer connect to email.

We could create a new account, give that account access to the old account’s data and migrate everything over, but I’ve done something like that before. Years ago we migrated a client network from a workgroup environment to Active Directory. It was time consuming and laborious. Neither my boss nor I was looking forward to that process.

Microsoft has a recovery process if you have a backup of the System State of a Domain Controller. It is also a slow, methodical process. If you feel like using their supported method you can find it at http://support.microsoft.com/kb/840001.

BUT, WAIT! When you delete something in Active Directory it doesn’t get deleted immediately. It gets “tombstoned.” The object gets its IsDeleted property set to True. The object doesn’t actually get deleted for at least 60 days. GREAT, but how do you get to it? Easy, thanks to Guy Teverovsky, an MVP from Israel. Some time ago he wrote a command-line tool for recovering deleted objects. He followed that up with a GUI version. You can download it for FREE from http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx. Once installed you can “enumerate” the tombstones, preview the attributes and restore. Once the object is restored you may still need to move it to the correct Organizational Unit and add it back to the correct Security Groups, but that is much easier than migrating data from a deleted account.
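The same enumerate, preview and restore sequence can be done without the GUI tool. The script below is an added example, not part of the original post and not Guy Teverovsky’s tool; it uses the RSAT ActiveDirectory PowerShell module and assumes you have rights to read and restore deleted objects. The account name `cpresident` and the group name `PLACEHOLDER-Group` are placeholders. It also assumes Restore-ADObject is permitted to reanimate a bare tombstone in your forest; on forests where the Active Directory Recycle Bin is enabled the restore brings back the attributes a plain tombstone drops (group membership, password, enabled state), so the re-add and enable steps become no-ops.

```powershell
# Added example (not from the original post): enumerate tombstoned user
# objects, preview the attributes a tombstone keeps, check how long the
# tombstone lifetime gives you, and reanimate a chosen account.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The forest-wide tombstone lifetime lives on the Directory Service object
    # in the configuration partition; tombstones are purged once it expires.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60   # attribute unset means the default of 60 days applies
}

function Find-TombstonedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects are only returned when -IncludeDeletedObjects is given.
    # They sit in CN=Deleted Objects with isDeleted = TRUE and a mangled name.
    # sAMAccountName, objectSid and lastKnownParent are preserved on the
    # tombstone; memberOf and the password are not.
    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq $SamAccountName } `
                 -IncludeDeletedObjects `
                 -Properties sAMAccountName, lastKnownParent, whenChanged, objectSid, isDeleted
}

function Restore-TombstonedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$Tombstone,        # object returned by Find-TombstonedUser
        [string[]]$GroupsToRejoin = @(),          # memberOf is NOT kept on a tombstone
        [string]$TargetOU                         # defaults to the original parent OU
    )
    if (-not $TargetOU) { $TargetOU = $Tombstone.lastKnownParent }
    # The tombstone RDN is "<OldName>\0ADEL:<objectGUID>"; keep the part before the null.
    $newName = ($Tombstone.Name -split "`0")[0]
    if ($PSCmdlet.ShouldProcess($Tombstone.DistinguishedName, "Restore to $TargetOU")) {
        Restore-ADObject -Identity $Tombstone.ObjectGUID -NewName $newName -TargetPath $TargetOU
        foreach ($g in $GroupsToRejoin) {
            Add-ADGroupMember -Identity $g -Members $Tombstone.sAMAccountName
        }
        # Plain tombstone reanimation does not preserve userAccountControl or the
        # password, so the account returns disabled; enable it and reset the
        # password afterwards with Set-ADAccountPassword.
        Enable-ADAccount -Identity $Tombstone.sAMAccountName
    }
}

# Usage (placeholder values):
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
$t = Find-TombstonedUser -SamAccountName 'cpresident'
$t | Select-Object Name, lastKnownParent, whenChanged, objectSid | Format-List
# Dry run first, then drop -WhatIf to perform the restore.
Restore-TombstonedUser -Tombstone $t -GroupsToRejoin 'PLACEHOLDER-Group' -WhatIf
```

Run the lifetime check first: if the deletion happened more than that many days ago the tombstone is gone and only the System State restore in the KB article above will help. The `-WhatIf` dry run shows the target OU and name before anything is written, which matters because a reanimated object lands wherever `-TargetPath` points and with whatever name you give it.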