Some days ago, I reviewed NetWrix AD Object Restore Wizard, a tool that allows you to undelete Active Directory objects that have accidentally been deleted. Quest Object Restore for Active Directory has the same purpose but works quite differently, as it doesn’t rely on snapshots of the Active Directory database.
The tool makes use of the fact that deleted Active Directory objects are not immediately erased, but instead marked with a so-called “tombstone marker.” The lifetime of tombstone-marked objects depends on which Active Directory version is being used, with a 60-day lifetime for Windows 2000/2003 and 180 days for Windows 2003 SP1/2008. Deleted objects can’t be instantly removed from the Active Directory database, because the information that the object has been marked for future deletion has to be replicated to all domain controllers in the forest.
Quest Object Restore for Active Directory allows you to remove the “isDeleted” attribute (set to TRUE) from tombstone objects, which makes them reappear in all AD management tools. This process is called tombstone reanimation. The Sysinternals command line tool AdRestore has the same functionality. The main difference is that Quest’s tool is much more convenient to use than AdRestore because it has a graphical user interface. All you have to do is select the domain, search for the deleted object, and restore it with a right-click.
Of course, this only works for objects that have not yet been erased from the Active Directory database, i.e. for objects that have been deleted within the last 60 or 180 days. You can, however, change the tombstone lifetime.
The only problem with undeleting tombstone-marked objects is that most of their attributes are not restored. The user's first and last name, for example, will not be restored. Furthermore, user account passwords will be blank after the restoration is performed, and manually configured group memberships will be lost. It is thus necessary to first set the password and then enable the account, so the user will be able to log in again. Note that this method is still better than just re-creating the user object. A restored object will keep its SID, which is essential for authentication. Only in this way will the user be able to access their own files. The same applies to computer objects.
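The procedure above, as an added PowerShell example that is not code from the original post or from Quest or Sysinternals: it performs the same LDAP modify that tombstone reanimation consists of (remove isDeleted, rewrite distinguishedName), then sets the blank password and enables the account. The domain controller, domain, user, target OU and temporary password are assumed values.

```powershell
# Added example, not code from the original post or from Quest/Sysinternals.
# Assumed: DC dc01.example.local, domain example.local, deleted user jdoe, target OU Staff.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$server = 'dc01.example.local'; $sam = 'jdoe'
$domainDn = 'DC=example,DC=local'; $targetOu = "OU=Staff,$domainDn"
$newPassword = 'Temp-P@ssw0rd-change-me'   # assumed one-time password handed to the user
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.Sealing = $true   # Kerberos-encrypted session; AD rejects unicodePwd in clear
$conn.Bind()
# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417): without it tombstones are invisible
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# 1. Locate the tombstone in the hidden Deleted Objects container.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn", "(&(isDeleted=TRUE)(sAMAccountName=$sam))", 'Subtree', 'cn')
[void]$req.Controls.Add($showDeleted)
$entries = $conn.SendRequest($req).Entries
if ($entries.Count -ne 1) { throw "Expected one tombstone for $sam, found $($entries.Count)" }
$tombstone = $entries[0]
# A tombstone's cn is "jdoe<LF>DEL:<objectGUID>"; the original RDN is the part before the line feed.
$rdn = ([string]$tombstone.Attributes['cn'][0] -split "`n")[0]
$newDn = "CN=$rdn,$targetOu"

# 2. Reanimate: AD only accepts the restore if isDeleted is removed and distinguishedName
#    is rewritten to a live container in the SAME modify request, sent with the control.
$restore = New-Object System.DirectoryServices.Protocols.ModifyRequest
$restore.DistinguishedName = $tombstone.DistinguishedName
$del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$del.Name = 'isDeleted'; $del.Operation = 'Delete'          # delete with no values = remove attribute
$mv = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mv.Name = 'distinguishedName'; $mv.Operation = 'Replace'; [void]$mv.Add($newDn)
[void]$restore.Modifications.Add($del); [void]$restore.Modifications.Add($mv)
[void]$restore.Controls.Add($showDeleted)
[void]$conn.SendRequest($restore)

# 3. The reanimated account has a blank password: set unicodePwd (UTF-16LE, in double quotes).
$pw = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$pw.Name = 'unicodePwd'; $pw.Operation = 'Replace'
[void]$pw.Add([Text.Encoding]::Unicode.GetBytes("`"$newPassword`""))
$setPw = New-Object System.DirectoryServices.Protocols.ModifyRequest
$setPw.DistinguishedName = $newDn; [void]$setPw.Modifications.Add($pw)
[void]$conn.SendRequest($setPw)

# 4. Enable it: clear the ACCOUNTDISABLE bit (0x2) in userAccountControl, keeping the other flags.
$uacReq = New-Object System.DirectoryServices.Protocols.SearchRequest($newDn, '(objectClass=*)', 'Base', 'userAccountControl')
$uac = [int]$conn.SendRequest($uacReq).Entries[0].Attributes['userAccountControl'][0]
$en = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$en.Name = 'userAccountControl'; $en.Operation = 'Replace'; [void]$en.Add([string]($uac -band (-bnot 2)))
$enable = New-Object System.DirectoryServices.Protocols.ModifyRequest
$enable.DistinguishedName = $newDn; [void]$enable.Modifications.Add($en)
[void]$conn.SendRequest($enable)
```

Group memberships and most other attributes are still gone after this, exactly as described above; only the SID, sAMAccountName and the handful of attributes AD preserves on tombstones come back.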
These problems are not present when using the NetWrix tool because it can restore attributes. The advantage of Quest Object Restore is that you don’t need to install anything in advance because it uses a built-in Active Directory feature. Moreover, there is a way to store additional attributes in tombstone Active Directory objects. I will explain how to configure this in another post.
Note that Active Directory’s tombstone feature is not a replacement for backups. You should only use it if you have accidentally deleted an object which you want to restore quickly. Quest also has a professional Active Directory backup solution, the Recovery Manager for Active Directory.