Knowing that deleted Active Directory objects are not erased immediately, but only after the tombstone lifetime expires (60 days in forests created with Windows 2000/2003, 180 days in forests created with Windows Server 2003 SP1/2008), can save your day if you accidentally delete user, computer or container objects. I have reviewed two free tools that allow you to restore deleted AD objects (Quest Object Restore for Active Directory and ADRestore.NET). These tools can recover objects that are marked for deletion, so-called "tombstone" objects. The technical term for this process is tombstone reanimation. Who knows? If you accidentally delete your boss's account, this term might take on a literal meaning. 😉
A downside of tombstone reanimation is that, by default, important attributes are stripped from AD objects when they are deleted. For example, a user object's first and last name attributes are not kept in its tombstone. Perhaps even more problematic is that the password is blank after you restore a deleted user object, which means that you won't be able to keep it a secret that you have accidentally deleted user accounts.
The good news is that you can configure the Active Directory schema to store additional attributes in tombstone objects. The bad news is that the procedure is a bit complicated. Furthermore, this method can't be used to restore the group memberships of computer and user objects: membership lives in the group's linked member attribute, and links to a deleted object are removed rather than preserved in its tombstone. The latter shouldn't be a big deal if you've deleted only a few objects; but if the number of objects that have to be restored is too big, then you had better use your backup tool to recover Active Directory.
The main advantage of tombstone reanimation compared to other restore methods is that, once everything is configured, restoring Active Directory objects costs only a couple of mouse clicks. You don't have to take a domain controller offline into Directory Services Restore Mode, which is necessary for an authoritative restore from backup.
To configure the attributes that are stored with the tombstone objects, you need a tool that allows you to edit Active Directory schema objects. I will use ADSI Edit in this description. This program is part of the Windows Server 2003 Support Tools, which can be found in the Support\Tools folder on the product CD; the latest version can also be downloaded. On a Windows Server 2008 machine, you can just add the Active Directory Lightweight Directory Services Tools feature, which belongs to the Remote Server Administration Tools. For Windows Vista, you have to download and install RSAT.
Note: Editing the Active Directory schema is recommended only for advanced system administrators. Schema changes are forest-wide and must be made on the schema master, so in any case you should make a backup of your Active Directory database before you mess with its schema.
In this example, we will configure the First name attribute to be stored in a tombstone object whenever a user object is deleted. The First name attribute corresponds to the Given-Name schema object, which you can find in the Schema naming context in ADSI Edit. Double-clicking the Given-Name object allows you to edit its properties. The searchFlags property is the one that will interest us here.
The searchFlags attribute is a bit mask that also controls other behaviors, such as whether the attribute is indexed (bit 0, value 1) and whether it is included in ambiguous name resolution (bit 2, value 4). Its default value for the Given-Name schema object is 5, which corresponds to the binary number 00000101, i.e. indexed plus ANR. You have to set bit 3 (the fourth position from the right, as the first position is called bit 0; value 8) if you want the first name to be saved in the tombstone. The other bits must remain unchanged: 00001101. The value has to be entered as an integer, so you have to change the attribute's value to 13. If you are unfamiliar with binary numbers, you can use the Windows Calculator in scientific mode; it converts integers into binary numbers and vice versa.
Well, I told you it is a bit complicated. What makes things even more complicated is that the schema objects' names are sometimes different from the names of the attributes in the Active Directory Users and Computers (ADUC) interface. Here are a few "translations" of common user object attributes:
First name = Given-Name (lDAPDisplayName: givenName)
Last name = Surname (sn)
Initials = Initials (initials)
Display name = Display-Name (displayName)
Description = Description (description)
Office = Physical-Delivery-Office-Name (physicalDeliveryOfficeName)
Telephone number = Telephone-Number (telephoneNumber)
E-mail = E-mail-Addresses (mail)
Web page = WWW-Home-Page (wWWHomePage)
A few more translations can be found here.
If you want all these attributes stored in tombstone objects, then you have to set bit 3 in the searchFlags attribute of each corresponding schema object, keeping whatever other bits are already set.
The user password is controlled by another schema object, Unicode-Pwd (lDAPDisplayName unicodePwd). Its searchFlags attribute is 0 by default, so to set bit 3 you have to enter the integer 8 (binary 1000). By the way, the schema object User-Password (userPassword) does not influence the tombstone object, so setting its bit does not bring the password back.
Please note that changes to the schema don't take effect immediately, because domain controllers refresh their schema cache on a schedule; you may have to wait up to five minutes. However, you can "Reload the Schema" instantly with the Active Directory Schema snap-in, or by writing the value 1 to the schemaUpdateNow attribute of rootDSE on the schema master.
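The same procedure, scripted: the following PowerShell is an added example and is not code from the original article. It sets bit 3 of searchFlags on the schema objects for the attributes listed above (plus Unicode-Pwd), leaves the other bits alone, and then triggers the schema reload described in the previous paragraph. It assumes the ActiveDirectory PowerShell module from RSAT (Windows Server 2008 R2 or later, which the article does not mention), that you run it as a member of Schema Admins, and that the attribute list in the parameter default is the one you want; the script name in the usage note is hypothetical.

```powershell
<#
  Added example (not from the original article): set the "preserve on delete"
  bit (bit 3, value 0x8) in searchFlags for a list of schema attributes, so
  their values survive in tombstone objects, then reload the schema cache.
  Assumptions: ActiveDirectory module (RSAT, Windows Server 2008 R2+) installed,
  caller is a member of Schema Admins, schema master is reachable.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # LDAP display names, not the CNs shown in ADSI Edit (Given-Name -> givenName)
    [string[]]$Attributes = @(
        'givenName', 'sn', 'initials', 'displayName', 'description',
        'physicalDeliveryOfficeName', 'telephoneNumber', 'mail', 'wWWHomePage',
        'unicodePwd'   # the password; userPassword would not help here
    )
)

Import-Module ActiveDirectory -ErrorAction Stop

$PreserveOnDelete = 0x8   # fPRESERVEONDELETE: keep the value in the tombstone

# Schema writes are only accepted by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($ldapName in $Attributes) {
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
        -Properties searchFlags

    if (-not $attr) {
        Write-Warning "No attributeSchema object with lDAPDisplayName '$ldapName' found"
        continue
    }

    $current = [int]$attr.searchFlags   # attribute absent on the object -> 0
    if ($current -band $PreserveOnDelete) {
        Write-Host ("{0,-28} searchFlags={1,-4} bit 3 already set" -f $attr.Name, $current)
        continue
    }

    # OR in bit 3 only, so index/ANR bits stay as they are (5 -> 13, 0 -> 8).
    $new = $current -bor $PreserveOnDelete
    if ($PSCmdlet.ShouldProcess("$($attr.Name) ($ldapName)", "searchFlags $current -> $new")) {
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = $new }
    }
}

# Reload the schema cache now instead of waiting for the next scheduled refresh.
if ($PSCmdlet.ShouldProcess($schemaMaster, 'Reload schema cache (schemaUpdateNow=1)')) {
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}
```

Run it first as `.\Set-TombstonePreserve.ps1 -WhatIf` (hypothetical file name): nothing is written, but the output shows each attribute's current searchFlags value and the value it would get. That dry run also serves as the check you should repeat after installing an application that modifies the schema, because any attribute that has lost bit 3 shows up as a pending change.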
One final note: Some applications change the Active Directory schema during installation. Usually, they inform you about it. You should re-check the searchFlags values of the schema objects you have changed after installing such an application.