Knowing that deleted Active Directory objects are not erased immediately, but only after 60 (Windows 2000/2003) or 180 days (Windows 2003 SP1/2008), can save your day if you accidentally delete user, computer or container objects. I have reviewed two free tools that allow you to restore deleted AD objects (Quest Object Restore for Active Directory and ADRestore.NET). These tools can recover objects that are marked for deletion, so-called "tombstone" objects. The technical term for this process is tombstone reanimation. Who knows? If you accidentally delete your boss' account, then this term might take on a literal meaning. 😉


A downside of tombstone reanimation is that by default, important attributes are stripped from AD objects when they are deleted. For example, user objects' last and first name attributes are not saved in tombstone objects. Perhaps even more problematic is that the password is blank after you restore a deleted user object, which means that you won't be able to keep it a secret that you have accidentally deleted user accounts.

The good news is that you can configure the Active Directory schema to store additional attributes in tombstone objects. The bad news is that the procedure is a bit complicated. Furthermore, this method can't be used to restore group memberships of computer and user objects. The latter shouldn't be a big deal if you've deleted only a few objects; but if the number of objects that have to be restored is too big, then you had better use your backup tool to recover Active Directory.

The main advantage of tombstone reanimation compared to other restore methods is that once everything is configured, restoring Active Directory objects costs only a couple of mouse clicks. You don't have to take your domain offline, which is necessary if you restore a backup.

To configure the attributes that are stored with the tombstone objects, you need a tool that allows you to edit Active Directory schema objects. I will use ADSI Edit in this description. This program is part of the Windows Server 2003 Support Tools (Adminpak), which can be found on the product CD. The latest version can also be downloaded. On a Windows Server 2008 machine, you can just add the Active Directory Lightweight Directory Services Tools feature, which belongs to the Remote Server Administration Tools. For Windows Vista, you have to download and install RSAT.

Note: Editing the Active Directory Schema is recommended only for advanced system administrators. In any case, you should make a backup of your Active Directory database before you mess with its schema.

In this example, we will configure the First name attribute to be stored in a tombstone object whenever a user object is deleted. The First name attribute corresponds to the Given-Name object, which you can find in the Schema hive in ADSI Edit. Double clicking the Given-Name object allows you to edit its properties. The searchFlags property is the one that will interest us here.

The searchFlags attribute also controls other behaviors. Its default value for the Given-Name schema object is 5, which corresponds to the binary number 00000101. You have to set bit 3 (the fourth position from the right, since the rightmost position is called bit 0) if you want the first name to be saved in the tombstone. The other bits must remain unchanged, which gives 00001101. The value has to be entered as an integer, so you have to change the attribute's value to 13. If you are unfamiliar with binary numbers, then you can use the Windows Calculator in scientific mode. It allows you to convert integers into binary numbers and vice versa.

Well, I told you it is a bit complicated. What makes things even more complicated is that the schema objects' names are sometimes different from the names of the attributes in the Active Directory Users and Computers (ADUC) interface. Here are a few "translations" of common user object attributes:

First name = Given-Name
Last name = Surname
Initials = Initials
Display name = Display-Name
Description = Description
Office = Physical-Delivery-Office-Name
Telephone number = Telephone-Number
E-mail = E-mail-Addresses
Web-page = WWW-Home-Page

A few more translations can be found here.

If you want all these attributes stored in tombstone objects, then you have to set, for each of them, bit 3 in the searchFlags attribute of the corresponding schema object.

A schema object also controls the user password behavior: the Unicode-Pwd object. Its searchFlags attribute is 0 by default. Thus, to set bit 3, you have to enter the integer 8 (binary 1000). By the way, the schema object User-Password does not influence the tombstone object.
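The ADSI Edit procedure above has to be repeated once per schema object, and typing raw integers is where mistakes creep in (overwriting the other bits instead of adding bit 3). The following script is an added example, not code from the original article, that does the same thing for all the schema objects listed above with a bitwise OR, so existing flags such as indexing are left alone. It assumes the ActiveDirectory PowerShell module from RSAT is installed, that the account running it is a member of Schema Admins, and that the schema master is reachable; the function names are my own.

```powershell
# Added example (not from the original article): set searchFlags bit 3 on the schema
# attributes discussed above so their values are kept in tombstone objects.
# Assumes the ActiveDirectory module (RSAT) and membership in Schema Admins.
Import-Module ActiveDirectory

# Bit 3 of searchFlags (value 8) marks an attribute to be preserved on deletion.
$PreserveOnDelete = 8

# Schema object names (CN) exactly as shown in ADSI Edit; Unicode-Pwd keeps the password.
$SchemaObjects = @(
    'Given-Name', 'Surname', 'Initials', 'Display-Name', 'Description',
    'Physical-Delivery-Office-Name', 'Telephone-Number', 'E-mail-Addresses',
    'WWW-Home-Page', 'Unicode-Pwd'
)

# Schema changes can only be written on the schema master, so target it explicitly.
$SchemaMaster = (Get-ADForest).SchemaMaster
$SchemaNC     = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext

function Get-TombstoneFlagReport {
    # Report the current searchFlags value and whether bit 3 is already set.
    foreach ($cn in $SchemaObjects) {
        $obj = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
                            -LDAPFilter "(cn=$cn)" -Properties searchFlags
        if (-not $obj) { Write-Warning "Schema object '$cn' not found"; continue }
        $flags = [int]$obj.searchFlags
        [pscustomobject]@{
            SchemaObject = $cn
            searchFlags  = $flags
            Binary       = [Convert]::ToString($flags, 2).PadLeft(8, '0')
            Preserved    = (($flags -band $PreserveOnDelete) -ne 0)
        }
    }
}

function Enable-TombstonePreservation {
    # Supports -WhatIf so the change can be previewed before the schema is touched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($cn in $SchemaObjects) {
        $obj = Get-ADObject -Server $SchemaMaster -SearchBase $SchemaNC `
                            -LDAPFilter "(cn=$cn)" -Properties searchFlags
        if (-not $obj) { Write-Warning "Schema object '$cn' not found"; continue }
        $current = [int]$obj.searchFlags
        # OR the bit in rather than overwriting the value, so the other bits stay
        # unchanged: Given-Name 5 (00000101) becomes 13 (00001101), Unicode-Pwd 0 becomes 8.
        $new = $current -bor $PreserveOnDelete
        if ($new -eq $current) { Write-Verbose "$cn already preserved"; continue }
        if ($PSCmdlet.ShouldProcess($cn, "searchFlags $current -> $new")) {
            Set-ADObject -Server $SchemaMaster -Identity $obj.DistinguishedName `
                         -Replace @{ searchFlags = $new }
        }
    }
}

# Review the current state, preview the change, then apply it by dropping -WhatIf.
Get-TombstoneFlagReport | Format-Table -AutoSize
Enable-TombstonePreservation -WhatIf
# Enable-TombstonePreservation
```

Run the report again after applying the change to confirm that bit 3 is set on every object, and keep the first report as a record of the original values in case you ever need to revert them. As noted below, the change is not effective until the schema cache is reloaded or the refresh interval has elapsed.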

Please note that changes to the schema don't take effect immediately. You have to wait up to five minutes. However, you can "Reload the Schema" instantly with the Active Directory Schema snap-in.


One final note: Some applications change the Active Directory schema during installation. Usually, they inform you about it. You should check the schema objects you have changed after installing such an application.

  1. Stephen 11 years ago

    For anyone looking for a free AD object restoration solution that you can download instantly and use at no cost, I recommend NetWrix AD Object Restore Wizard. The NetWrix tool, which is available in 2 versions—freeware (which is good for time unlimited business usage) and commercial (with extra functionality), allows quick recovery of deleted and modified objects in Windows 2003 or 2008 Active Directory without rebooting a domain controller. Moreover, unlike the above-mentioned tools, it goes beyond the standard tombstone capabilities in Active Directory and stores more information than what is normally preserved in the AD tombstone. Therefore, it's much more reliable than other tools based on the standard Microsoft Tombstone Reanimation interface. Additionally, as opposed to some other tools on the market, Active Directory Object Restore Wizard is extremely easy to use, so I can definitely recommend taking a look at the NetWrix tool alongside any other AD object recovery solution.
    Download the free tool:
    Stephen Schimmel
    Product Manager
    NetWrix Corporation


  2. Alan 9 years ago

    Use ADrestore, netwrix leaves the object empty and unusable.

    You will get this: "Windows cannot enable object because the requested object has a non-unique identifier and cannot be retrieved".


© 4sysops 2006 - 2021


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account