Sysinternals' AdRestore lets you restore deleted Active Directory (AD) objects. This free tool has a GUI, which makes it easy to use. However, if you use AdRestore to restore a user account, it restores the account with a disabled status, which means all the account properties (e.g., city, department, phone) are blank after the restore. That's why you need to assign a password before enabling the account.
Windows Server 2008 R2 also has a powerful feature—Active Directory Recycle Bin—that can restore deleted AD objects. Unlike AdRestore, Active Directory Recycle Bin restores user accounts with their properties intact. However, Active Directory Recycle Bin doesn't have a GUI, so you need to use PowerShell 2.0 to run it. I prefer using a GUI to restore deleted AD objects because I find that it's quicker, especially when there are multiple AD objects to restore. So, I devised a solution that lets me use a GUI to recover deleted accounts with their properties intact. It uses both Active Directory Recycle Bin and AdRestore.
Here’s how my solution works. You first enable Active Directory Recycle Bin, which is disabled by default. Before doing so, though, you need to be aware of two important items. First, the forest functional level of your AD environment must be raised to Windows Server 2008 R2 before enabling this feature. Second, once you enable Active Directory Recycle Bin, you can't disable it.
To enable Active Directory Recycle Bin, you need to use PowerShell 2.0's Enable-ADOptionalFeature cmdlet. For example, if your domain name is contoso.com, you'd run the command
Enable-ADOptionalFeature
-Identity 'CN=Recycle Bin Feature,
CN=Optional Features,
CN=Directory Service,
CN=Windows NT,CN=Services,
CN=Configuration,
DC=contoso,DC=com'
-Scope ForestOrConfigurationSet
-Target 'contoso.com'
Although this command wraps here, you'd enter it all on one line in the PowerShell console. Note that you must run this command as an administrator. (For more information about using this command, see the Active Directory Recycle Bin Step-by-Step Guide.)
Once Active Directory Recycle Bin is enabled, the system treats deleted AD objects differently. When you delete an object, it's logically deleted for a certain length of time. During this time, all the AD object's properties are preserved, which means you can recover it with its properties intact. The Microsoft article "What's New in AD DS: Active Directory Recycle Bin" provides an excellent discussion of logically deleted objects.
Although "What's New in AD DS: Active Directory Recycle Bin" doesn't mention it, you can use AdRestore to recover logically deleted objects. AdRestore will restore these objects with their properties intact, and you can use the GUI to make the recovery easier.
