JSI Tip 8000. How do I restore deleted user accounts and their group memberships in Active Directory?

Microsoft Knowledge Base Article 840001 contains the following summary:

You can use two methods to restore deleted user accounts, computer accounts, and security groups. These objects are known collectively as security principals. In both methods, you authoritatively restore the deleted objects, and then you restore group membership information for the deleted security principals. When you restore a deleted object, you must restore the former values of the member and memberOf attributes in the affected security principal. The two methods are:

Method 1: Restore the deleted user accounts, and then add the restored users back to their groups
Method 2: Authoritatively restore the deleted user accounts and the deleted users' security groups two times
Method 1 provides a better experience for domain users and administrators because it preserves the additions to security groups that were made between the time of the last system state backup and the time the deletion occurred. In method 2, instead of making individual adjustments to security principals, you roll back security group memberships to their state at the time of the last backup.

If you do not have a valid backup of the system state, and the domain where the deletion occurred contains Windows Server 2003-based domain controllers, you can manually or programmatically recover the deleted objects. You can also use the Repadmin utility to determine when and where a user was deleted.

Most large-scale deletions are accidental. Microsoft recommends that you take several steps to prevent others from deleting objects in bulk.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish