Another great new feature in Quest's free AD cmdlets 1.2 is the ability to locate deleted (tombstoned) Active Directory objects and restore them.
Locating is very straight-forward: you just add the -Tombstone switch to the Get-* cmdlet of your choice and now your query searches deleted rather than live objects.
Restoring is even easier: just pipe the deleted objects into Restore-QADDeletedObject.
And the best thing of all is that this works with Windows Server 2003 Active Directory, so you can start taking advantage of the feature right away (no 2008 R2 Recycle Bin required).
For example:
# List all tombstoned user accounts
Get-QADUser -Tombstone
# Restore accounts deleted from a specific OU
Get-QADUser -Tombstone -LastKnownParent 'OU=People,DC=company,dc=local' | Restore-QADDeletedObject
# Restore accounts deleted today
Get-QADUser -Tombstone -LastChangedOn (Get-Date) | Restore-QADDeletedObject
# Restore a specific deleted user
Get-QADUser -Tombstone -Name 'John Smith*' | Restore-QADDeletedObject
One gotcha to keep in mind: a tombstone keeps only a handful of attributes, and objectCategory (the attribute that normally tells a user apart from a computer) is not one of them. Because a computer object's objectClass also includes user, Get-QADUser -Tombstone returns both user and computer tombstones. Shay found this workaround to make sure that only user objects are returned (computer accounts always have a sAMAccountName ending in '$'):
# Return all tombstoned user accounts but no computer objects
Get-QADUser -Tombstone -SizeLimit 0 -LdapFilter '(!(sAMAccountName=*$))'
Other Get-* cmdlets which now have these -Tombstone and -LastKnownParent parameters are:
For more information on what a tombstoned object is and how tombstone-based undelete is different from full recovery see Gil’s article here.
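To tie the pieces above together, here is an added example (not from the original post, and not the Quest documentation's own sample) that finds one deleted user by sAMAccountName, shows what would be restored before touching anything, restores it, and then verifies what came back. It assumes the Quest snap-in is installed on the machine, and the account name 'jsmith' is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Quest ActiveRoles
# snap-in is installed; 'jsmith' is a placeholder account name.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$sam = 'jsmith'

# sAMAccountName survives tombstoning, so we can search on it directly.
# The (!(sAMAccountName=*$)) clause is the same trick as above: it drops
# computer accounts, which share objectClass user with real users.
$deleted = Get-QADUser -Tombstone -SizeLimit 0 `
    -LdapFilter "(&(sAMAccountName=$sam)(!(sAMAccountName=*`$)))"

if (-not $deleted) {
    Write-Warning "No tombstone found for $sam"
    return
}

# Show the candidates first. A tombstone's DN looks like
# 'CN=<name>\0ADEL:<guid>,CN=Deleted Objects,DC=...', so check the
# name and modification date before committing to a restore.
$deleted | Select-Object Name, SamAccountName, DN, ModificationDate |
    Format-Table -AutoSize

$count = @($deleted).Count
if ((Read-Host "Restore $count object(s)? [y/N]") -ne 'y') { return }

# The object goes back under the container recorded in lastKnownParent;
# if that OU was deleted too, restore the OU first or this step fails.
$deleted | Restore-QADDeletedObject | Out-Null

# Verify that the account is a live object again.
$live = Get-QADUser -SamAccountName $sam
if (-not $live) {
    Write-Warning "Restore of $sam did not produce a live object"
    return
}
$live | Select-Object Name, DN | Format-List

# Group memberships are linked attributes that the tombstone did not keep,
# so only the primary group (Domain Users) is present after a restore.
# Re-add the rest from your own records or a backup.
"Groups after restore: $($live.MemberOf -join ', ')"
```

The Read-Host gate is there on purpose: the `-Name 'John Smith*'` style of query above can match more than one tombstone (the same name deleted more than once, or a wildcard that is broader than intended), and a restore is a directory write you would rather review than undo. The last line makes Alan's point from the comments below visible in the output, so nobody is surprised by an account that comes back with no group memberships.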
Did you ever know that you’re my hero?
Wow very nice features here Dmitry.
I don't think PowerShell would be embraced at all in the AD community without these cmdlets.
Thanks
Mike
One thing to be aware of is that the cmdlet doesn't restore group membership properties for the object but simply makes it a member of Domain Users.
Just a heads up on this as it may cause some issues if people aren’t aware.
Alan
Good point Alan. Please see this TechNet article for full list of limitations: http://technet.microsoft.com/en-us/magazine/cc137800.aspx
Alan,
See this post for information on cmdlets which do full undelete (with group membership, etc.) as well as any attribute change rollback: https://dmitrysotnikov.wordpress.com/2009/06/22/ad-recovery-from-powershell/
Dmitry
Again, did you ever know you are my hero too! Holy crap! This is a life saver.
After reading the LDP.exe document, my gosh, this is a life saver!
Who knew??? Hahaha, yeah!!! The way it should be! Not a 20-page doc on how to recover 1 deleted user, sheesh!
Robert, glad you like it! 🙂