AD cmdlets for object undelete

Another great new feature in Quest’s free AD cmdlets 1.2 is ability to locate deleted (tombstoned) Active Directory objects and restore them back.

Locating is very straight-forward: you just add the -Tombstone switch to the Get-* cmdlet of your choice and now your query searches deleted rather than live objects.

Restoring is even easier – all you need is pipeline the deleted objects into Restore-QADDeletedObject.

And the best thing of all is that this works great with Windows 2003 Active Directory – so you can start taking advantage of the feature right away!

For example:

# List all tombstoned user accounts
Get-QADUser -Tombstone

# Restore accounts deleted from a specific OU
Get-QADUser -Tombstone -LastKnownParent 'OU=People,DC=company,dc=local' | Restore-QADDeletedObject

# Restore accounts deleted today
Get-QADUser -Tombstone –LastChangedOn (get-date) | Restore-QADDeletedObject

# Restore a specific deleted user
Get-QADUser -Tombstone –Name 'John Smith*' | Restore-QADDeletedObject

One gotcha to keep in mind is that when objects are tombstoned computer and user objects are stored in AD exactly the same way. This makes Get-QADUser actually return both user and computer objects. Shay found this workaround to make sure that only user objects are returned:

# Return all tombstoned user accounts but no computer objects
Get-QADUser -Tombstone -SizeLimit 0 -ldap '(&(!samAccountName=*$))'

Other Get-* cmdlets which now have these -Tombstone and -LastKnownParent parameters are:

For more information on what a tombstoned object is and how tombstone-based undelete is different from full recovery see Gil’s article here.


10 Responses to “AD cmdlets for object undelete”

  1. 1 tojo2000 May 8, 2009 at 1:46 am

    Did you ever know that you’re my hero?

  2. 2 Mike Kline May 8, 2009 at 4:32 am

    Wow very nice features here Dmitry.

    I dont’ think powershell would be embraced at all in the AD community without these cmdlets


  3. 3 Alan McBurney June 18, 2009 at 7:35 am

    One thing to be aware of is that the cmdlet doesn’t restore group membership properties for the object but simply makes it a member of domain users.

    Just a heads up on this as it may cause some issues if people aren’t aware.


  4. 4 Dmitry Sotnikov June 18, 2009 at 7:44 am

    Good point Alan. Please see this TechNet article for full list of limitations:

  5. 5 Dmitry Sotnikov June 22, 2009 at 5:42 pm


    See this post for information on cmdlets which do full undelete (with group membership, etc.) as well as any attribute change rollback:


  6. 6 Robert July 14, 2009 at 2:24 pm

    again, did you ever know you are my hero too! holy crap! this is a life savor.
    after reading the LDP.exe document. my gosh this is a life savor!

    who knew??? hhahaah yeah!!!!!!!!!!! the way it should be! not a 20 pages doc on how to recover 1 deleted user sheeeeshh!

  7. 7 Dmitry Sotnikov July 14, 2009 at 2:39 pm

    Robert, glad you like it! 🙂

  1. 1 AD Recovery from PowerShell « Dmitry’s PowerBlog: PowerShell and beyond Trackback on June 22, 2009 at 10:04 am
  2. 2 LDP.exe - IT Certification Forums Trackback on August 22, 2009 at 1:07 am
  3. 3 More on AD Recycle Bin « Dmitry’s PowerBlog: PowerShell and beyond Trackback on September 24, 2009 at 10:34 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

May 2009

%d bloggers like this: