Sunday, April 5, 2015

Restoring a single Active Directory Object without using Backup Software

Starting with Windows 2008 R2, Microsoft introduced the Active Directory Recycle Bin. This is great for recovering objects back into AD if they are accidentally deleted. In order to use the Recycle Bin feature your forest must be running at the Windows 2008 R2 functional level. If your forest is at this level, you simply run a PowerShell command to enable it.
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
Below is a sample for enabling it for domain.com (note that enabling the Recycle Bin cannot be undone):
Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -Scope ForestOrConfigurationSet -Target domain.com
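Because enabling the feature is a one-way change, an added example (not from the original post) that checks the forest functional level and whether the feature is already on before running the command above. It assumes the ActiveDirectory module is loaded and uses domain.com, the post's sample forest name:

```powershell
# Added example: verify prerequisites, then enable the AD Recycle Bin.
Import-Module ActiveDirectory

$forest = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

# The Recycle Bin needs the whole forest at 2008 R2 level or higher; every DC
# must already be 2008 R2 or later before the forest mode can be raised.
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it to at least Windows2008R2Forest first."
}

# EnabledScopes is empty until the feature has been turned on.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes) {
    Write-Host "Recycle Bin already enabled for: $($rb.EnabledScopes -join ', ')"
    return
}

# Irreversible: once enabled, the feature cannot be disabled again.
Enable-ADOptionalFeature -Identity $rb.DistinguishedName `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$true

# Confirm it took effect; replication to all DCs may take a little while.
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
```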

Once the Recycle Bin is enabled, you can use LDP.exe to restore deleted objects. By default the container that holds the deleted objects is not displayed. The following steps will allow you to see it.

To display the Deleted Objects container
  1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
  2. On the Options menu, click Controls.
  3. In the Controls dialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.
  4. To verify that the Deleted Objects container is displayed:
    1. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
    2. Click View, click Tree, and in BaseDN, type DC=<domain>,DC=<com>, where <domain> and <com> represent the appropriate forest root domain name of your AD DS environment.
    3. In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=<domain>,DC=<com> container, where <domain> and <com> represent the appropriate forest root domain name of your AD DS environment.


Once you have enabled the container to be displayed, you can now restore deleted objects from Active Directory. Below are the steps to recover a single item from the recycle bin using LDP.exe.
To restore a deleted Active Directory object using Ldp.exe
  1. Open Ldp.exe from an elevated command prompt. To open a command prompt (Cmd.exe) as an administrator, click Start, type Command Prompt in Start Search, right-click Command Prompt at the top of the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
  3. On the Options menu, click Controls.
  4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
  5. In the console tree, navigate to the CN=Deleted Objects container.
  6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
  7. In the Modify dialog box:
    1. In Edit Entry Attribute, type isDeleted.
    2. Leave the Values box empty.
    3. Under Operation, click Delete, and then click Enter.
    4. In Edit Entry Attribute, type distinguishedName.
    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
    6. Under Operation, click Replace.
    7. Make sure that the Extended check box is selected, click Enter, and then click Run.
A key point to understand and remember with AD Recycle Bin is that you must restore hierarchically; a parent object must be restored before a child object. So if you were to delete an entire OU and all its contents, you must first restore the OU before you can restore its contents.
For more information on how to restore multiple objects and OUs please use this link. 
http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx#BKMK_1
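The same hierarchical restore, parent before children, done from PowerShell instead of clicking through LDP.exe. This is an added example, not code from the original post or the linked article; it assumes the ActiveDirectory module, a forest with the Recycle Bin enabled, and that the OU's contents were deleted together with the OU so their lastKnownParent still holds the OU's original DN. "Sales" and the domain are constructed sample values:

```powershell
# Added example: restore a deleted OU from the AD Recycle Bin, then its contents level by level.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$deletedCN = $domain.DeletedObjectsContainer     # CN=Deleted Objects,DC=...
$ouName    = 'Sales'                             # constructed: last known RDN of the deleted OU
$ouParent  = $domain.DistinguishedName           # constructed: where the OU used to live

# Without the Recycle Bin only attribute-stripped tombstones exist, so refuse to continue.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

function Restore-DeletedChildren {
    param([Parameter(Mandatory)][string] $ParentDN)
    # Children can only be restored once $ParentDN exists again; the caller
    # guarantees that by restoring the parent before calling this function.
    $children = Get-ADObject -SearchBase $deletedCN -IncludeDeletedObjects `
        -Filter "lastKnownParent -eq '$ParentDN'" -Properties 'msDS-LastKnownRDN'
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID -ErrorAction Stop
        # The object is back under its original DN; recurse for anything that lived below it.
        $liveDN = (Get-ADObject -Identity $child.ObjectGUID).DistinguishedName
        Write-Host "Restored $liveDN"
        Restore-DeletedChildren -ParentDN $liveDN
    }
}

# 1. Locate the deleted OU by its last known name and parent (the top of the hierarchy).
$ou = @(Get-ADObject -SearchBase $deletedCN -IncludeDeletedObjects `
    -Filter "msDS-LastKnownRDN -eq '$ouName' -and lastKnownParent -eq '$ouParent'")
if ($ou.Count -ne 1) {
    throw "Expected exactly one deleted OU named '$ouName' under $ouParent, found $($ou.Count)."
}

# 2. Restore the OU first ...
Restore-ADObject -Identity $ou[0].ObjectGUID -ErrorAction Stop
$ouDN = (Get-ADObject -Identity $ou[0].ObjectGUID).DistinguishedName
Write-Host "Restored $ouDN"

# 3. ... and only then everything that was inside it.
Restore-DeletedChildren -ParentDN $ouDN
```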


What if you need to restore objects from Active Directory and you do not have the Recycle Bin enabled, or you are not able to raise your forest to the Windows 2008 R2 level? You can always restore from backup, but that requires downtime and restoring the backup onto a domain controller in Directory Services Restore Mode.
Instead of going through all that you can use the adrestore.exe tool. This is a quick-and-dirty method of getting an object back into Active Directory. It works by locating objects that have been tombstoned and restoring (reanimating) them. The important part is that the user is restored with the same GUID in Active Directory, so all the permissions assigned to that user are preserved. But there are some limitations to this method. The first is that restored objects need their group membership and other attributes re-created. The second is that if you restore an OU and the users that were in that OU, you need to locate the users and move them back into the OU.
  1. Download ADRestore.exe and drop it on the C: drive of a domain controller.
  2. From the command line, navigate to the C: drive and enter the following command: adrestore -r
  3. You will be prompted to accept the License Agreement.
  4. It will then find all the tombstoned objects and prompt you whether to restore each one.
    1. Press N for objects you do not want to restore and Y for the objects you do want to restore.

      In this example (screenshots not reproduced here) the temp user account was deleted.
      Running the adrestore -r command found the deleted account and allowed it to be restored.

  5. Find the user in the Active Directory Users and Computers console. Notice the objects are disabled.
  6. You will need to reset the password in order to enable them. Once you have them enabled you will have to manually add them back into the correct groups, set up any profiles, reconnect mailboxes, etc…
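The clean-up after an adrestore.exe reanimation, scripted. This is an added example, not from the original post or from the adrestore tool; it assumes the ActiveDirectory module, the post's "temp" account, and a constructed list of groups taken from your own documentation of what the account used to belong to:

```powershell
# Added example: finish a tombstone reanimation (reset password, enable, re-add groups).
Import-Module ActiveDirectory

$sam    = 'temp'                              # the reanimated account from the post
$groups = @('Sales Staff', 'VPN Users')       # constructed: groups it belonged to before deletion

$user = Get-ADUser -Identity $sam -Properties Enabled, MemberOf, DisplayName, UserPrincipalName

# The whole point of reanimation is that objectGUID and objectSid survive the tombstone,
# so existing ACLs still resolve to this account. Record them for the change ticket.
Write-Host "Reanimated $sam  GUID=$($user.ObjectGUID)  SID=$($user.SID)"

if (-not $user.Enabled) {
    # A reanimated account has no usable password, so it must be reset before it can be enabled.
    $pw = Read-Host -AsSecureString 'New temporary password'
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $pw
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # force the user to change it
    Enable-ADAccount -Identity $user
}

# Group links are stripped from tombstones; re-add only what is missing.
foreach ($g in $groups) {
    $groupDN = (Get-ADGroup -Identity $g).DistinguishedName
    if ($user.MemberOf -notcontains $groupDN) {
        Add-ADGroupMember -Identity $g -Members $user
        Write-Host "Re-added $sam to $g"
    }
}

# Most other attributes are also gone (displayName, UPN, profile paths, mailbox links),
# so list what came back instead of assuming the account is complete.
Get-ADUser -Identity $sam -Properties DisplayName, UserPrincipalName, MemberOf |
    Select-Object SamAccountName, Enabled, DisplayName, UserPrincipalName,
                  @{ n = 'GroupCount'; e = { $_.MemberOf.Count } }
```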
