Restore Deleted Objects


When an object is deleted from Active Directory, it is not immediately erased, but is only marked for deletion. Deleted objects can be recovered from Active Directory within a specific retention period, which is 180 days by default.

In this tutorial, you will learn how to use Adaxes Web Interface and Administration Console to restore objects deleted from Active Directory, how to enable the Active Directory Recycle Bin feature on your domains, and how to delegate permissions to users to restore deleted objects.

Recycle Bin

Although Adaxes allows restoring deleted objects without Recycle Bin enabled, it is strongly recommended to enable the feature. With Recycle Bin enabled, objects are restored with all their properties preserved; without it, objects are restored only partially.

The process of enabling Recycle Bin is irreversible. Once enabled, it cannot be disabled.

To enable Active Directory Recycle Bin, the functional level of your Active Directory forest must be Windows Server 2008 R2 or higher. This means that all domain controllers within the forest must be running at least Windows Server 2008 R2.
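Because enabling Recycle Bin cannot be undone, it is worth confirming the prerequisite and the current state first. The following is an added example, not part of Adaxes or the original tutorial; it assumes the Microsoft ActiveDirectory PowerShell module (RSAT) is installed, and the function name `Get-RecycleBinReadiness` is hypothetical.

```powershell
# Added example: read-only pre-check before enabling AD Recycle Bin.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Get-RecycleBinReadiness {
    # Prerequisite: forest functional level Windows Server 2008 R2 or higher.
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $levelOk  = $forest.ForestMode -ge $required

    # The optional feature object lists the scopes where it is already enabled.
    # An empty EnabledScopes list means Recycle Bin has not been turned on.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    $enabled = [bool]($feature -and $feature.EnabledScopes.Count -gt 0)

    # Retention settings are stored on the Directory Service object in the
    # configuration partition. An empty value means the attribute is not set
    # explicitly and the directory's default applies.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dirSvcDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dirSvc   = Get-ADObject -Identity $dirSvcDn `
                    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    [pscustomobject]@{
        Forest                    = $forest.Name
        ForestMode                = $forest.ForestMode
        FunctionalLevelOk         = $levelOk
        RecycleBinEnabled         = $enabled
        EnabledScopes             = $feature.EnabledScopes
        TombstoneLifetimeDays     = $dirSvc.tombstoneLifetime
        DeletedObjectLifetimeDays = $dirSvc.'msDS-DeletedObjectLifetime'
    }
}

Get-RecycleBinReadiness | Format-List
```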

To find all AD domains with Recycle Bin disabled, you can use the Domains with Recycle Bin disabled report:

  • Launch Adaxes Administration Console.
  • Expand your Adaxes service and select Reports.
  • Type Recycle Bin in the Type report name edit box located to the right.

  • Select the Domains with Recycle Bin disabled report and click Generate.

To enable Recycle Bin for a domain:

  • Right-click the domain for which you want to enable Recycle Bin.
  • Point to All Tasks, and click Enable Recycle Bin.

Permissions

The permissions to restore deleted Active Directory objects, like any other permissions in Adaxes, are granted with the help of Security Roles. You can allow users to restore all types of Active Directory objects, or just specific object types, like users, groups or computers.

To allow restoring deleted objects, a Security Role must contain the Restore Deleted Objects permission.

  • Launch Adaxes Administration Console.
  • Expand your Adaxes service, then expand Configuration and Security Roles.
  • Select the Security Role you want to modify.

  • In the Permissions section located to the right, click Add.

  • In the Operations on child objects list, check the Restore Deleted Objects permission in the Allow column.

  • To allow restoring only specific types of Active Directory objects, click Select object types and select the object types you need.

  • Click OK and then click Save changes.

For the Restore Deleted Objects permission to take effect, a Security Role must be assigned over containers, Organizational Units and domains. The permission will not apply when a Security Role is assigned over members of groups and Business Units, because deleted objects are not members of any group or Business Unit.

  • To restore an object, users must have the Restore Deleted Objects permission for the Organizational Unit or container where the object was located before deletion.
  • To restore an object to a new location, users must have the permission to restore deleted objects in both old and new locations.
  • If the Organizational Unit or container where the object was located doesn't exist, to restore the object, users must have the Restore Deleted Objects permission applied to the whole AD domain of the object.
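To see which scope a restore permission has to cover for each deleted object, you can read the `lastKnownParent` attribute that Active Directory keeps on deleted objects. This is an added example, not part of Adaxes or the original tutorial; it assumes the Microsoft ActiveDirectory PowerShell module and an account allowed to read the Deleted Objects container, and the `PermissionScope` column is a hypothetical name that simply applies the three rules above.

```powershell
# Added example: list deleted objects and the scope over which the
# Restore Deleted Objects permission must apply, per the rules above.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# -IncludeDeletedObjects is required; the container itself is filtered out.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -Properties lastKnownParent, whenChanged

$deleted | ForEach-Object {
    $parent = [string]$_.lastKnownParent

    # When the parent was deleted too, its DN is rewritten to contain
    # "\0ADEL:<guid>", so the original container no longer exists.
    $parentGone = (-not $parent) -or ($parent -match '\\0ADEL:')

    [pscustomobject]@{
        # Name of a deleted object is "<name><newline>DEL:<guid>"; keep the first part.
        Name            = ($_.Name -split "`n")[0]
        ObjectClass     = $_.ObjectClass
        DeletedOrMoved  = $_.whenChanged
        LastKnownParent = $parent
        ParentExists    = -not $parentGone
        # Original OU/container if it still exists, otherwise the whole domain.
        PermissionScope = if ($parentGone) { $domainDn } else { $parent }
    }
} | Sort-Object PermissionScope, Name |
    Format-Table Name, ObjectClass, ParentExists, PermissionScope -AutoSize
```

Restoring to a different location additionally requires the permission on the target container, which this listing does not evaluate.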

Apart from restoring deleted Active Directory objects, it is also possible to restore Adaxes configuration objects, such as Security Roles, Property Patterns, Business Units, and Scheduled Tasks. To delegate the permission to restore Adaxes configuration objects, a Security Role must be assigned over the Configuration Objects scope.

Using Logs to Restore Objects

You can use Adaxes log records to restore deleted objects. To get access to the logs, you can either use the Logging view in Adaxes Administration Console, or reports based on log records.

To restore deleted objects using the Logging view:

  • Launch Adaxes Administration Console.
  • Expand your Adaxes service and select Logging.
  • Select Delete in the Filter Operation drop-down list located to the right.

  • Right-click a record for a delete operation and click Restore in the context menu.

Using Reports to Restore Objects

Adaxes provides a number of reports on deleted Active Directory objects, such as Recently deleted users or Recently deleted OUs. You can use the reports to restore deleted objects.

To restore objects using reports in Adaxes Web Interface:

  • Click the Reports drop-down located in the header and type Recently deleted in the edit box.

  • Select a report in the list. For example, if you want to restore an accidentally deleted Organizational Unit, select the Recently deleted OUs report.
  • Generate the selected report.
  • Select the object you want to restore and click Restore.

If necessary, you can disable the Restore Deleted Object operation in a Web Interface. For details, see Disable Operations on AD Objects.

Undo Delete

When a user accidentally deletes an Active Directory object using Adaxes, they can use the Undo Delete option to instantly recover it.

The Undo operation is only available if the user has the permission to restore the deleted object and if the Recycle Bin feature is enabled for the object's domain.

For information on how to protect Active Directory objects from accidental deletion, see Protect objects from deletion.



