Microsoft added support for undeleting (reanimating) Active Directory objects in Windows Server 2003 and later versions. A technical article describing the 'undelete' mechanism can be found in MSDN under the title "Restoring Deleted Objects". Another good technical article, covering the practical side of recovering accounts, is Microsoft KB 840001: How to restore deleted user accounts and their group memberships in Active Directory. Hyena implements the 'undelete' functionality exactly as documented by Microsoft in these articles.
To view deleted Active Directory objects and attempt to undelete them, right click on a Windows Server 2003 or later domain entry in Hyena's left window, and select the View Deleted Objects... function.
To attempt undeletion of any object, select one or more entries, right click, and select Undelete. Hyena will prompt for the destination container in which any 'undeleted' objects are to be placed.
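The LDAP operation behind the Undelete function, as described in Microsoft's "Restoring Deleted Objects" article, is shown below as an added example written for this page; it is not Hyena's code. A tombstone is invisible to normal searches, so both the search and the modify carry the LDAP_SERVER_SHOW_DELETED_OID control (1.2.840.113556.1.4.417); the undelete itself is a single modify request that removes isDeleted and replaces distinguishedName with the new location. The server name, domain name, user name and target OU are assumptions, and the caller needs the "Reanimate Tombstones" control access right on the domain partition.

```powershell
# Added example (not Hyena's code): reanimate an AD tombstone with the documented LDAP operation.
# Assumptions: DC name, domain DN, account name and target OU below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'dc01.corp.example'              # assumed domain controller (must be Windows Server 2003 or later)
$DomainDn  = 'DC=corp,DC=example'             # assumed domain
$DeletedDn = "CN=Deleted Objects,$DomainDn"   # well-known container that holds tombstones

# LDAP_SERVER_SHOW_DELETED_OID: without it the DC hides tombstones from searches and modifies
$ShowDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl(
    '1.2.840.113556.1.4.417', $null, $true, $true)

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.Signing = $true          # sign and seal the LDAP session
$conn.SessionOptions.Sealing = $true
$conn.Bind()                                  # current Windows credentials

function Get-Tombstone {
    # Find the tombstone of a user by its former sAMAccountName (kept on the tombstone).
    param([string]$SamAccountName)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DeletedDn,
        "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        @('cn', 'sAMAccountName', 'objectSid', 'lastKnownParent', 'whenChanged'))
    $req.Controls.Add($ShowDeleted) | Out-Null
    $resp = $conn.SendRequest($req)
    return $resp.Entries
}

function Restore-Tombstone {
    # Undelete one tombstone into $TargetOu, which must already exist.
    param($Entry, [string]$TargetOu)
    # A tombstone's cn is "<original cn>\0ADEL:<guid>"; the \0A is a real newline character
    $origCn = ($Entry.Attributes['cn'][0] -split "`n")[0]
    $newDn  = "CN=$origCn,$TargetOu"

    $removeIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $removeIsDeleted.Name      = 'isDeleted'
    $removeIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    # Both changes must travel in ONE modify request, with the show-deleted control attached
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $Entry.DistinguishedName
    $mod.Modifications.Add($removeIsDeleted) | Out-Null
    $mod.Modifications.Add($setDn) | Out-Null
    $mod.Controls.Add($ShowDeleted) | Out-Null
    $conn.SendRequest($mod) | Out-Null
    return $newDn
}

# Usage (assumed account 'jsmith'): prefer the original container recorded in lastKnownParent,
# which is what a "destination container" prompt would default to, if that container still exists.
$found = Get-Tombstone -SamAccountName 'jsmith'
if ($found.Count -eq 1) {
    $target = $found[0].Attributes['lastKnownParent'][0]
    if (-not $target) { $target = "OU=Restored,$DomainDn" }   # assumed fallback OU
    Restore-Tombstone -Entry $found[0] -TargetOu $target
}
```

The two modifications are sent in one request on purpose: the DC rejects a modify that removes isDeleted without also moving the object out of the Deleted Objects container. If the search returns more than one tombstone for the same name (an account deleted and re-created more than once), pick by objectSid or whenChanged rather than restoring blindly.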
Microsoft has imposed several limitations on the undeletion of AD objects:
When an object is deleted in AD, most of its attributes are permanently stripped from the tombstone and cannot be restored. For a typical user, for example, the home directory setting, description, logon restrictions, group memberships (the member link values on each group), etc. are not recoverable. Testing has shown that the user's password may not be restored either, but this may depend on local factors.
When user accounts are restored, the "User Must Change Password at Next Logon" and "Account Disabled" flags are automatically set by Windows, so a restored account cannot be used until an administrator re-enables it and assigns a password.
There is a limited timeframe in which AD objects can be restored: a tombstone is garbage collected once it is older than the forest's tombstone lifetime (the tombstoneLifetime attribute on the Directory Service object in the Configuration partition). When the attribute is not set, the default is 60 days, or 180 days for forests created on Windows Server 2003 SP1 or later.
Microsoft has documented that undeletion is only supported if a Windows Server 2003 or later domain controller is present in the domain. However, it is unclear whether the domain must be at the native Windows Server 2003 functional level or whether a mixed-mode Windows 200x domain can use the undelete capability. Testing has shown that Windows 2000 domain controllers do not appear to format the deleted object's directory path correctly, which prevents undeletion. Hyena can, however, still display the former 'cn' of any deleted object on a Windows 2000 domain.
Undeleted users and groups keep the SID they had before deletion, so pre-existing security settings (ACLs and group memberships that reference the SID) are unaffected by the deletion and restore.
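Before attempting an undelete it is worth checking how much of the window is left and what actually survived on each tombstone. The following added example (written for this page, not Hyena's code) reads the forest's tombstoneLifetime, lists the user tombstones with their remaining days, and reports the attributes the paragraphs above say are kept (SID, original parent) or dropped (description, group memberships). It runs on a domain-joined machine with the current credentials; the only assumptions are that the Deleted Objects container of the default naming context is the one of interest and that the tombstone has not been modified since deletion, so its whenChanged timestamp approximates the deletion time.

```powershell
# Added example (not Hyena's code): tombstone lifetime, remaining restore window, and
# which attributes survived deletion. Uses System.DirectoryServices on a domain member.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext.Value
$defaultNc = $rootDse.defaultNamingContext.Value

# tombstoneLifetime lives on the Directory Service object in the Configuration partition.
# Absent value = forest default: 60 days (180 days for forests created on Windows Server 2003 SP1+).
$dsObj        = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$lifetimeDays = $dsObj.tombstoneLifetime.Value
if (-not $lifetimeDays) { $lifetimeDays = 60 }   # assumption: pre-SP1 forest default when unset

function Get-FirstValue($props, [string]$name) {
    # Tombstones lack most attributes; return $null instead of failing on a missing key
    if ($props.Contains($name)) { return $props[$name][0] } else { return $null }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Deleted Objects,$defaultNc"
$searcher.Tombstone   = $true          # attaches LDAP_SERVER_SHOW_DELETED_OID to the search
$searcher.Filter      = '(&(isDeleted=TRUE)(objectClass=user))'
$searcher.SearchScope = 'OneLevel'
$searcher.PageSize    = 500
$searcher.PropertiesToLoad.AddRange(@('cn', 'samaccountname', 'objectsid', 'lastknownparent',
                                      'whenchanged', 'description', 'memberof'))

foreach ($r in $searcher.FindAll()) {
    # For an untouched tombstone the last write is the deletion itself
    $deletedAt = [datetime](Get-FirstValue $r.Properties 'whenchanged')
    $daysLeft  = ($deletedAt.AddDays($lifetimeDays) - (Get-Date)).TotalDays
    $sidBytes  = Get-FirstValue $r.Properties 'objectsid'
    $sid       = if ($sidBytes) { (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value }
    $groups    = if ($r.Properties.Contains('memberof')) { $r.Properties['memberof'].Count } else { 0 }

    [pscustomobject]@{
        Name        = ((Get-FirstValue $r.Properties 'cn') -split "`n")[0]   # strip "\0ADEL:<guid>"
        Sam         = Get-FirstValue $r.Properties 'samaccountname'
        Sid         = $sid                                                  # kept: restore preserves it
        LastParent  = Get-FirstValue $r.Properties 'lastknownparent'        # kept: original container
        DeletedAt   = $deletedAt
        DaysLeft    = [math]::Round($daysLeft, 1)                           # negative = already past lifetime
        Description = Get-FirstValue $r.Properties 'description'            # normally $null: stripped
        GroupLinks  = $groups                                               # normally 0: memberships stripped
    }
} | Sort-Object DaysLeft
```

A negative DaysLeft means the tombstone is past its lifetime and will disappear on the next garbage-collection pass, so an undelete attempt should not be relied on. The empty Description and zero GroupLinks columns are the concrete form of the attribute loss described above; group memberships have to be rebuilt from a separate record (or per KB 840001) after the undelete.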