JSI Tip 8000. How do I restore deleted user accounts and their group memberships in Active Directory?

Jerold Schulman

May 3, 2004


Microsoft Knowledge Base Article 840001 contains the following summary:

You can use two methods to restore deleted user accounts, computer accounts, and security groups. These objects are known collectively as security principals. In both methods, you authoritatively restore the deleted objects, and then you restore group membership information for the deleted security principals. When you restore a deleted object, you must restore the former values of the member and memberOf attributes in the affected security principal. The two methods are:

Method 1: Restore the deleted user accounts, and then add the restored users back to their groups

Method 2: Authoritatively restore the deleted user accounts and the deleted users' security groups two times

Method 1 provides a better experience for domain users and administrators because it preserves the additions to security groups that were made between the time of the last system state backup and the time the deletion occurred. In method 2, instead of making individual adjustments to security principals, you roll back security group memberships to their state at the time of the last backup.

If you do not have a valid backup of the system state, and the domain where the deletion occurred contains Windows Server 2003-based domain controllers, you can manually or programmatically recover the deleted objects. You can also use the Repadmin utility to determine when and where a user was deleted.

Most large-scale deletions are accidental. Microsoft recommends that you take several steps to prevent others from deleting objects in bulk.


