Recovering Deleted AD Users (and other objects) with PowerShell

If you have to recover deleted users in AD and don’t have the AD Recycle Bin enabled, PowerShell is perfect for the task.

There’s an article on TechNet that describes using LDP or PowerShell with the Recycle Bin enabled, but if you don’t have the Recycle Bin turned on, it leaves out a few things.

If you don’t specify the “-NewName” parameter when using Restore-ADObject, you get the following error:

Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted

The same error can show up for other reasons, such as the former parent OU being invalid (it was deleted too), but in this case the cause is that tombstoned objects don’t have a displayName. Without the Recycle Bin, a deleted object survives only as a tombstone, which keeps a handful of attributes (objectGUID, objectSid, sAMAccountName, lastKnownParent and a few others) and drops the rest, displayName included. The TechNet article also filters objects by displayName, which again won’t match a tombstone. Womp Womp.

So try something like these commands instead. A tombstone’s cn is the original name followed by a “\0ADEL:<objectGUID>” suffix, so a wildcard match on cn still finds it, and matching on objectGUID is exact if you already know it:

# Find by (partial) name; check the result before piping it on, since -like can match more than one tombstone
Get-ADObject -IncludeDeletedObjects -Filter {cn -like "*name*"} | Restore-ADObject -NewName "<newname>"
# Find by objectGUID when you know exactly which object you want back
Get-ADObject -IncludeDeletedObjects -Filter {objectguid -eq "someguid"} | Restore-ADObject -NewName "<newname>"

Keep in mind that reanimating a tombstone brings back only the attributes the tombstone kept. The password, group memberships and stripped attributes such as displayName and mail do not come back, so plan to reset the password, re-add group memberships and repopulate the rest afterwards. The tombstone is also only available until the forest’s tombstone lifetime expires.
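Here is the whole procedure in one script, as an added example that is not part of the original post: it finds the tombstone by sAMAccountName (an attribute tombstones keep, unlike displayName), recovers the original CN for -NewName from the “\0ADEL:” name, checks that lastKnownParent still exists before restoring (the other common cause of “Illegal modify operation”), and then shows what did not survive. The account name, the fallback OU and the domain are placeholders; it assumes the ActiveDirectory module is installed and that you hold the “Reanimate Tombstones” control access right on the domain (Domain Admins have it by default).

```powershell
# Added example, not code from the original post. Reanimates a tombstoned user without the
# AD Recycle Bin. Assumes the ActiveDirectory module and the "Reanimate Tombstones" right.
# $Sam and $FallbackOU are constructed placeholders; replace them with your own values.
Import-Module ActiveDirectory

$Sam        = 'jdoe'                            # account to recover (placeholder)
$FallbackOU = 'OU=Restored,DC=example,DC=com'   # used only if the former parent OU is gone (placeholder)

# A tombstone keeps only a few attributes (objectGUID, objectSid, sAMAccountName, lastKnownParent, ...).
# displayName is stripped, so filter on sAMAccountName rather than displayName.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and sAMAccountName -eq $Sam } `
    -Properties sAMAccountName, lastKnownParent, whenChanged

if (-not $deleted) {
    throw "No tombstone found for sAMAccountName '$Sam' (it may already be past the tombstone lifetime)."
}
if (@($deleted).Count -gt 1) {
    # Several deleted copies exist; pick one by objectGUID instead of guessing.
    $deleted | Format-Table Name, ObjectGUID, whenChanged -AutoSize
    throw "Multiple tombstones match '$Sam'; run Restore-ADObject -Identity <objectGUID> for the one you want."
}

# The tombstone's name is "<original CN>\0ADEL:<objectGUID>"; take the part before the NUL for -NewName.
$originalName = $deleted.Name.Split([char]0)[0]

# "Illegal modify operation" is also raised when lastKnownParent no longer exists, so verify it first.
$target = $deleted.lastKnownParent
try {
    Get-ADObject -Identity $target -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Former parent '$target' no longer exists; restoring into '$FallbackOU' instead."
    $target = $FallbackOU
}

$restored = Restore-ADObject -Identity $deleted.ObjectGUID -NewName $originalName -TargetPath $target -PassThru

# Only the retained attributes come back: expect an empty memberOf and displayName, and no usable
# password. Reset the password, re-enable if needed, and re-add group memberships after this.
Get-ADUser -Identity $restored.ObjectGUID -Properties memberOf, displayName |
    Select-Object Name, DistinguishedName, Enabled, displayName, memberOf
```

Run it from a PowerShell session on a machine with RSAT, as an account that holds the reanimation right. The filter on sAMAccountName is deliberately exact and the script refuses to restore when more than one tombstone matches, because piping a wildcard Get-ADObject result straight into Restore-ADObject will try to restore every match under the same -NewName.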

One response to “Recovering Deleted AD Users (and other objects) with PowerShell”

  1. SomeAdmin says:

    Thanks for providing these critical details for using the procedure without a recycle bin! This was difficult information to find on the web.
