Oct 21, 2015

Using LDP.exe to restore deleted AD objects

The whole process is described here; however, the article failed to mention the following:

  • You must use LDAPS to connect to AD.
  • When you type in the new DN, make sure you include the CN portion as well; most people tend to copy only the OU path.
  • You need to connect to AD using a user account in the local domain, otherwise you won't see any objects under the "Deleted Objects" container.

To restore a deleted Active Directory object using Ldp.exe

  1. Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
  3. On the Options menu, click Controls.
  4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
  5. In the console tree, navigate to the CN=Deleted Objects container.
  6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
  7. In the Modify dialog box:
    1. In Edit Entry Attribute, type isDeleted.
    2. Leave the Values box empty.
    3. Under Operation, click Delete, and then click Enter.
    4. In Edit Entry Attribute, type distinguishedName.
    5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
    6. Under Operation, click Replace.
    7. Make sure that the Extended check box is selected, click Enter, and then click Run.
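The modify that steps 7.1 to 7.7 perform, as an added example that is not from the original post or from LDP.exe: it derives the original DN from the tombstone's RDN plus its lastKnownParent attribute (so the CN portion is never dropped, the mistake noted above) and builds the two attribute changes, delete isDeleted and replace distinguishedName. The tombstone DN, parent OU and GUID below are constructed sample values.

```python
"""Build the LDAP modify that LDP.exe applies when restoring a tombstone."""
import re

# LDAP_SERVER_SHOW_DELETED_OID: the "Return Deleted Objects" control LDP loads.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# A tombstone RDN value is "<name>\0ADEL:<objectGUID>"; "\0A" is the escaped
# line feed that AD inserts in DN string form.
_TOMBSTONE_RDN = re.compile(r"^(CN=.*?)\\0ADEL:[0-9a-fA-F-]+,", re.DOTALL)

# Constructed sample values (not from any real directory).
SAMPLE_TOMBSTONE = ("CN=John Smith\\0ADEL:11111111-2222-3333-4444-555555555555,"
                    "CN=Deleted Objects,DC=corp,DC=example")
SAMPLE_LAST_KNOWN_PARENT = "OU=Staff,DC=corp,DC=example"


def original_rdn(tombstone_dn: str) -> str:
    """Return the pre-deletion RDN, e.g. 'CN=John Smith', or raise ValueError."""
    match = _TOMBSTONE_RDN.match(tombstone_dn)
    if not match:
        raise ValueError(f"not a tombstone DN: {tombstone_dn}")
    return match.group(1)


def restore_target_dn(tombstone_dn: str, last_known_parent: str) -> str:
    """Full DN to write into distinguishedName: original CN + lastKnownParent.

    Rejects an empty parent or the Deleted Objects container itself, and always
    prepends the CN so a pasted OU-only path cannot slip through.
    """
    parent = (last_known_parent or "").strip()
    if not parent or parent.upper().startswith("CN=DELETED OBJECTS"):
        raise ValueError("lastKnownParent must be the original container")
    return f"{original_rdn(tombstone_dn)},{parent}"


def restore_modifications(tombstone_dn: str, last_known_parent: str) -> list:
    """The two changes from steps 7.1-7.7, as (operation, attribute, values).

    Submit them in one LDAP modify with SHOW_DELETED_OID attached as a control
    (the 'Extended' check box in LDP) over an LDAPS bind.
    """
    new_dn = restore_target_dn(tombstone_dn, last_known_parent)
    return [("delete", "isDeleted", []),
            ("replace", "distinguishedName", [new_dn])]


if __name__ == "__main__":
    for op in restore_modifications(SAMPLE_TOMBSTONE, SAMPLE_LAST_KNOWN_PARENT):
        print(op)
```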