How to restore a deleted AD object using PowerShell
Description
Occasionally, one or more Active Directory (AD) objects are deleted by mistake by system administrators. If certain conditions are met (the forest functional level requirement described below), a full Domain Controller restore is not necessary. There are easier ways to restore AD objects, but the PowerShell commands below can be integrated into more comprehensive scripts.
Solution
For illustration purposes, the domain name is set to support.test.local
Open an elevated PowerShell prompt on a domain controller and load the module:
PS C:\> Import-Module ActiveDirectory
Note: if you opened the "Active Directory Module for Windows PowerShell" shortcut, the module is already loaded and this step is not necessary.
The forest functional level must be Windows Server 2008 R2 or higher. Check it with:
PS C:\> Get-ADForest
Find the ForestMode property and make sure it is set to Windows2008R2Forest (or a later level). Note that the forest level alone does not preserve a deleted object's attributes: the Active Directory Recycle Bin (an optional feature that requires this forest level) must have been enabled before the deletion, otherwise the deleted object is a tombstone that has lost most of its attributes. You can raise the forest functional level by running:
Get the list of deleted objects in AD:
PS C:\> Get-ADObject -SearchBase "CN=Deleted Objects,DC=support,DC=test,DC=local" -Filter {*} -IncludeDeletedObjects -Properties LastKnownParent > C:\deletedADObjects.txt
A list of the deleted AD objects is written to the file. Since there may be many such objects, collecting them in a text file makes it easier to identify the ones to be restored; LastKnownParent shows the container each object lived in before it was deleted.
Let's suppose that the AD object to be restored is the user "TestUser1". To restore it, type:
After the command has run, verify that the object has indeed been restored (sometimes some properties have to be re-entered manually, in particular when the Recycle Bin was not enabled at deletion time) and force AD replication so the other domain controllers pick up the restored object.
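The whole procedure above, as an added example script that is not part of the original article: it checks the forest level and the Recycle Bin, dumps the deleted-object inventory, finds the deleted user by sAMAccountName (deleted objects are renamed, so matching on Name is unreliable), restores it to its last known parent or to a fallback container when that parent is gone, and verifies the result. The domain support.test.local and the user TestUser1 are taken from the article; the CSV report path and the Users container as fallback target are assumptions.

```powershell
# Added example (not part of the original article): end-to-end restore of a
# deleted AD user with the ActiveDirectory module. Domain support.test.local
# and user TestUser1 come from the article; the report path and the Users
# container used as a fallback target are assumptions.
Import-Module ActiveDirectory

$userName    = 'TestUser1'
$domainDN    = (Get-ADDomain).DistinguishedName          # DC=support,DC=test,DC=local
$deletedBase = "CN=Deleted Objects,$domainDN"
$report      = 'C:\deletedADObjects.csv'                 # assumed output path

# 1. Preconditions. The forest must be at Windows Server 2008 R2 level or
#    higher, and the object must have been deleted while the AD Recycle Bin
#    was enabled; otherwise it is a tombstone with most attributes stripped.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest mode is $($forest.ForestMode); Windows2008R2Forest or higher is required."
}
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is not enabled: the restored object will have lost most of its attributes.'
}

# 2. Inventory every deleted object (the article's text dump, written as CSV)
#    so the right one can be picked out of a possibly long list.
Get-ADObject -SearchBase $deletedBase -Filter * -IncludeDeletedObjects `
    -Properties LastKnownParent, whenChanged, sAMAccountName |
    Select-Object Name, ObjectClass, sAMAccountName, LastKnownParent, whenChanged, ObjectGUID |
    Export-Csv -Path $report -NoTypeInformation

# 3. Locate the object to restore. Deleted objects are renamed to
#    "<name>\0ADEL:<guid>", so match on sAMAccountName rather than Name.
$deleted = Get-ADObject -SearchBase $deletedBase -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq $userName } `
    -Properties LastKnownParent, whenChanged
if (-not $deleted) { throw "No deleted user with sAMAccountName $userName found." }
if (@($deleted).Count -gt 1) {
    # The same account was deleted more than once: take the most recent deletion.
    $deleted = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1
}

# 4. Restore. The object goes back under LastKnownParent; if that container was
#    deleted as well, it has to be restored first or -TargetPath must be used.
$target = $null
try {
    Get-ADObject -Identity $deleted.LastKnownParent -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Parent $($deleted.LastKnownParent) no longer exists; restoring into the Users container instead."
    $target = "CN=Users,$domainDN"                       # assumed fallback location
}
if ($target) {
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $target
} else {
    Restore-ADObject -Identity $deleted.ObjectGUID
}

# 5. Verify the live object exists and is no longer flagged as deleted, then
#    push the change to the other domain controllers.
$restored = Get-ADUser -Identity $userName -Properties isDeleted, Enabled, MemberOf
if ($restored.isDeleted) { throw "Object $userName is still marked as deleted." }
$restored | Format-List DistinguishedName, Enabled, MemberOf
repadmin /syncall /AdeP
```

Run the script from an elevated prompt on a domain controller with an account allowed to restore objects (by default, Domain Admins). When the Recycle Bin warning fires, compare the restored account's group memberships and other attributes against the CSV report and re-enter what was lost; restoring an OU tree should be done top down, parent container first, so that LastKnownParent exists for every child.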