Note: This article was originally written on reich-consulting.net. Reich Web Consulting has narrowed its focus to the web and no longer offers tech support services, so we’ve moved all of our tech support content off-site. We hope you find this article useful. It is provided as-is, and we will no longer provide support on this topic.
Friday afternoon I received a call from a coworker who was getting an Access Denied error when she would try to print to a particular network printer. Sure enough upon inspection of the printer’s ACL I found that one of our organization’s most important Security Groups had been deleted (how that happened is another story).
Because ACLs in AD environments are based on the SID, or Security Identifier, of an object rather than it’s name, you can’t just create a new object with the same name and expect things to work. They won’t. So how do you recover the original object?
Microsoft did not see fit to give Active Directory a Recycle Bin, but they did build in a feature called the Tombstone Lifetime. When an Active Directory object is deleted the object is actually moved to a hidden container called deleted objects and it stays there for the number of days specified by the tombstone lifetime.
Using the LDAP client built into Windows Server you can restore an object that is stuck in limbo between being deleted and wiped out permanantly when it’s tombstone lifetime expires. The video below illustrates how to do it far better than I ever could.
One final note: restoring a deleted object will not restore all of it’s properties. For example when restoring a Group object the group’s membership is lost. The important part is that the object is restored with the same SID, so after you manually restore it’s members existing Access Control Lists will function as expected.
[youtube_sc url=http://www.youtube.com/watch?v=0KffgbO6CTQ width=580 rel=0 fs=1]