PowerShell AD Recovery


Before you can recover AD objects, you have to set up your AD to allow it. You will need to be at forest functional level 2008 R2 or above.

Think up front about:

  • Protect from accidental deletion
  • AD recycle bin

You can protect AD objects from accidental deletion. You can apply this to OUs, users, groups, etc. When you set this option, it adds a deny entry to the object's ACL that blocks deletion of the object for everyone. As you may know, a deny always overrules.

To get the protection status on a user:

To enable the protection for this user, use Set-ADObject on the user and set the property:

To use this on different objects and protect your AD the big way:

To remove the user from AD, you first have to remove the protection from it; then you can delete it:


The AD Recycle Bin can be used to recover AD objects, just like an ordinary recycle bin. You need to enable the Recycle Bin before you can use it. Remember, the forest needs to be at 2008 R2 or higher. To check the forest level:

To enable the Recycle Bin:

To get the information about one deleted user:

To restore the deleted user, simply put Restore-ADObject at the end of the pipeline:

Let's ramp things up a little bit. Now we focus on restoring an OU together with the objects in it. You have to restore the deleted objects recursively.

This I have to build or Google, so no code for this part yet… Just Google for AD recursively restore.
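One way to do the recursive OU restore described above, as an added example that is not the author's code. It follows the top-down order Microsoft documents for restoring multiple deleted objects, and it assumes the Recycle Bin was enabled before the deletion and that the ActiveDirectory module is available; the function name `Restore-ADDeletedTree` and the OU name `Sales` are hypothetical.

```powershell
Import-Module ActiveDirectory

function Restore-ADDeletedTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A deleted object as returned by Get-ADObject -IncludeDeletedObjects
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADObject]$DeletedObject
    )
    process {
        $target = $DeletedObject.DistinguishedName
        if (-not $PSCmdlet.ShouldProcess($target, 'Restore from AD Recycle Bin')) { return }

        # The parent has to exist again before its children can be restored,
        # so restore top down. -PassThru returns the live object and its DN.
        $restored = $DeletedObject | Restore-ADObject -PassThru -ErrorAction Stop
        $parentDN = $restored.DistinguishedName
        Write-Verbose "Restored $parentDN"

        # Direct children that are still deleted: lastKnownParent is the DN just restored.
        # Collect them first so nothing is restored while the query is still streaming.
        $children = @(Get-ADObject -IncludeDeletedObjects `
            -Filter 'isDeleted -eq $true -and lastKnownParent -eq $parentDN')

        foreach ($child in $children) {
            try   { $child | Restore-ADDeletedTree }
            catch { Write-Warning "Could not restore $($child.DistinguishedName): $_" }
        }
    }
}

# Usage. 'Sales' is a constructed OU name; replace it with the deleted OU's name.
$deletedOu = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Sales))')

if ($deletedOu.Count -ne 1) {
    # Several deleted OUs can share a name; pick one by lastKnownParent instead of guessing.
    $deletedOu | Format-Table Name, lastKnownParent, ObjectGUID
    throw "Expected exactly one deleted OU, found $($deletedOu.Count)."
}
$deletedOu | Restore-ADDeletedTree -WhatIf     # previews the top-level restore only
$deletedOu | Restore-ADDeletedTree -Verbose    # restores the OU, then everything under it
```

Restoring from the Recycle Bin brings back group memberships and other attributes along with the objects, so review what was in the OU before putting it back into production.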
