Editor’s Note: This is the 2nd in a series of blogs around Active Directory (AD) backup and recovery using STEALTHbits’ StealthRECOVER. Read the 1st blog, An Introduction to Active Directory Backup and Recovery.
NOTE: For the purposes of this post I’m going to assume that the Active Directory Recycle Bin has not been enabled within the domain. The AD Recycle Bin and its impact on object recovery will be covered in this series’ next post.
When an object is deleted from Active Directory it is not actually deleted, at least not right away.
This is less a feature than a consequence of the multi-master replication model that Active Directory uses. Under that model any domain controller can create, update, or delete an object, and the change then replicates out to the other domain controllers; a deletion therefore has to leave something behind on the originating domain controller so that the other domain controllers can learn the object is gone.
Let’s use the LDP utility to take a look at what actually happens when an object is deleted. Assisting me in this endeavor will be Delete Q. Me, my handy PowerShell-generated demo user account.
It looks like a happy, healthy user account ready to participate in a demonstrative adventure. Sadly, as mentioned in the previous paragraph, I’m going to delete my poor user account for science.
Sorry, buddy.
Now that it’s gone, you may have trouble finding our dead-but-not-gone user account. LDP needs a nudge before it will show deleted objects. Within LDP, click the Options menu and select Controls. Within the Controls dialog box, open the Load Predefined dropdown, select Return deleted objects, and click OK.
The partition’s Deleted Objects container should now be visible below the root. After expanding that, we can poke around for our recently-deceased user object.
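The same lookup done from PowerShell instead of LDP, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine, and the sAMAccountName of the demo account is an assumption.

```powershell
# Added example, not from the original post: find the deleted demo user the way
# LDP's "Return deleted objects" control does, and report how long the tombstone
# will survive. Requires the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$sam        = 'delete.q.me'   # assumed sAMAccountName of the demo account
$domain     = Get-ADDomain
$deletedOU  = "CN=Deleted Objects,$($domain.DistinguishedName)"

# 1. Locate the deleted object. -IncludeDeletedObjects attaches the LDAP
#    "show deleted" control (OID 1.2.840.113556.1.4.417), which is what LDP
#    loads from Options > Controls > Load Predefined > Return deleted objects.
#    sAMAccountName, objectSid and objectGUID are preserved on the tombstone,
#    so the account can still be found by name.
$tombstone = Get-ADObject -Filter "sAMAccountName -eq '$sam'" `
    -IncludeDeletedObjects -SearchBase $deletedOU -SearchScope OneLevel `
    -Properties isDeleted, lastKnownParent, whenChanged, objectSid, sAMAccountName

if (-not $tombstone) { throw "No deleted object named '$sam' found under $deletedOU" }

# 2. Show what deletion changed: the RDN is mangled to "<name>\0ADEL:<objectGUID>",
#    the object now sits under Deleted Objects, isDeleted is TRUE and
#    lastKnownParent records the container it was deleted from.
$tombstone |
    Select-Object DistinguishedName, ObjectGUID, objectSid, isDeleted, lastKnownParent, whenChanged |
    Format-List

# 3. How long the tombstone survives before garbage collection removes it for good.
#    tombstoneLifetime lives on the Directory Service object in the configuration
#    partition; an empty value means the forest default applies.
$dsObject = Get-ADObject `
    "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
    -Properties tombstoneLifetime

if ($dsObject.tombstoneLifetime) {
    $days   = [int]$dsObject.tombstoneLifetime
    # whenChanged was updated by the deletion itself, so it approximates deletion time.
    $expiry = $tombstone.whenChanged.AddDays($days)
    "tombstoneLifetime is $days days; tombstone is eligible for garbage collection on or after $expiry"
} else {
    "tombstoneLifetime is not set; the forest default lifetime applies"
}
```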
Yikes. Here’s a summary of the changes which occurred as a result of the user object’s deletion: