How to manually undelete objects in the Deleted Objects container with the LDP tool in Active Directory.

To manually undelete objects in a deleted object’s container, follow these steps:

1. Click Start, click Run, and then type ldp.exe.
Note If the Ldp utility is not installed, install the support tools from the Windows Server 2003 installation CD.

2. Use the Connection menu in Ldp to perform the connect operation and the bind operation to a Windows Server 2003 domain controller. Specify domain administrator credentials during the bind operation.

3. On the Options menu, click Controls.

4. In the Load Predefined list, click Return Deleted Objects.

Note The 1.2.840.113556.1.4.417 control moves to the Active Controls window.

5. Under Control Type, click Server, and then click OK.

6. On the View menu, click Tree, type the distinguished name path of the deleted objects container in the domain where the deletion occurred, and then click OK.

Note The distinguished name path is also known as the DN path. For example, if the deletion occurred in the contoso.com domain, the DN path would be the following path:

cn=deleted Objects,dc=contoso,dc=com

7. In the left pane of the window, double click the Deleted Object Container.

Note An LDAP query returns only 1000 objects by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all of them appear under the container. If your target object does not appear, use ntdsutil to raise the MaxPageSize LDAP policy, or page the search results with a paged-results control, so that the full result set is returned.

8. Double-click the object that you want to undelete or to reanimate.

9. Right-click the object that you want to reanimate, and then click Modify.
Change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:

  1. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.
  2. Click the Delete option button, and then click Enter to make the first of two entries in the Entry List dialog. Important Do not click Run.
  3. In the Attribute box, type distinguishedName.
  4. In the Values box, type the new DN path of the reanimated object. For example, to reanimate the JohnDoe user account to the Mayberry OU, use the following DN path:


Note If you want to reanimate a deleted object to its original container, append the value of the deleted object’s lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.

  5. In the Operation box, click REPLACE.
  6. Click ENTER.
  7. Click to select the Synchronous check box.
  8. Click to select the Extended check box.
  9. Click RUN.

10. After you reanimate the objects, click Controls on the Options menu, and then click the Check Out button to remove 1.2.840.113556.1.4.417 from the Active Controls list.

11. Reset user account passwords, profiles, home directories, and group memberships for the deleted users.
    When the object was deleted, all attribute values except the SID, objectGUID, lastKnownParent, and sAMAccountName were stripped.

12. Enable the reanimated account in Active Directory Users and Computers.

    Note The reanimated object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The first release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups. Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.

13. Remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.

    Note The reanimation of deleted objects is supported when the deletion occurs on a Windows Server 2003 domain controller. The reanimation of deleted objects is not supported when the deletion occurs on a Windows 2000 domain controller that is subsequently upgraded to Windows Server 2003.

    Note If the deletion occurs on a Windows 2000 domain controller in the domain, the lastParentOf attribute is not populated on Windows Server 2003 domain controllers.
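The same reanimation done from PowerShell with System.DirectoryServices.Protocols, as an added example that is not part of the original post: it binds, searches the Deleted Objects container with the Return Deleted Objects control (paging the results so the 1000-entry default limit noted above cannot hide the tombstone), and then sends the single modify that removes isDeleted and replaces distinguishedName. The domain controller name dc01.contoso.com, the account JohnDoe and the Mayberry OU are assumed values.

```powershell
# Added example, not from the original post. Assumed: DC dc01.contoso.com,
# deleted account JohnDoe, target OU Mayberry in contoso.com.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

$server      = 'dc01.contoso.com'                  # assumption
$domainDn    = 'dc=contoso,dc=com'
$deletedBase = "cn=Deleted Objects,$domainDn"
$sam         = 'JohnDoe'                           # assumption
$newDn       = "cn=JohnDoe,ou=Mayberry,$domainDn"  # assumption

# Steps 1-2: connect and bind with the caller's (domain admin) credentials.
$conn = New-Object "$ns.LdapConnection" $server
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# Steps 3-7: search the container with the Return Deleted Objects control
# (OID 1.2.840.113556.1.4.417) and page in 500-entry chunks instead of
# raising MaxPageSize on the DC.
$filter = "(&(isDeleted=TRUE)(sAMAccountName=$sam))"
$attrs  = [string[]]@('lastKnownParent', 'objectSid')
$req = New-Object "$ns.SearchRequest" $deletedBase, $filter, 'OneLevel', $attrs
$req.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null
$pager = New-Object "$ns.PageResultRequestControl" 500
$req.Controls.Add($pager) | Out-Null
$found = @()
do {
    $resp = $conn.SendRequest($req)
    $found += $resp.Entries
    $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $pager.Cookie = $pageResp.Cookie
} while ($pager.Cookie.Length -gt 0)
if ($found.Count -ne 1) { throw "Expected exactly one tombstone for $sam, found $($found.Count)." }
$tomb = $found[0]
Write-Host "Tombstone DN:    $($tomb.DistinguishedName)"
Write-Host "lastKnownParent: $($tomb.Attributes['lastKnownParent'][0])"

# Step 9: one LDAP modify that deletes isDeleted and replaces distinguishedName.
$delIsDeleted = New-Object "$ns.DirectoryAttributeModification"
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDn = New-Object "$ns.DirectoryAttributeModification"
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($newDn) | Out-Null
$mod = New-Object "$ns.ModifyRequest"
$mod.DistinguishedName = $tomb.DistinguishedName
$mod.Modifications.Add($delIsDeleted) | Out-Null
$mod.Modifications.Add($setDn) | Out-Null
$mod.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null  # the Extended check box in LDP
$conn.SendRequest($mod) | Out-Null
$conn.Dispose()
Write-Host "Reanimated to $newDn. Reset the password and group memberships, then enable the account."
```

Steps 11 to 13 above still apply afterwards: the reanimated object carries only the SID, objectGUID, lastKnownParent and sAMAccountName, so everything else must be restored by hand.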



