Being able to get back Active Directory objects that are accidentally deleted is very valuable when it happens, but until it happens to you, it’s not really something you think much about. Our service provides an item-level restore capability for those harrowing moments when you (or we) have made a mistake.
For a long time, the product story around restoring accidentally deleted directory objects was not good: it required a risky authoritative restore that only gave you back the last backed-up version of the deleted objects, forced you to take a DC offline, and could result in even worse outcomes. This story was bad enough that we didn’t support doing it.
The Offering
If you’ve deleted one or more directory objects, you can request that we restore them for up to 180 days after the deletion. After 180 days, we will be unable to restore the object. We’ll use the Active Directory Recycle Bin feature to recover your deleted object, restoring it to the original parent container that it was in prior to deletion. The data retained by the Active Directory Recycle Bin feature is the limit of what we’ll be able to restore, but fortunately, that is a pretty decent set of data.
In general, this offering is scoped to delegated OU customers. However, there are cases where we’ll entertain restore requests for objects outside of delegated OUs. Restoring users or groups (or any object not in your OU) is possible, but the MI service will require additional approvals.
If you want to restore a computer object, keep in mind that there is a chance that the password on that computer object may not be valid, and you may need to do a secure channel reset to get the computer re-connected to that computer object. In some cases, you may be better off just recreating the computer object from scratch.
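One way to check for that condition and reset the secure channel once the computer object is back, as an added example that is not part of the original service documentation. It assumes Windows PowerShell 5.1 running elevated on the affected computer; the function name is hypothetical, and the credential is assumed to belong to an account allowed to reset that computer object's password.

```powershell
#requires -RunAsAdministrator
# Added example: run on the domain-joined computer whose object was restored.
# Test-ComputerSecureChannel ships with Windows PowerShell 5.1.

function Repair-RestoredComputerChannel {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Assumption: an account permitted to reset this computer object's
        # password, for example an admin of the delegated OU that holds it.
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    # Returns $true when the machine password stored locally still matches
    # the password on the restored computer object.
    if (Test-ComputerSecureChannel) {
        Write-Host 'Secure channel is healthy; no reset needed.'
        return $true
    }

    Write-Warning 'Secure channel is broken; attempting a reset.'

    # -Repair removes and rebuilds the channel established by the Netlogon
    # service, using the supplied credential to authenticate to the domain.
    $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential

    if (-not $repaired) {
        Write-Warning 'Reset failed; recreating the computer object and rejoining may be the better path.'
    }
    return $repaired
}

# Prompts for the credential, then reports $true or $false.
Repair-RestoredComputerChannel -Credential (Get-Credential)
```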
If you’d like to have a user restored, we’ll need to involve the UW NetID service, and we provide no guarantees that your request will be fulfilled.
If you’d like to have a group restored, we’ll need to verify you have the authority to recreate a group with the same name in the Groups Service before proceeding. After restoration of the group, you’ll need to recreate the group in the Groups Service to restore the group to its proper state where it can be managed.
What do I do?
Open a help request via help@uw.edu with a subject line of “NETID domain item restore”. To the best of your ability, please provide the following information:
- Name of object. Preferably the distinguishedName (DN), but a CN or samAccountName is OK.
- Location of object. What object was the parent?
- How long ago you deleted the object.