Restore deleted objects

Using Adaxes, you can restore deleted directory objects within a certain time period after deletion. In Active Directory, deleted objects are first placed into the Recycle Bin and can be recovered within 180 days by default. Microsoft Entra ID keeps deleted objects in a soft-deleted state for 30 days by default.

In Microsoft Entra ID, only users and Microsoft 365 groups are soft-deleted. Security groups are deleted completely and can't be restored.

In this tutorial, you will learn how to use the Adaxes Web interface and Administration console to restore deleted objects, how to enable the Active Directory Recycle Bin feature on your domains, and how to delegate permissions to users to restore deleted objects.

Recycle Bin

Although Adaxes allows restoring deleted objects without Recycle Bin enabled in your domain, it is strongly recommended to enable the feature. With Recycle Bin enabled, objects are restored with all their properties preserved; without it, objects are restored only partially.

The process of enabling Recycle Bin is irreversible. Once enabled, it cannot be disabled.

In Microsoft Entra ID, Recycle Bin is always enabled from the start. To enable the Recycle Bin in Active Directory, the functional level of your Active Directory forest must be Windows Server 2008 R2 or higher. This means that all domain controllers within the forest must be running at least Windows Server 2008 R2.

How to enable the Recycle Bin

To find all AD domains with Recycle Bin disabled, you can use the Domains with Recycle Bin disabled report:

  • Launch Adaxes Administration console.

  • Expand your Adaxes service and select Reports.

  • Type Recycle Bin in the Type report name edit box located to the right.

  • Select the Domains with Recycle Bin disabled report and click Generate.

To enable Recycle Bin for a domain:

  • Right-click the domain for which you want to enable Recycle Bin.

  • Point to All Tasks, and click Enable Recycle Bin.
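Because the change is irreversible and depends on the forest functional level, it helps to check the prerequisites from the command line before clicking Enable Recycle Bin. The following is an added example, not part of the Adaxes documentation: it uses Microsoft's ActiveDirectory PowerShell module rather than Adaxes, and the function name `Get-RecycleBinReadiness` is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example using Microsoft's ActiveDirectory module; not Adaxes code.

function Get-RecycleBinReadiness {   # hypothetical helper name
    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

    # List every domain controller with its OS so outdated ones are visible.
    $dcs = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, OperatingSystem
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        MeetsMinimumLevel = $forest.ForestMode -ge $minimum
        # EnabledScopes is empty until the feature has been turned on.
        RecycleBinEnabled = $feature.EnabledScopes.Count -gt 0
        DomainControllers = $dcs
    }
}

$state = Get-RecycleBinReadiness
$state | Format-List Forest, ForestMode, MeetsMinimumLevel, RecycleBinEnabled
$state.DomainControllers | Format-Table -AutoSize

if (-not $state.MeetsMinimumLevel) {
    Write-Warning 'Forest functional level is below Windows Server 2008 R2; Recycle Bin cannot be enabled.'
}
elseif (-not $state.RecycleBinEnabled) {
    # Irreversible once applied. -WhatIf only previews the change;
    # remove it to enable the feature (the cmdlet applies it at forest scope).
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $state.Forest -WhatIf
}
```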

Permissions

The permissions to restore deleted objects, like any other permissions in Adaxes, are granted with the help of security roles. You can allow users to restore all types of objects, or just specific object types like users, groups, or computers.

To allow restoring deleted objects, a security role must contain the Restore Deleted Objects permission.

How to add Restore Deleted Objects permission
  • Launch Adaxes Administration console.

  • Expand your Adaxes service, then expand Configuration and Security Roles.

  • Select the security role you want to modify.

  • In the Permissions section located to the right, click Add.

  • In the Operations on child objects list, check the Restore Deleted Objects permission in the Allow column.

  • To allow restoring only specific types of directory objects, click Select object types and select the object types you need.

  • Click OK and then click Save changes.

For the Restore Deleted Objects permission to take effect, a security role must be assigned over containers, organizational units, and domains. The permission will not apply when a security role is assigned over members of groups and business units, because deleted objects are not members of any group or business unit.

  • To restore an object, users must have the Restore Deleted Objects permission for the organizational unit or container where the object was located before deletion.

  • To restore an object to a new location, users must have the permission to restore deleted objects in both old and new locations.

  • If the organizational unit or container where the object was located doesn't exist, to restore the object, users must have the Restore Deleted Objects permission applied to the whole domain of the object.
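To see which scope a restore permission has to cover for each deleted object, you can list the deleted objects together with their last known parent. The following is an added example, not part of the Adaxes documentation: it is read-only, uses Microsoft's ActiveDirectory PowerShell module rather than Adaxes, and the function name and the 30-day look-back window are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example using Microsoft's ActiveDirectory module; not Adaxes code.

function Get-DeletedObjectRestoreScope {   # hypothetical helper name
    param([int]$Days = 30)                 # look-back window, arbitrary default

    $since    = (Get-Date).AddDays(-$Days)
    $domainDn = (Get-ADDomain).DistinguishedName

    Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
        -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' |
      # whenChanged on a deleted object approximates the time of deletion.
      Where-Object { $_.whenChanged -ge $since } |
      ForEach-Object {
        $parent = $_.lastKnownParent

        # A live lookup fails if the original OU or container is gone.
        $parentExists = $false
        if ($parent) {
            try {
                $null = Get-ADObject -Identity $parent -ErrorAction Stop
                $parentExists = $true
            } catch { }
        }

        [pscustomobject]@{
            Name            = ($_.Name -split "`n")[0]   # drop the DEL:<guid> suffix
            ObjectClass     = $_.ObjectClass
            Deleted         = $_.whenChanged
            LastKnownParent = $parent
            ParentExists    = $parentExists
            # Existing parent: permission on that OU or container is enough.
            # Missing parent: permission must apply to the whole domain.
            RequiredScope   = if ($parentExists) { $parent } else { $domainDn }
        }
      }
}

Get-DeletedObjectRestoreScope -Days 30 |
    Sort-Object Deleted -Descending |
    Format-Table Name, ObjectClass, Deleted, ParentExists, RequiredScope -AutoSize
```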

Apart from restoring deleted directory objects, it is also possible to restore Adaxes configuration objects, such as security roles, property patterns, business units, and scheduled tasks. To delegate the permission to restore Adaxes configuration objects, a security role must be assigned over the Configuration Objects scope.

Using logs to restore objects

You can use Adaxes log records to restore deleted objects. To get access to the logs, you can either use the Logging view in Adaxes Administration console, or reports based on log records.

To restore deleted objects using the Logging view:

  • Launch Adaxes Administration console.

  • Expand your Adaxes service and select Logging.

  • Select Delete in the Filter Operation drop-down list located to the right.

  • Right-click a record for a delete operation and click Restore in the context menu.

Using reports to restore objects

Adaxes provides a number of reports on deleted directory objects, such as Recently deleted users or Recently deleted OUs. You can use the reports to restore deleted objects.

To restore objects using reports in Adaxes Web interface:

  • Click the Reports drop-down located in the header and type Recently deleted in the edit box.

  • Select a report in the list. For example, if you want to restore an accidentally deleted organizational unit, select the Recently deleted OUs report.

  • Generate the selected report.

  • Select the object you want to restore and click Restore.

If necessary, you can disable the Restore Deleted Object operation in a Web interface. For details, see Disable operations on directory objects.

Undo delete

When a user accidentally deletes an object using Adaxes, they can use the Undo Delete option to instantly recover it.

The Undo operation is only available if the user has the permission to restore the deleted object and if the Recycle Bin feature is enabled for the object's domain.

For information on how to protect objects from accidental deletion, see Protect objects from deletion. Both directory objects and Adaxes configuration objects can be protected from accidental deletion.