Deeper troubleshooting, like authoritative restore with NTDSUTIL

blog.payperitem.com, April 3, 2025

Authoritative Restore of Deleted Groups/Users Using NTDSUTIL

If the Active Directory Recycle Bin was not enabled when the object was deleted, recovering deleted users or groups with their attributes intact requires an authoritative restore with ntdsutil. The procedure restores a System State backup taken before the deletion onto one domain controller in Directory Services Restore Mode, then marks the wanted objects as authoritative so that this DC's copy wins during replication and is propagated to every other domain controller instead of being overwritten by the deletion.


⚠️ Pre-Restore Considerations

  1. You need a System State backup of a DC in this domain that was taken before the deletion and is younger than the forest's tombstone lifetime (180 days by default on forests created with Windows Server 2003 SP1 or later, 60 days on older forests); AD DS refuses to restore an older backup.
  2. The DC is restarted into Directory Services Restore Mode (DSRM) and back out again, and does not serve AD DS in between. Do this on one DC only and make sure the remaining DCs keep the domain running.
  3. Once the DC is back online, the restored objects carry a raised version number and replicate to every other DC, overwriting the deletion there.
  4. The restore brings back the object itself, but a restored user's group memberships are back-links held on the groups. ntdsutil writes LDIF files (ar_*_links_*.ldf) that recover memberships in this domain; anything else has to be re-added by hand. The object's SID is preserved, so file and share ACLs that referenced it resolve again.
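Before booting into DSRM it is worth checking the facts the rest of the procedure depends on. The following PowerShell script is an added example, not part of the original post; run it on the DC while AD DS is still online. It reports whether the Recycle Bin makes ntdsutil unnecessary, the tombstone lifetime that bounds how old the backup may be, the original DN you will later pass to restore object, and which wbadmin backup versions fall inside the usable window. The object name DeletedUser, the backup volume D: and the MM/dd/yyyy-HH:mm format of wbadmin's version identifiers are assumptions.

```powershell
# Added example (not from the original post). Run on the DC BEFORE entering DSRM,
# while AD DS is online. Assumed inputs: the deleted object's original RDN and the
# volume that holds the System State backups.
param(
    [string]$DeletedRdn   = 'DeletedUser',   # assumed name of the deleted user/group
    [string]$BackupVolume = 'D:'             # assumed backup target volume
)
Import-Module ActiveDirectory

# 1. Is the simpler path available? With the Recycle Bin on, Restore-ADObject is enough.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($rb.EnabledScopes) {
    Write-Warning 'AD Recycle Bin is enabled: use Restore-ADObject instead of ntdsutil.'
}

# 2. Tombstone lifetime bounds how old a usable backup can be. If the attribute is
#    not set, the forest uses the legacy default of 60 days.
$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties tombstoneLifetime
$tsl    = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
$oldest = (Get-Date).AddDays(-$tsl)

# 3. Find the tombstone. Within the tombstone lifetime the deleted object still exists
#    under CN=Deleted Objects; msDS-LastKnownRDN and lastKnownParent give the ORIGINAL DN,
#    which is what 'restore object' expects (the Deleted Objects DN will not work there).
#    If the same name was deleted more than once, take the most recent tombstone.
$tomb = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$DeletedRdn))" `
            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid |
        Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $tomb) {
    throw "No tombstone for '$DeletedRdn': it is past the tombstone lifetime or never existed."
}
$originalDn = "CN=$DeletedRdn,$($tomb.lastKnownParent)"
$deletedAt  = $tomb.whenChanged    # the tombstone's whenChanged is the time of deletion

# 4. Usable backups: taken before the deletion but not older than the tombstone lifetime.
#    Assumes wbadmin prints 'Version identifier: MM/dd/yyyy-HH:mm' (local time).
$versions = foreach ($line in (wbadmin get versions -backupTarget:$BackupVolume)) {
    if ($line -match 'Version identifier:\s*(\S+)') {
        [pscustomobject]@{
            Id    = $Matches[1]
            Taken = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
        }
    }
}
$usable = $versions | Where-Object { $_.Taken -lt $deletedAt -and $_.Taken -gt $oldest } |
          Sort-Object Taken -Descending

[pscustomobject]@{
    ObjectClass       = $tomb.ObjectClass
    ObjectSid         = [string]$tomb.objectSid   # preserved by the restore, so old ACEs resolve again
    RestoreDn         = $originalDn               # argument for:  restore object "<RestoreDn>"
    DeletedAt         = $deletedAt
    TombstoneLifetime = $tsl
    UsableBackups     = ($usable | ForEach-Object { $_.Id }) -join ', '
}
```

If UsableBackups comes back empty, stop here: a backup taken after the deletion restores nothing, and one older than the tombstone lifetime will be rejected by the replication partners after the reboot.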

Step 1: Boot into Directory Services Restore Mode (DSRM)

  1. Log in to the affected Domain Controller.
  2. Open Run, type msconfig, and press Enter.
  3. Go to the Boot tab → Check Safe boot and select Active Directory repair.
  4. Click OK → Restart the server.
  5. Log in with the DSRM Administrator account (the local .\Administrator, not a domain account). If you do not know the DSRM password, reset it before the reboot, while AD DS is still running; the command prompts for the new password twice:

cmd

ntdsutil "set dsrm password" "reset password on server null" q q

Step 2: Restore System State Backup

  1. Open Windows Server Backup (wbadmin.msc).
  2. Select Recover → Choose the backup date.
  3. Select System State → Restore to Original Location.
  4. Wait for the restore to complete and do not restart when prompted: rebooting now would make this a non-authoritative restore, and the deletion would replicate straight back from the other DCs. If the deletion also removed Group Policy objects, SYSVOL has to be restored authoritatively as well (wbadmin's -authsysvol option).

Or from an elevated command prompt (wbadmin is a command-line tool; take the version identifier from wbadmin get versions below):

powershell

wbadmin start systemstaterecovery -version:<backup-version> -quiet

Find available backup versions:

powershell

wbadmin get versions

Step 3: Perform an Authoritative Restore Using NTDSUTIL

  1. Open an elevated Command Prompt (cmd).
  2. Start ntdsutil:

cmd

ntdsutil

  3. Select the directory instance, then switch to authoritative restore mode (two separate commands at the ntdsutil prompt):

cmd

activate instance ntds
authoritative restore

  4. Mark the deleted user or group as authoritative, using its original distinguished name (not its path under CN=Deleted Objects), and confirm when prompted:

cmd

restore object "CN=DeletedUser,CN=Users,DC=domain,DC=com"

or a whole Organizational Unit (OU):

cmd

restore subtree "OU=DeletedOU,DC=domain,DC=com"

ntdsutil raises the version number of every restored object (by 100000 by default; the optional verinc argument changes that) so this copy wins over the deletion during replication, and writes ar_<timestamp>_links_<domain>.ldf and ar_<timestamp>_objects.txt into the current directory for recovering group memberships in Step 5.
  5. Type quit twice and close the Command Prompt.

Step 4: Reboot and Resynchronize AD

  1. Open Run → msconfig.
  2. Uncheck Safe Boot.
  3. Restart the Domain Controller normally.

Once restarted:

powershell

repadmin /syncall /A /e /P

This pushes the restored, higher-version objects from this DC to every DC in the forest (/A all naming contexts, /e across all sites, /P push from this server).


Step 5: Verify Restored Object and Permissions

  1. Open Active Directory Users and Computers (ADUC).
  2. Search for the restored user or group.
  3. Check its group memberships: import the ar_*_links_*.ldf file(s) ntdsutil generated (with ldifde) and re-add by hand anything still missing.
  4. Verify folder permissions:

powershell

Get-Acl "C:\YourFolder" | Format-List

The restore keeps the object's original SID, so ACEs that referenced the account resolve to its name again once replication has completed. If a folder still shows a raw SID (S-1-5-21-...), that ACE points at an object that was recreated rather than restored, or at something else entirely; in that case reapply the permission for the restored account:

powershell

$Acl = Get-Acl "C:\YourFolder"
$User = "DOMAIN\User"
# The 3-argument constructor would apply to this folder only; ContainerInherit/ObjectInherit
# make the ACE apply to subfolders and files too. Grant only what the user needs ("Modify" is
# usually enough): FullControl also lets them rewrite the ACL.
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($AccessRule)   # replaces any existing rule for $User; use AddAccessRule to keep the old ones
Set-Acl "C:\YourFolder" $Acl
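The checks in this step can be done in one pass. The following PowerShell script is an added example, not part of the original post; run it on the restored DC after it has booted normally and replicated. It confirms the object is back as a live object, imports the link files ntdsutil wrote so group memberships come back, lists memberships that are still missing, and inspects the folder ACL for an entry that resolves to the restored object's SID and for entries that remain unresolved. The DN, the expected group, the folder path and the directory ntdsutil was run from are assumptions.

```powershell
# Added example (not from the original post). Run after the DC is back in normal mode.
# Assumptions: the restored object's DN, the groups it should be in, the folder to check,
# and the directory ntdsutil was run from (it writes ar_*_links_*.ldf there; an elevated
# cmd in DSRM starts in System32).
param(
    [string]  $RestoredDn     = 'CN=DeletedUser,CN=Users,DC=domain,DC=com',
    [string[]]$ExpectedGroups = @('CN=FileShareUsers,OU=Groups,DC=domain,DC=com'),  # assumed
    [string]  $FolderPath     = 'C:\YourFolder',
    [string]  $LdfDir         = "$env:SystemRoot\System32"
)
Import-Module ActiveDirectory

# 1. The object must be back as a live object. Without -IncludeDeletedObjects a tombstone is
#    not returned, so a failure here means the restore did not take or has not replicated yet.
try {
    $obj = Get-ADObject -Identity $RestoredDn -Properties objectSid, memberOf
} catch {
    throw "Object $RestoredDn is not present as a live object: $_"
}

# 2. Restore back-links. ntdsutil restores the object, but memberships are held on the groups;
#    the ar_*_links_*.ldf it generated re-adds them. -k ignores 'already exists' and
#    constraint-violation errors for memberships that survived. Memberships in groups of OTHER
#    domains are not covered here (that needs ar_*_objects.txt processed on a DC in each domain).
Get-ChildItem -Path $LdfDir -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ldifde failed for $($_.Name) (exit $LASTEXITCODE); check ldif.err in $PWD"
    }
}

# 3. Re-read memberships and compare with what is expected; the remainder must be added by hand.
$obj     = Get-ADObject -Identity $RestoredDn -Properties objectSid, memberOf
$sid     = [string]$obj.objectSid
$missing = @($ExpectedGroups | Where-Object { $obj.memberOf -notcontains $_ })

# 4. The restore keeps the original SID, so ACEs for the account resolve again. An ACE still
#    shown as a raw SID points at an object that was recreated instead of restored, or at
#    something unrelated, and must be reapplied or removed.
$acl        = Get-Acl -Path $FolderPath
$unresolved = @($acl.Access | Where-Object { $_.IdentityReference.Value -like 'S-1-*' })
$aceForObj  = @($acl.Access | Where-Object {
    try   { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid }
    catch { $false }
})

[pscustomobject]@{
    RestoredDn     = $RestoredDn
    ObjectSid      = $sid
    MissingGroups  = $missing
    AceForObject   = ($aceForObj.Count -gt 0)
    UnresolvedAces = $unresolved | ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights)" }
}
```

MissingGroups should be empty after the ldf import; if it is not, the membership was held by a group outside this domain or outside the restored subtree, and has to be re-added manually.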

Step 6: Prevent Future Issues

  • Enable the AD Recycle Bin (requires forest functional level Windows Server 2008 R2 or later; it cannot be disabled again):

powershell

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.com"

  • Schedule regular System State backups to a non-system volume, at an interval well inside the tombstone lifetime:

cmd

wbadmin start systemstatebackup -backupTarget:D: -quiet

  • Use Group Policy (Computer Configuration → Windows Settings → Security Settings → File System) to enforce folder permissions instead of manual ACLs, so access can be re-granted consistently if an account ever has to be recreated.
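The three prevention measures above, as an added PowerShell example that is not part of the original post: it enables the Recycle Bin only if it is not already on, registers a daily System State backup as a scheduled task, and shows what a recovery looks like once the Recycle Bin is enabled. The backup volume D:, the 02:00 schedule, the task name and the object name DeletedUser are assumptions, and the forest functional level is assumed to be Windows Server 2008 R2 or later.

```powershell
# Added example (not from the original post). Assumptions: backups go to volume D:,
# the forest functional level is Windows Server 2008 R2 or later, and 'DeletedUser' is
# the name of an object that later needs recovering.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Recycle Bin: a one-way change, so check before enabling. Once on, deleted objects keep
#    their attributes and links for the deleted-object lifetime, and Restore-ADObject brings
#    them back, memberships included, with no DSRM and no backup involved.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 2. Daily System State backup as a scheduled task running as SYSTEM. The target must not be
#    a critical (system) volume; wbadmin refuses that by default.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
                 -Argument 'start systemstatebackup -backupTarget:D: -quiet'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action -Trigger $trigger `
    -Principal $principal -Force

# 3. Recovery once the Recycle Bin is on: find the deleted object by its last known RDN and
#    restore it to its last known parent. If that parent OU was deleted too, restore it first.
Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(msDS-LastKnownRDN=DeletedUser))' -IncludeDeletedObjects |
    Restore-ADObject
```

Keep the backup interval well inside the tombstone lifetime reported by the forest; a System State backup older than that cannot be used for the ntdsutil procedure on this page.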

Final Notes

  • If you restored an entire OU, users inside it may still need group memberships re-added: groups outside the restored subtree hold those links and were not restored.
  • Replication issues? Force a sync again (/d prints server names as distinguished names in the output):

powershell

repadmin /syncall /A /e /d

  • Check the event logs for restore errors: Event Viewer → Applications and Services Logs → Directory Service (ntdsutil and replication), and Microsoft → Windows → Backup (wbadmin).