Authoritative Restore of Deleted Groups/Users Using NTDSUTIL
If Active Directory Recycle Bin is not enabled and you don't have a backup with a simpler restore method, an authoritative restore using ntdsutil is required. This process restores deleted users or groups from an Active Directory System State backup and marks them as authoritative, so the restored copies win over the deletion during replication and are propagated to all domain controllers.
⚠️ Pre-Restore Considerations
- This requires a System State Backup taken before the deletion.
- This will restart the Domain Controller (DC) and requires Directory Services Restore Mode (DSRM).
- Changes will be replicated across the domain once complete.
- Group memberships might be lost for restored users, requiring manual re-assignment.
Step 1: Boot into Directory Services Restore Mode (DSRM)
- Log in to the affected Domain Controller.
- Open Run, type msconfig, and press Enter.
- Go to the Boot tab → Check Safe boot and select Active Directory repair.
- Click OK → Restart the server.
- Log in using the DSRM Administrator account (not a domain account). If unsure, reset the password (each ntdsutil sub-command is quoted so it can be entered on one line):
ntdsutil "set dsrm password" "reset password on server null" q q
Step 2: Restore System State Backup
- Open Windows Server Backup (wbadmin.msc).
- Select Recover → Choose the backup date.
- Select System State → Restore to Original Location.
- Wait for the restore to complete.
If using the command line instead:
wbadmin start systemstaterecovery -version:<backup-version> -quiet
Find available backup versions:
wbadmin get versions
Step 3: Perform an Authoritative Restore Using NTDSUTIL
- Open Command Prompt (cmd).
- Type:
ntdsutil
- Enter the authoritative restore commands, one per line (each is a separate ntdsutil command):
activate instance ntds
authoritative restore
- Restore the specific user or group:
restore object "CN=DeletedUser,CN=Users,DC=domain,DC=com"
OR for a whole Organizational Unit (OU):
restore subtree "OU=DeletedOU,DC=domain,DC=com"
- Type quit twice and close the Command Prompt.
Step 4: Reboot and Resynchronize AD
- Open Run → msconfig.
- Uncheck Safe boot.
- Restart the Domain Controller normally.
Once restarted:
repadmin /syncall /A /e /P
This forces synchronization across all domain controllers.
Step 5: Verify Restored Object and Permissions
- Open Active Directory Users and Computers (ADUC).
- Search for the restored User/Group.
- Check group memberships (they may need re-assignment).
- Verify folder permissions:
Get-Acl "C:\YourFolder" | Format-List
If the folder still shows unknown SIDs, you must manually reapply the permissions:
$Acl = Get-Acl "C:\YourFolder"
$User = "DOMAIN\User"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, "FullControl", "Allow")
$Acl.SetAccessRule($AccessRule)
Set-Acl "C:\YourFolder" $Acl
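The one-line check above only inspects a single folder. The following script is an added example (not part of the original article) that walks a folder tree, reports every explicit ACE whose SID no longer resolves to an account, and replaces only the ACEs carrying one specific orphaned SID with the restored principal. The folder path, the DOMAIN\User name and the orphaned SID are placeholders you must supply.

```powershell
# Added example: find orphaned SIDs left on a folder tree after a user/group
# deletion, and optionally swap one known orphaned SID for the restored account.
# $Path, $RestoredPrincipal and $OrphanSid are placeholders (assumptions).
param(
    [string]$Path = "C:\YourFolder",
    [string]$RestoredPrincipal = "DOMAIN\User",
    # SID of the deleted object as it appears in the ACL, e.g. S-1-5-21-...-1234.
    # Leave empty to only report; set it to perform a targeted replacement.
    [string]$OrphanSid = ""
)

function Test-UnresolvedSid {
    param([System.Security.Principal.IdentityReference]$Id)
    # Get-Acl already returns NTAccount for SIDs Windows could resolve; an
    # IdentityReference that still cannot translate is an orphaned SID.
    if ($Id -is [System.Security.Principal.NTAccount]) { return $false }
    try { [void]$Id.Translate([System.Security.Principal.NTAccount]); return $false }
    catch { return $true }
}

$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Only explicit ACEs: inherited ones are repaired where they originate.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-UnresolvedSid $_.IdentityReference) })
    $changed = $false
    foreach ($ace in $orphans) {
        "{0}: unresolved SID {1} ({2}, {3})" -f $item.FullName,
            $ace.IdentityReference.Value, $ace.FileSystemRights, $ace.AccessControlType
        # Replace only the SID you have positively tied to the restored object;
        # other orphaned SIDs may belong to unrelated, legitimately removed accounts.
        if ($OrphanSid -and $ace.IdentityReference.Value -eq $OrphanSid) {
            $acl.RemoveAccessRuleSpecific($ace)
            $new = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $RestoredPrincipal, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($new)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it first without -OrphanSid to get the report; an object restored with ntdsutil keeps its original objectSid, so persistent unresolved SIDs after Step 4 usually mean the restore or replication is incomplete rather than that the ACLs need rewriting.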
Step 6: Prevent Future Issues
- Enable AD Recycle Bin:
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.com"
- Schedule regular System State Backups:
wbadmin start backup -backupTarget:D: -include:systemstate -quiet
- Use Group Policy to enforce folder permissions instead of manual ACLs.
Final Notes
- If you restored an entire OU, you may need to manually re-add group memberships.
- Replication issues? Force sync with:
repadmin /syncall /A /e /d
- Check event logs for restore errors: Event Viewer → Directory Service Logs.