Recovering deleted groups and users on folder permissions in Active Directory

blog.payperitem.com,

Step 1: Check for Recent Backups

  • If you have Active Directory backups (using Windows Server Backup or a third-party tool like Veeam), restoring from backup may be the fastest way.
  • If using VM snapshots, you can revert AD to a previous state.

Step 2: Restore Deleted Users/Groups from AD Recycle Bin

If the Active Directory Recycle Bin is enabled, you can restore deleted users and groups.

Using Active Directory Administrative Center (GUI)

  1. Open Active Directory Administrative Center (dsac.exe).
  2. Navigate to Deleted Objects.
  3. Find the deleted user/group.
  4. Right-click and select Restore or Restore to.

Using PowerShell

powershell

Get-ADObject -Filter 'isDeleted -eq $True' -IncludeDeletedObjects | Format-Table Name, DistinguishedName

To restore a specific object:

powershell

Restore-ADObject -Identity "CN=DeletedUser,CN=Deleted Objects,DC=domain,DC=com"

If the Recycle Bin was not enabled, you’ll need to use authoritative restore (NTDSUTIL) or a backup.

Step 3: Check Folder Permissions (NTFS & Share)

Once the user or group is restored, check if their permissions were retained.

  1. Check the ACL on the folder:
    • Right-click the folder → Properties → Security tab → Advanced.
    • Look for Unknown Account (S-1-5-21-xxxxx), which means the original user/group was deleted.
    • If the user/group was restored, reapply permissions manually.
  2. Use PowerShell to list folder permissions:
powershell

Get-Acl "C:\YourFolder" | Format-List
  1. Reapply permissions if missing:
powershell$Acl = Get-Acl "C:\YourFolder"
$User = "DOMAIN\User"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($User, "FullControl", "Allow")
$Acl.SetAccessRule($AccessRule)
Set-Acl "C:\YourFolder" $Acl

Step 4: Restore from Backup (If Needed)

If the NTFS permissions were lost and not recoverable:

  • Restore folder permissions using a backup (e.g., Veeam, Windows Server Backup, or Shadow Copies).
  • If using Group Policy, ensure any group-based access control settings are reapplied.

Step 5: Check Event Logs

  • Open Event ViewerSecurity logs.
  • Look for Event ID 4726 (User Deletion) or Event ID 4729 (Group Deletion) to confirm what happened.
  • This can help you track down when and who deleted the object.

Step 6: Prevent Future Issues

  • Enable AD Recycle Bin if it’s not enabled (Enable-ADOptionalFeature).
  • Regularly back up Active Directory using System State backups.
  • Use Group Policy to enforce permissions instead of direct ACLs.
  • Implement audit logging to track changes in AD.

Active Directory Server 2025 Windows

Related Posts

Top Picks for Web Apps + AD + 2FA

🛡️ 1. Keycloak — Best All-Around Option 🔧 Example: You can run Keycloak as an identity provider (IdP), connect it to AD via LDAP, and use it as the login portal for all your web apps (e.g., Grafana, Jenkins, GitLab, custom apps using OIDC or SAML). 🔐 2. Authelia —…

Read More

Design and deploy AWS Managed Microsoft AD and AD Connector to meet enterprise authentication and authorization requirements

Designing and deploying AWS Managed Microsoft AD and AD Connector involves understanding their roles in extending or integrating with your on-premises Active Directory, and selecting the right solution based on use case, security, performance, and manageability. 🔧 SCENARIO OVERVIEW You need to provide enterprise-grade authentication and authorization across AWS resources…

Read More