What's wrong with this command???


  • I am trying to restore an object and can find it, but it won't restore! If I search by name or display name I get a similar error in the first place, but with samaccountname I can locate it but can't restore it. I tried the LDAP method and got a different kind of error there too.

    PS C:\Users\administrator.domain> Get-ADObject -Filter {samaccountname -eq
    "XenTmplt$"} -IncludeDeletedObjects

    Deleted           : True
    DistinguishedName : CN=XENTMPLT\0ADEL:e51eef47-02ba-40c7-acb9-fea3f9a0af7b,CN=D
                        eleted Objects,DC=domain,DC=local
    Name              : XENTMPLT
    ObjectClass       : computer
    ObjectGUID        : e51eef47-02ba-40c7-acb9-fea3f9a0af7b


    PS C:\Users\administrator.domain> Get-ADObject -Filter {samaccountname -eq
    "XenTmplt$"} -IncludeDeletedObjects | Restore-ADObject
    Restore-ADObject : Illegal modify operation. Some aspect of the modification is
     not permitted
    At line:1 char:96
    + Get-ADObject -Filter {samaccountname -eq "XenTmplt$"} -IncludeDeletedObjects
    | Restore-ADObject <<<<
        + CategoryInfo          : InvalidOperation: (CN=XENTMPLT\0AD...lacorp,DC=l
       ocal:ADObject) [Restore-ADObject], ADIllegalModifyOperationException
        + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.

    Thursday, June 21, 2012 4:18 PM


All replies

  • Hi,

    have you enabled the Active Directory trash?

    regards Thomas Paetzold visit my blog on:

    Thursday, June 21, 2012 7:21 PM
  • Is it possible there is another object with the same cn in the lastKnownParent, or with the same sAMAccountName anywhere in the domain?

    Richard Mueller - MVP Directory Services

    Thursday, June 21, 2012 9:22 PM
  • Hi,

    I would like to know whether you have enabled the AD Recycle Bin.

    The blog below talks about this. Please go through it and you will find the proper way to restore deleted objects:

    The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

    Hope this helps.


    Yan Li



    TechNet Community Support

    Friday, June 22, 2012 5:25 AM
  • So again...

    get-adobject -filter 'samaccountname -like "user*"' -IncludeDeletedObjects | Restore-ADObject

    should work, but it doesn't.

    I assume the Recycle Bin is on. (How do you tell?) If it's not on, turning it on isn't going to help...

    Why does this happen?

    Restore-ADObject : Illegal modify operation. Some aspect of the modification is
     not permitted
    At line:1 char:93
    + get-adobject -filter 'samaccountname -eq "user"' -IncludeDeletedObjects | R
    estore-ADObject <<<<
        + CategoryInfo          : InvalidOperation: (CN=user\,DC=domain:ADObject) [Restore-ADObject], ADIllegalModifyOperationException
        + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.

    Friday, August 02, 2013 1:35 AM
  • Hello, 

    You don't need recyclebin enabled in your domain in order to restore an object in Active Directory via PowerShell.

    Get-ADObject -Filter 'samaccountname -like "user*"' -IncludeDeletedObjects -Properties LastKnownParent | ForEach-Object { Restore-ADObject $_ -NewName $_.Name -TargetPath $_.LastKnownParent }

    The "Illegal modify operation." error occurs because the '-NewName' parameter is not specified.

    But if the Recycle Bin is off, the user account that has been restored is only a member of the "Domain Users" group and has lost the attributes that existed before it was deleted (drive, town, name, ...).

    The good news is that your account has kept its original SID ...


    Matthew BETTON

    Friday, October 04, 2013 10:13 AM
  • Put the samAccountName in single quotes so it's not trying to interpret the dollar sign.
    Tuesday, October 07, 2014 6:19 PM
  • Ordinarily, "$" characters in double quoted strings in PowerShell are resolved. For example, if $Var = "Something", then "Value is $Var" is resolved into "Value is Something". But the exception is trailing "$" characters in a string (where the last character in the string is "$"). Then the "$" is not resolved into anything (like a null or blank). The character remains literally.

    Richard Mueller - MVP Directory Services

    Tuesday, October 07, 2014 7:35 PM
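
An added example (not code from any poster in this thread) that combines the checks raised in the replies: whether the Recycle Bin is enabled, whether a live object already uses the same sAMAccountName or the same name in lastKnownParent, and a restore that passes -NewName and -TargetPath explicitly. The function name `Restore-DeletedAccount` and the character-set restriction on the parameter are assumptions, and it must run against a domain with the ActiveDirectory module available.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and permission to read and reanimate objects under CN=Deleted Objects.
Import-Module ActiveDirectory

function Restore-DeletedAccount {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: a conservative character set, so the value is safe in a filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[\w.$-]+$')]
        [string]$SamAccountName
    )

    # "How do you tell?": the Recycle Bin is on when EnabledScopes is not empty.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    Write-Verbose "Recycle Bin enabled: $([bool]$feature.EnabledScopes)"

    # One query returns live and deleted matches; lastKnownParent must be requested.
    $all = @(Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
            -IncludeDeletedObjects -Properties lastKnownParent)
    $live    = @($all | Where-Object { -not $_.Deleted })
    $deleted = @($all | Where-Object { $_.Deleted })

    if ($live.Count -gt 0)    { throw "sAMAccountName already in use by $($live[0].DistinguishedName)" }
    if ($deleted.Count -ne 1) { throw "Expected one deleted match, found $($deleted.Count)" }
    $obj = $deleted[0]

    # The deleted RDN carries a "<LF>DEL:<guid>" suffix (the \0ADEL: in the DN); drop it.
    $rdn = ($obj.Name -split "`n")[0]

    # Same-name check in the original container, compared client-side to avoid
    # building a second filter string from directory data.
    $clash = Get-ADObject -SearchBase $obj.lastKnownParent -SearchScope OneLevel -Filter * |
        Where-Object { $_.Name -eq $rdn }
    if ($clash) { throw "An object named '$rdn' already exists in $($obj.lastKnownParent)" }

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore to $($obj.lastKnownParent)")) {
        Restore-ADObject -Identity $obj -NewName $rdn -TargetPath $obj.lastKnownParent -PassThru
    }
}

# Single quotes keep the trailing $ literal; -WhatIf previews without changing anything.
Restore-DeletedAccount -SamAccountName 'XenTmplt$' -WhatIf -Verbose
```

Remove `-WhatIf` once the preview shows the intended object and target container.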