Recover a deleted AD account w/o having a system state backup

I accidentally deleted a user account while trying to delete another. I see items that say you can use ntdsutil to recover; however, I am having trouble doing so. Additionally, I do not have a system state backup, as we relied on our tape backups for this... just found out that the backup group quit doing these backups about a month ago...

How can I recover this account gracefully? I have looked at:

but don't think this will work... any thoughts?
Brian Pierce (Photographer) commented:
Why not just recreate the account? You can reattach a mailbox (if any).
Re-create the account in ADUC but DON'T add a mailbox. Open Exchange System Manager and go to the mailbox store that contains the mailbox. If the mailbox is not already marked as disconnected, right-click the Mailboxes object and click Cleanup Agent. Then right-click the disconnected mailbox, click Reconnect, and select the appropriate user from the dialog box that appears.
tgrizzel (Author) commented:
I would really like to get the mailbox and all attributes back... what you are suggesting I have thought about as a last resort (we are on Exchange 2007 though, but I have already found his mailbox here).

Still, I am looking to use the ldp.exe tool at this point; however, I am running into an issue at the very end of the "restore". I am following the info below, but I never get a user restored before step 10; rather, I receive an error... still trying at this point.

How to manually undelete objects in a deleted object's container
To manually undelete objects in a deleted object's container, follow these steps:
1. Click Start, click Run, and then type ldp.exe.

Note If the Ldp utility is not installed, install the support tools from the Windows Server 2003 installation CD.
2. Use the Connection menu in Ldp to perform the connect operations and the bind operations to a Windows Server 2003 domain controller.

Specify domain administrator credentials during the bind operation.
3. On the Options menu, click Controls.
4. In the Load Predefined list, click Return Deleted Objects.

Note The 1.2.840.113556.1.4.417 control moves to the Active Controls window.
5. Under Control Type, click Server, and then click OK.
6. On the View menu, click Tree, type the distinguished name path of the deleted objects container in the domain where the deletion occurred, and then click OK.

Note The distinguished name path is also known as the DN path. For example, if the deletion occurred in the domain, the DN path would be the following path:
cn=deleted Objects,dc=contoso,dc=com
7. In the left pane of the window, double click the Deleted Object Container.

Note As the result of an LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use ntdsutil and set the maximum number by using maxpagesize to get the search results.
8. Double-click the object that you want to undelete or to reanimate.  
9. Right-click the object that you want to reanimate, and then click Modify.

Change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:
a.  In the Edit Entry Attribute box, type isDeleted.

Leave the Value box blank.
b.  Click the Delete option button, and then click Enter to make the first of two entries in the Entry List dialog.

Important Do not click Run.
c.  In the Attribute box, type distinguishedName.
d.  In the Values box, type the new DN path of the reanimated object.

For example, to reanimate the JohnDoe user account to the Mayberry OU, use the following DN path:
Note If you want to reanimate a deleted object to its original container, append the value of the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.
e.  In the Operation box, click REPLACE.
f.  Click ENTER.
g.  Click to select the Synchronous check box.
h.  Click to select the Extended check box.
i.  Click RUN.
10. After you reanimate the objects, click Controls on the Options menu, click the Check Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.
11. Reset user account passwords, profiles, home directories and group memberships for the deleted users.

When the object was deleted, all the attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.
12. Enable the reanimated account in Active Directory Users and Computers.

Note The reanimated object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The first release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups. Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
13. Remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.

Note The reanimation of deleted objects is supported when the deletion occurs on a Windows Server 2003 domain controller. The reanimation of deleted objects is not supported when the deletion occurs on a Windows 2000 domain controller that is subsequently upgraded to Windows Server 2003.

Note If the deletion occurs on a Windows 2000 domain controller in the domain, the lastParentOf attribute is not populated on Windows Server 2003 domain controllers.
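The same reanimation done from PowerShell, as an added example that is not part of the original thread or of the KB article it quotes: it uses System.DirectoryServices.Protocols to run the search from steps 6 to 8 and the single LDAP modify from step 9 (delete isDeleted, replace distinguishedName), with the 1.2.840.113556.1.4.417 control attached to both requests, which is what loading "Return Deleted Objects" as a server control in ldp does. The DC name, the domain DN and the sAMAccountName are assumptions and must be replaced.

```powershell
# Added example (not from the thread or the KB article): reanimate a tombstoned user
# with one LDAP modify, the same operation the ldp.exe steps above perform.
# Assumptions: dc01.contoso.com is a writable Windows Server 2003 (or later) DC,
# dc=contoso,dc=com is the domain, and 'jdoe' is the sAMAccountName of the deleted user.
# Run as a Domain Admin (or an account holding the "Reanimate Tombstones" control access right).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = 'dc01.contoso.com'   # assumption
$domainDn = 'dc=contoso,dc=com'  # assumption
$sam      = 'jdoe'               # assumption

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()                     # binds with the current user's credentials

# "Return Deleted Objects" in ldp is the 1.2.840.113556.1.4.417 control.
# It has to be sent with the search AND with the modify, or the DC will not see the tombstone.
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

# Steps 6-8: locate the tombstone. Filtering on sAMAccountName (which tombstones keep)
# avoids the 1000-object MaxPageSize limit the KB note warns about.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest
$search.DistinguishedName = "cn=Deleted Objects,$domainDn"
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$sam))"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$search.Attributes.AddRange([string[]]@('cn', 'lastKnownParent', 'objectSid'))
[void]$search.Controls.Add($showDeleted)

$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $sam, found $($result.Entries.Count)"
}
$tombstone = $result.Entries[0]
$oldDn = $tombstone.DistinguishedName

# A tombstone's cn is "<original cn>" + LF + "DEL:<objectGUID>". Keep the original part and
# put the object back under lastKnownParent, as the KB note under step 9d describes.
# (RDN characters that need escaping, such as a comma in the CN, are not handled here.)
$originalCn = ([string]$tombstone.Attributes['cn'].GetValues([string])[0]).Split("`n")[0]
$parent     = [string]$tombstone.Attributes['lastKnownParent'].GetValues([string])[0]
$newDn      = "CN=$originalCn,$parent"

# Step 9: one modify request carrying both changes, in this order.
$clearIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$clearIsDeleted.Name = 'isDeleted'
$clearIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$setDn.Add($newDn)

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest($oldDn)
[void]$modify.Modifications.Add($clearIsDeleted)
[void]$modify.Modifications.Add($setDn)
[void]$modify.Controls.Add($showDeleted)
[void]$conn.SendRequest($modify)   # throws a DirectoryOperationException on failure

Write-Host "Reanimated '$oldDn' as '$newDn'"
Write-Host "Still to do (KB steps 11-13): set a password, re-add group memberships, enable the account, reconnect the mailbox."
```

Steps 11 to 13 of the KB text still apply after the script runs, because the tombstone only kept the SID, objectGUID, lastKnownParent and sAMAccountName: the password, group memberships and the enabled flag have to be set again. On Exchange 2007, the mailbox reconnection from step 13 is done in the Exchange Management Shell with Clean-MailboxDatabase (to mark the mailbox disconnected) followed by Connect-Mailbox rather than through Exchange System Manager.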
Brian Pierce (Photographer) commented:
The method I suggested is the recommended option - and much simpler than what you describe
tgrizzel (Author) commented:
Wow, amazingly I got this to work... I still need to add him back to his groups, however all of the other metadata should be the same....

Thanks anyway.

The LDP suggestion posted above is the fourth method directly from the MS KB article. However, depending on the User Object's security levels, it may not show up in the Deleted Objects container.
The first three methods in the KB article require that a GC be located that has not been replicated and that the admin disable replication via repadmin. However, every good admin ensures that DCs are replicated quickly (especially irrelevant with Access/Security settings) because these changes are replicated immediately by MS design. I'm thinking about standing up a DC and setting the replication schedule to only every 24 hours, or automating a NIC disable; perhaps then I can use the MS KB.