Recover a deleted AD account w/o having a system state backup

Posted on 2008-11-05
Last Modified: 2012-05-05
I accidentally deleted a user account while trying to delete another. I see items that say you can use ntdsutil to recover, however I am having trouble doing so. Additionally I do not have a system state backup, as we relied on our tape backups for this... just found out that the backup group quit doing these backups about a month ago...

How can I recover this account gracefully? - I have looked at:

but don't think this will work... any thoughts?
Question by: tgrizzel

    Expert Comment

    Why not just recreate the account - you can reattach a mailbox (if any).
    Re-create the account in ADUC but DON'T add a mailbox. Open Exchange System Manager, go to the mailbox store that contains the mailbox. If the mailbox is not already marked as disconnected, right-click the Mailboxes object, and click Cleanup Agent. Then right-click the disconnected mailbox, click Reconnect, and then select the appropriate user from the dialog box that appears.

    Author Comment

    I would really like to get the mailbox and all attributes back... what you are suggesting I have thought about as a last resort (we are on Exchange 2007 though, but I have already found his mailbox here).

    Still I am looking to use the ldp.exe tool at this point, however I am running into an issue at the very end of the "restore". I am following the info below, however I never get a user restored before step 10, rather I receive an error... still trying at this point.

    How to manually undelete objects in a deleted object's container
    To manually undelete objects in a deleted object's container, follow these steps:
    1. Click Start, click Run, and then type ldp.exe.

    Note If the Ldp utility is not installed, install the support tools from the Windows Server 2003 installation CD.
    2. Use the Connection menu in Ldp to perform the connect operations and the bind operations to a Windows Server 2003 domain controller.

    Specify domain administrator credentials during the bind operation.
    3. On the Options menu, click Controls.
    4. In the Load Predefined list, click Return Deleted Objects.

    Note The 1.2.840.113556.1.4.417 control moves to the Active Controls window.
    5. Under Control Type, click Server, and then click OK.
    6. On the View menu, click Tree, type the distinguished name path of the deleted objects container in the domain where the deletion occurred, and then click OK.

    Note The distinguished name path is also known as the DN path. For example, if the deletion occurred in the domain, the DN path would be the following path:
    cn=deleted Objects,dc=contoso,dc=com
    7. In the left pane of the window, double click the Deleted Object Container.

    Note As a search result of an LDAP query, only 1000 objects are returned by default. For example, if more than 1000 objects exist in the Deleted Objects container, not all objects appear in this container. If your target object does not appear, use ntdsutil, and then set the maximum number by using maxpagesize to get the search results.
    8. Double-click the object that you want to undelete or to reanimate.
    9. Right-click the object that you want to reanimate, and then click Modify.

    Change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:
    a.  In the Edit Entry Attribute box, type isDeleted.

    Leave the Value box blank.
    b.  Click the Delete option button, and then click Enter to make the first of two entries in the Entry List dialog.

    Important Do not click Run.
    c.  In the Attribute box, type distinguishedName.
    d.  In the Values box, type the new DN path of the reanimated object.

    For example, to reanimate the JohnDoe user account to the Mayberry OU, use the following DN path:
    Note If you want to reanimate a deleted object to its original container, append the value of the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.
    e.  In the Operation box, click REPLACE.
    f.  Click ENTER.
    g.  Click to select the Synchronous check box.
    h.  Click to select the Extended check box.
    i.  Click RUN.
    10. After you reanimate the objects, click Controls on the Options menu, click the Check Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.
    11. Reset user account passwords, profiles, home directories and group memberships for the deleted users.

    When the object was deleted, all the attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.
    12. Enable the reanimated account in Active Directory Users and Computers.

    Note The reanimated object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The first release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups. Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
    13. Remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.

    Note The reanimation of deleted objects is supported when the deletion occurs on a Windows Server 2003 domain controller. The reanimation of deleted objects is not supported when the deletion occurs on a Windows 2000 domain controller that is subsequently upgraded to Windows Server 2003.

    Note If the deletion occurs on a Windows 2000 domain controller in the domain, the lastParentOf attribute is not populated on Windows Server 2003 domain controllers.
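    The LDP steps quoted above, scripted as an added example (not from the thread, the KB article, or Microsoft): it locates the tombstone with the Show Deleted control and sends the isDeleted delete and the distinguishedName replace as one LDAP modify through System.DirectoryServices.Protocols. DC01.contoso.com, jdoe and the domain DN are assumed placeholders.

```powershell
# Added example (not from the thread or the KB): the LDP reanimation steps, driven from
# PowerShell via System.DirectoryServices.Protocols. Server, account and domain are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = 'System.DirectoryServices.Protocols'

function Find-Tombstone {
    param($Conn, [string]$SamAccountName, [string]$DomainDn)
    # sAMAccountName survives deletion, so the tombstone can be found by it; tombstones are
    # only returned when the 1.2.840.113556.1.4.417 (Show Deleted) control is attached.
    $search = New-Object "$ns.SearchRequest" -ArgumentList @(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('lastKnownParent', 'objectSid'))
    $search.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null
    $resp = $Conn.SendRequest($search)
    if ($resp.Entries.Count -ne 1) { throw "Expected one tombstone, found $($resp.Entries.Count)" }
    return $resp.Entries[0]
}

function Restore-Tombstone {
    param($Conn, $Entry)
    # Original DN = tombstone RDN without its "\0ADEL:<guid>" suffix + lastKnownParent,
    # as the KB note describes for restoring into the original container.
    $rdn   = $Entry.DistinguishedName -replace ',CN=Deleted Objects,.*$', ''
    $cn    = $rdn -replace '(\\0A|\n)DEL:.*$', ''
    $newDn = "$cn,$([string]$Entry.Attributes['lastKnownParent'][0])"

    $delIsDeleted = New-Object "$ns.DirectoryAttributeModification"
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object "$ns.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    # Both changes travel in ONE modify request (steps 9a-9i); the DC rejects them sent apart.
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($delIsDeleted, $setDn)
    $mod  = New-Object "$ns.ModifyRequest" -ArgumentList $Entry.DistinguishedName, $mods
    $mod.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null
    $Conn.SendRequest($mod) | Out-Null
    return $newDn
}

# Bind as an account holding the "Reanimate Tombstones" right (Domain Admins by default).
$conn = New-Object "$ns.LdapConnection" -ArgumentList 'DC01.contoso.com'    # hypothetical DC
$conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true  # sign and seal
$conn.Bind()
$tomb = Find-Tombstone -Conn $conn -SamAccountName 'jdoe' -DomainDn 'DC=contoso,DC=com'
"Restored to $(Restore-Tombstone -Conn $conn -Entry $tomb); now redo password and groups (step 11)."
```

    Like the manual procedure, this brings back only what the tombstone kept (SID, objectGUID, lastKnownParent, sAMAccountName), so steps 11 to 13 above still apply afterwards.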

    Expert Comment

    The method I suggested is the recommended option - and much simpler than what you describe.

    Accepted Solution

    Wow, amazingly I got this to work... I still need to add him back to his groups, however all of the other metadata should be the same....

    Thanks anyway.

    Expert Comment

    The LDP suggestion posted above is the fourth method directly from the MS KB article. However, depending on the User Object's security levels, it may not show up in the Deleted Objects container.
    The other first three methods in the KB article require that a GC is located that has not been replicated and that the admin disable replication via repadmin. However, every good admin ensures that DCs are replicated quickly (especially irrelevant with Access/Security settings) because these changes are replicated immediately by MS design. I'm thinking about standing up a DC and setting the replication schedule to only every 24 hours or automating a NIC disable; perhaps then I can use the MS KB.
