  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1466

HELP!!! Need to find tombstoned AD user objects!

Hi, I am in desperate need of help.  I have some AD user accounts that were accidentally deleted and need to find out which ones are deleted so I can restore them.  I am guessing about 15 - 20 accounts are missing, but don't know for sure.

I have Server 2008 R2 as a DC and several Server 2003 R2 & non-R2 DCs too.

I know I will kick myself later but I am having a hard time remembering.  Of course, it doesn't help that I have never had to do this before now.

HELP, HELP HELP.

Thanks in advance.

0
rsnellman
Asked:
6 Solutions
 
chuck-williamsCommented:
http://technet.microsoft.com/en-us/library/cc978013.aspx

I have never done it but this seems correct.
0
 
Mike KlineCommented:
You can use a tool like adrestore  http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx

There is also a GUI version called adrestore.net

You can also use LDP to view the deleted objects  http://support.microsoft.com/kb/258310

adfind by Joe Richards can also do this (I can give you examples of that if you want)

Is your forest functional level at 2008 R2...just wondering if you have the AD recycle bin on...if you do this will be a much easier situation

Thanks

Mike
0
 
rsnellmanIT ManagerAuthor Commented:
Ok, once I have found the list of missing (deleted) user accounts, how can I restore them as if they were never deleted?  Or when restoring them they will need to be reconnected somehow, so they have access to all the shared folders, etc. they did before?
0
 
rsnellmanIT ManagerAuthor Commented:
No, my forest level is not at 2008 R2.  I wish it was now.  

I need a quick and easy as possible way to restore these accounts.  I have 39 in all.

0
 
chuck-williamsCommented:
Your best bet is a system restore backup ... is this the only domain controller?
0
 
chuck-williamsCommented:
Sorry doing too much at once ... try suggestions found here:
http://www.petri.co.il/recovering-deleted-items-active-directory.htm
0
 
rsnellmanIT ManagerAuthor Commented:
No, it is not.  But will that reanimate them as if they were never deleted?  I would hate to run into permission problems with shared folders on the file server, etc.
0
 
rsnellmanIT ManagerAuthor Commented:
We have Symantec Backup Exec.  Not sure if that will do what I am hoping for.
0
 
rsnellmanIT ManagerAuthor Commented:
OK, I have the accounts restored, but they do not have the correct memberships of groups they used to belong to, nor do the mapped drives exist on their accounts either.  Will I need to do these manually?  Or does it take a few moments for them to be restored too?
0
 
chuck-williamsCommented:
I believe those are lost. You will have to redo them. The only way to avoid this would be to do an authoritative restore.
0
 
Mike KlineCommented:
If you have the system state and you know what was deleted you can go through the authoritative restore process.  Not sure what the Symantec product will give you.  I think backup exec 2010 will also do an easy restore.
0
 
rsnellmanIT ManagerAuthor Commented:
How do you do an authoritative restore?  It is probably too late to do it now the accounts are restored, but just for future reference.

Thanks.
0
 
rsnellmanIT ManagerAuthor Commented:
If the accounts still have permissions on the shared folders this restore I did with ADRestore.net tool will reconnect that, right?
0
 
chuck-williamsCommented:
http://technet.microsoft.com/en-us/library/cc816878(WS.10).aspx

Yea only on the folders that they had direct rights to or access via domain users or authenticated users. If you had a group called finance assigned to the share and they were in that group, you would have to add them to that group again.
0
 
NavdeepCommented:
Hi,

Have you tried following the articles that I had provided you? Since if you don't know the location you need to find it manually before doing an authoritative restore of specific user accounts.

I haven't tried it myself, but what you can do is create a test user, give it some file permissions, delete it, and then restore it and find out if it restores the file permissions.
0
 
rsnellmanIT ManagerAuthor Commented:
I noticed that all the accounts when restored are displaying disabled.  Is this normal?
0
 
rsnellmanIT ManagerAuthor Commented:
Also, what about their Exchange mailbox?  Will they reconnect automatically or will I need to reconnect them manually via Exchange Manager?
0
 
rsnellmanIT ManagerAuthor Commented:
ADRestore.net tool restored them to the correct OU, but did not restore the Member Of, Account info, like username & @domain.com & Profile mapped drives.

If I have them restored is it too late to attempt an authoritative restore now?
0
 
rsnellmanIT ManagerAuthor Commented:
It left everything in the General tab blank, no First Name or Last Name or Display Name, etc.
0
 
Mike KlineCommented:
You can still restore them from your system state and mark them as authoritative; by the way this is the big difference with the recycle bin (all attributes get restored)

0
 
chuck-williamsCommented:
It's not too late for an authoritative restore. It just says that the AD database that is running on the restored server will be what the other databases replicate off of.
0
 
rsnellmanIT ManagerAuthor Commented:
You talking about the AD recycle bin?

Restoring them with the System State, marked as authoritative from my Symantec Backup Exec backup should do the trick and not mess up the accounts as they are already restored?
0
 
chuck-williamsCommented:
System state will overwrite anything that's done on that domain controller. The other servers will sync to match that server.
0
 
NavdeepCommented:
See, in your case you don't know the location of the user objects, and if you do a full auth restore then whatever changes you have will be lost. So be on the safe side.

Create a recovery server and restore the system state backup there, find out the correct path, and then restore.

I know it's the long way...
0
 
chuck-williamsCommented:
As v-2nas was saying. If you do a full auth restore, let's say from Friday, then AD will be at the state it was at the backup on Friday. If you are the only admin and are sure there have been little to no changes, and can accept losing what few changes have been made, then just do the full restore. But if you are unsure then you will have to do it the long way.
0
 
Mike KlineCommented:
System state will not override everything.  You first do the restore and mark only those deleted accounts as authoritative.  Those will not get overwritten.
0
 
rsnellmanIT ManagerAuthor Commented:
I was going to do a system state restore of the AD individual deleted accounts.

How do you go about making sure it is authoritative restore?
0
 
chuck-williamsCommented:
0
 
rsnellmanIT ManagerAuthor Commented:
OK, Thanks to all the immediate help.  You all are the best and gurus in my book.

I ended up using a little of everything that was mentioned, from ldp.exe to verify the deleted accounts, ADRestore.net to reanimate the deleted accounts and a backup restore to get the accounts' links (permissions, mapped drives, etc.) back.  Then all I needed to do was reset each user account's password.  I did have issues with 2 of the nearly 40 accounts, but nothing that I couldn't fix by deleting the accounts and recreating them, then reconnecting their Exchange mailboxes too.

Thanks again to all.
0
Question has a verified solution.
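
The thread's sticking point was knowing which accounts were deleted and where they used to live before marking them authoritative. The following is an added example, not code from any poster: it lists user tombstones and rebuilds each original DN from the tombstone DN and `lastKnownParent`. It assumes the ActiveDirectory PowerShell module on the 2008 R2 DC; the function names and the 7-day window are hypothetical.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module
# (Server 2008 R2 or RSAT) and rights to read CN=Deleted Objects.
Import-Module ActiveDirectory

# Rebuild the pre-deletion DN from a tombstone's mangled DN and lastKnownParent.
function Get-OriginalDN {
    param(
        [Parameter(Mandatory = $true)][string]$TombstoneDN,
        [Parameter(Mandatory = $true)][string]$LastKnownParent
    )
    # Deletion renames the object to "<old RDN>\0ADEL:<objectGUID>" and moves it
    # to CN=Deleted Objects; everything before the marker is the old RDN.
    $marker = $TombstoneDN.IndexOf('\0ADEL:')
    if ($marker -lt 0) { throw "Not a tombstone DN: $TombstoneDN" }
    '{0},{1}' -f $TombstoneDN.Substring(0, $marker), $LastKnownParent
}

# List user tombstones whose last change (the deletion) is newer than $Since.
function Get-DeletedUserReport {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed look-back window

    Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -Properties lastKnownParent, sAMAccountName, whenChanged |
      # Computer accounts also carry objectClass "user"; drop names ending in $.
      Where-Object { $_.whenChanged -ge $Since -and $_.sAMAccountName -notlike '*$' } |
      ForEach-Object {
        $dn = Get-OriginalDN $_.DistinguishedName $_.lastKnownParent
        New-Object PSObject -Property @{
            SamAccountName = $_.sAMAccountName
            DeletedAt      = $_.whenChanged
            OriginalDN     = $dn
            # Line to type at the ntdsutil "authoritative restore" prompt in DSRM
            NtdsutilLine   = 'restore object "{0}"' -f $dn
        }
      }
}

Get-DeletedUserReport | Sort-Object DeletedAt |
    Format-Table SamAccountName, DeletedAt, OriginalDN -AutoSize

# Constructed sample (placeholder GUID and domain); runs without a directory:
Get-OriginalDN 'CN=Jane Doe\0ADEL:00000000-0000-0000-0000-000000000000,CN=Deleted Objects,DC=example,DC=com' 'OU=Staff,DC=example,DC=com'
```

If the parent OU was deleted as well, `lastKnownParent` is itself a tombstone DN and has to be resolved the same way before the rebuilt path is usable.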
