
HELP!!!  Need to find tombstoned AD user objects!

Posted on 2011-02-22
Last Modified: 2012-06-21
Hi, I am in desperate need of help. I have some AD user accounts that were accidentally deleted and need to find out which ones are deleted so I can restore them. I am guessing about 15-20 accounts are missing, but I don't know for sure.

I have Server 2008 R2 as a DC and several Server 2003 R2 & non-R2 DCs too.

I know I will kick myself later, but I am having a hard time remembering. Of course, it doesn't help that I have never had to do this before now.

HELP, HELP HELP.

Thanks in advance.

Question by:rsnellman
30 Comments
 
Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
http://technet.microsoft.com/en-us/library/cc978013.aspx

I have never done it, but this seems correct.
 
Accepted Solution

by:Navdeep
Navdeep earned 250 total points
 
Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
You can use a tool like adrestore: http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx

There is also a GUI version called adrestore.net.

You can also use LDP to view the deleted objects: http://support.microsoft.com/kb/258310

adfind by Joe Richards can also do this (I can give you examples of that if you want).

Is your forest functional level at 2008 R2? Just wondering if you have the AD recycle bin on; if you do, this will be a much easier situation.

Thanks

Mike
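The tombstone search that ldp.exe and adrestore perform, as an added PowerShell example; it is not code from the thread, from adrestore or from any of the other tools mentioned. It talks LDAP directly through System.DirectoryServices.Protocols with the "show deleted objects" control, so it works against the 2003 DCs as well as the 2008 R2 one and does not need the AD Recycle Bin. The server name and domain DN are placeholders. The Restore-Tombstone function does the same reanimation adrestore does (one LDAP modify that removes isDeleted and moves the object back under lastKnownParent), so expect the same result the thread describes: SID and sAMAccountName come back, group memberships and most other attributes do not, and the account is disabled.

```powershell
# Added example, not code from the thread or from adrestore/ldp: list tombstoned
# user objects over LDAP and, if asked, reanimate them the way adrestore does.
# Works against 2003 and 2008 R2 DCs; the AD Recycle Bin is NOT required.
# Placeholders ($Server, $DomainDN) are assumptions; run as a Domain Admin.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.corp.example'     # assumed: any writable DC
$DomainDN = 'DC=corp,DC=example'    # assumed: the domain naming context

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
$conn.SessionOptions.Signing = $true   # LDAP signing/sealing, as ldp.exe does over Kerberos
$conn.SessionOptions.Sealing = $true
$conn.Bind()                           # current Windows credentials

# The DC hides CN=Deleted Objects unless the request carries
# LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417); this is the control
# ldp.exe turns on under Options > Controls > "Return deleted objects".
$showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl

function Get-TombstonedUser {
    # computer derives from user, so (objectClass=user) alone also lists deleted machines.
    $filter = '(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer)))'
    $attrs  = 'sAMAccountName', 'lastKnownParent', 'whenChanged', 'objectSid'
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN", $filter,
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, $attrs)
    $search.Controls.Add($showDeleted) | Out-Null
    # Page the search: a domain can hold far more tombstones than the 1000-entry default limit.
    $paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    $search.Controls.Add($paging) | Out-Null
    do {
        $resp = $conn.SendRequest($search)
        foreach ($e in $resp.Entries) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier(
                        $e.Attributes['objectSid'].GetValues([byte[]])[0], 0)
            # whenChanged is generalized time in UTC (yyyyMMddHHmmss.0Z); on a
            # tombstone it is effectively the deletion time.
            $when = $e.Attributes['whenChanged'].GetValues([string])[0]
            New-Object PSObject -Property @{
                SamAccountName  = $e.Attributes['sAMAccountName'].GetValues([string])[0]
                Sid             = $sid.Value
                Deleted         = [DateTime]::ParseExact($when.Substring(0, 14), 'yyyyMMddHHmmss',
                                      [Globalization.CultureInfo]::InvariantCulture)
                LastKnownParent = $e.Attributes['lastKnownParent'].GetValues([string])[0]
                TombstoneDN     = $e.DistinguishedName
            }
        }
        $cookie = ($resp.Controls | Where-Object {
            $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        $paging.Cookie = $cookie
    } while ($cookie.Length -gt 0)
}

function Restore-Tombstone {
    # Tombstone reanimation (what adrestore does): one LDAP modify that removes
    # isDeleted and rewrites distinguishedName to the original RDN under
    # lastKnownParent. Only attributes the tombstone kept come back (objectSid,
    # objectGUID, sAMAccountName, sIDHistory); memberOf, display name, profile
    # path and the rest are gone, and the account comes back disabled.
    param([string]$TombstoneDN, [string]$LastKnownParent)
    # "CN=John Doe\0ADEL:<guid>,CN=Deleted Objects,DC=..." -> "CN=John Doe"
    $rdn   = ($TombstoneDN -split '\\0ADEL:')[0]
    $newDN = "$rdn,$LastKnownParent"

    $clear = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clear.Name      = 'isDeleted'
    $clear.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $move  = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name       = 'distinguishedName'
    $move.Operation  = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $move.Add($newDN) | Out-Null

    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $TombstoneDN
    $mod.Modifications.Add($clear) | Out-Null   # both changes must travel in ONE modify
    $mod.Modifications.Add($move)  | Out-Null
    $mod.Controls.Add($showDeleted) | Out-Null  # the target is still a deleted object
    $conn.SendRequest($mod) | Out-Null
    return $newDN
}

# Usage: list first, check the list against what was actually lost, then reanimate.
$tombstones = Get-TombstonedUser | Sort-Object Deleted -Descending
$tombstones | Format-Table SamAccountName, Deleted, LastKnownParent -AutoSize
# $tombstones | Where-Object { $_.Deleted -gt (Get-Date).ToUniversalTime().AddDays(-2) } |
#     ForEach-Object { Restore-Tombstone $_.TombstoneDN $_.LastKnownParent }
```

Because the SID survives reanimation, ACEs granted directly to the user on file shares keep working after Restore-Tombstone; anything granted through a group does not until the user is put back in the group, which is the gap an authoritative restore (or the Recycle Bin) closes.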
 

Author Comment

by:rsnellman
Ok, once I have found the list of missing (deleted) user accounts, how can I restore them as if they were never deleted? Or, when restoring them, will they need to be reconnected somehow so they have access to all the shared folders, etc. that they did before?
 

Author Comment

by:rsnellman
No, my forest level is not at 2008 R2. I wish it was now.

I need a quick and easy as possible way to restore these accounts. I have 39 in all.
 
Expert Comment

by:chuck-williams
Your best bet is a system restore backup ... is this the only domain controller?
 
Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
Sorry, doing too much at once ... try the suggestions found here:
http://www.petri.co.il/recovering-deleted-items-active-directory.htm
 

Author Comment

by:rsnellman
No, it is not. But will that reanimate them as if they were never deleted? I would hate to run into permission problems with shared folders on the file server, etc.
 

Author Comment

by:rsnellman
We have Symantec Backup Exec. Not sure if that will do what I am hoping for.
 

Author Comment

by:rsnellman
OK, I have the accounts restored, but they do not have the correct memberships of the groups they used to belong to, nor do the mapped drives exist on their accounts. Will I need to do these manually? Or does it take a few moments for them to be restored too?
 
Expert Comment

by:chuck-williams
I believe those are lost. You will have to redo them. The only way to avoid this would be to do an authoritative restore.
 
Expert Comment

by:Mike Kline
If you have the system state and you know what was deleted, you can go through the authoritative restore process. Not sure what the Symantec product will give you. I think Backup Exec 2010 will also do an easy restore.
 

Author Comment

by:rsnellman
How do you do an authoritative restore? It is probably too late to do it now that the accounts are restored, but just for future reference.

Thanks.
 

Author Comment

by:rsnellman
If the accounts still have permissions on the shared folders, this restore I did with the ADRestore.net tool will reconnect that, right?
 
Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
http://technet.microsoft.com/en-us/library/cc816878(WS.10).aspx

Yeah, only on the folders that they had direct rights to or access to via Domain Users or Authenticated Users. If you had a group called Finance assigned to the share and they were in that group, you would have to add them to that group again.
 
Expert Comment

by:Navdeep
Hi,

Have you tried following the articles that I had provided you? If you don't know the location, you need to find it manually before doing an authoritative restore of specific user accounts.

I haven't tried it myself, but what you can do is create a test user, give it some file permissions, delete it, and then restore it and find out if it restores the file permissions.
 

Author Comment

by:rsnellman
I noticed that all the accounts, when restored, are displaying as disabled. Is this normal?
 

Author Comment

by:rsnellman
Also, what about their Exchange mailboxes? Will they reconnect automatically, or will I need to reconnect them manually via Exchange Manager?
 

Author Comment

by:rsnellman
The ADRestore.net tool restored them to the correct OU, but did not restore the Member Of, account info like username & @domain.com, or the profile mapped drives.

If I have them restored, is it too late to attempt an authoritative restore now?
 

Author Comment

by:rsnellman
It left everything in the General tab blank: no First Name or Last Name or Display Name, etc.
 
Expert Comment

by:Mike Kline
You can still restore them from your system state and mark them as authoritative; by the way, this is the big difference with the recycle bin (all attributes get restored).
 
Expert Comment

by:chuck-williams
It's not too late for an authoritative restore. It just says that the AD database that is running on the restored server will be what the other databases replicate off of.
 

Author Comment

by:rsnellman
You talking about the AD recycle bin?

Restoring them with the system state, marked as authoritative, from my Symantec Backup Exec backup should do the trick and not mess up the accounts as they are already restored?
 
Expert Comment

by:chuck-williams
System state will overwrite anything that's done on that domain controller. The other servers will sync to match that server.
 
Expert Comment

by:Navdeep
See, in your case you don't know the location of the user objects, and if you do a full auth restore then whatever changes you have will be lost. So be on the safe side.

Create a recovery server and there restore the system state backup, find out the correct path, and then restore.

I know it's the long way...
 
Expert Comment

by:chuck-williams
As v-2nas was saying, if you do a full auth restore, let's say from Friday, then AD will be at the state it was at the backup on Friday. If you are the only admin and are sure there have been little to no changes, and can accept losing what few changes have been made, then just do the full restore. But if you are unsure, then you will have to do it the long way.
 
Expert Comment

by:Mike Kline
System state will not override everything. You first do the restore and mark only those deleted accounts as authoritative. Those will not get overwritten.
 

Author Comment

by:rsnellman
I was going to do a system state restore of the individual deleted AD accounts.

How do you go about making sure it is an authoritative restore?
 
Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
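The object-level authoritative restore that Mike and Chuck describe, as an added PowerShell example; it is not from the thread and is not Backup Exec's or Microsoft's own script. It assumes a Server 2008 R2 DC booted into Directory Services Restore Mode on which your backup product has already restored the system state from a backup taken before the deletion (the ordinary, non-authoritative restore), and the two DNs are placeholders. The ntdsutil commands themselves (`authoritative restore`, `restore object`) are the documented ones; passing them as command-line arguments, one command per argument with inner quotes escaped as \" for the Win32 argv parser, is the assumption to check on your box, and typing them into the interactive ntdsutil prompt works just as well. Only the objects you mark become authoritative; after the reboot everything else on that DC is brought back in line by replication from the other DCs, which is why changes made since the backup survive.

```powershell
# Added example, not code from the thread or from any vendor: drive the
# authoritative restore of a known list of deleted users on a 2008 R2 DC and
# the follow-up that brings their group memberships back.
# Precondition (DSRM): system state restored from a pre-deletion backup with
# your backup product. Do NOT reboot normally in between: the other DCs hold
# the newer "deleted" state and replication would simply delete them again.
# $Dns and the paths are assumptions.

$Dns = @(                                   # assumed: original DNs (RDN + lastKnownParent)
    'CN=John Doe,OU=Staff,DC=corp,DC=example',
    'CN=Jane Roe,OU=Staff,DC=corp,DC=example'
)

function Invoke-AuthoritativeRestore {
    # Marks ONLY the listed objects authoritative: ntdsutil raises their version
    # numbers by 100000 so that, after the reboot, these objects win over the
    # copies on the other DCs while everything else replicates in normally.
    param([string[]]$ObjectDN)
    # ntdsutil treats each command-line argument as one interactive command.
    # A DN with spaces must itself be quoted, so the inner quotes are escaped
    # with \" (assumption: standard Win32 argv quoting rules apply).
    $cmdArgs = @('"authoritative restore"')
    foreach ($dn in $ObjectDN) { $cmdArgs += "`"restore object \`"$dn\`"`"" }
    $cmdArgs += '"quit"', '"quit"'
    Start-Process -FilePath ntdsutil.exe -ArgumentList ($cmdArgs -join ' ') -Wait -NoNewWindow
}

function Import-RestoredBackLinks {
    # While marking objects, ntdsutil writes ar_<date>_links_<domain>.ldf files
    # (plus a .txt listing) to its working directory. Each .ldf re-adds the
    # restored users to the groups that referenced them; import it on a DC of
    # that domain once the DC is back in normal mode. -k keeps going past
    # "already a member" errors so a re-run is harmless.
    param([string]$Directory = (Get-Location).Path)
    foreach ($ldf in Get-ChildItem -Path $Directory -Filter 'ar_*_links_*.ldf') {
        & ldifde.exe -i -k -f $ldf.FullName
    }
}

function Test-RestoredUser {
    # After reboot and replication: the object exists as a live object and
    # memberOf is populated again (the thing reanimation alone does not give you).
    param([string[]]$ObjectDN)
    foreach ($dn in $ObjectDN) {
        $u = [adsi]"LDAP://$dn"
        try   { $null = $u.distinguishedName }
        catch { "MISSING  $dn"; continue }
        "{0,-45} groups={1}" -f $dn, @($u.memberOf).Count
    }
}

# Order of operations:
#   (DSRM)        Invoke-AuthoritativeRestore -ObjectDN $Dns    # then reboot normally
#   (normal mode) Import-RestoredBackLinks
#   (normal mode) Test-RestoredUser -ObjectDN $Dns
```

If the forest is below the 2003 functional level (no linked-value replication), the .ldf import is what actually puts the memberships back; at 2003 or higher it mostly catches groups in other domains, but importing it is cheap either way.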
 

Author Comment

by:rsnellman
OK, thanks for all the immediate help. You all are the best and gurus in my book.

I ended up using a little of everything that was mentioned, from ldp.exe to verify the deleted accounts, ADRestore.net to reanimate the deleted accounts, and a backup restore to get the accounts' links (permissions, mapped drives, etc.) back. Then all I needed to do was reset each user account's password. I did have issues with 2 of the nearly 40 accounts, but nothing that I couldn't fix by deleting the accounts and recreating them, then reconnecting their Exchange mailboxes too.

Thanks again to all.
