Solved

HELP!!!  Need to find tombstoned AD user objects!

Posted on 2011-02-22
Last Modified: 2012-06-21
Hi, I am in desperate need of help.  I have some AD user accounts that were accidentally deleted and need to find out which ones are deleted so I can restore them.  I am guessing about 15 - 20 accounts are missing, but don't know for sure.

I have Server 2008 R2 as a DC and several Server 2003 R2 & non-R2 DCs too.

I know I will kick myself later but I am having a hard time remembering.  Of course, it doesn't help that I have never had to do this before now.

HELP, HELP HELP.

Thanks in advance.

Question by:rsnellman
30 Comments
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
ID: 34954937
http://technet.microsoft.com/en-us/library/cc978013.aspx

I have never done it but this seems correct.
0
 
LVL 12

Accepted Solution

by:Navdeep
Navdeep earned 250 total points
ID: 34954957
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 34954968
You can use a tool like adrestore  http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx

There is also a GUI version called adrestore.net

You can also use LDP to view the deleted objects  http://support.microsoft.com/kb/258310

adfind by Joe Richards can also do this (I can give you examples of that if you want)

Is your forest functional level at 2008 R2...just wondering if you have the AD recycle bin on...if you do this will be a much easier situation

Thanks

Mike
0
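An added example, not posted by anyone in this thread: one way to list tombstoned user objects with the ActiveDirectory PowerShell module that ships with Server 2008 R2, as an alternative to browsing the Deleted Objects container in LDP. It assumes the module is installed and the query runs against the 2008 R2 DC; the CSV file name is a constructed placeholder.

```powershell
# Added example: enumerate tombstoned user accounts before restoring anything.
Import-Module ActiveDirectory

# The Deleted Objects container is hidden; ask the domain for its DN.
$domain = Get-ADDomain

# Tombstones lose objectCategory, so filter on objectClass instead.
# Computer accounts also carry objectClass=user, so exclude them explicitly.
$filter = '(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer)))'

$deleted = Get-ADObject -SearchBase $domain.DeletedObjectsContainer `
    -IncludeDeletedObjects `
    -LDAPFilter $filter `
    -Properties sAMAccountName, lastKnownParent, whenChanged, objectSid

# lastKnownParent is the OU the account lived in before deletion;
# whenChanged on a tombstone is normally the time of deletion.
$report = $deleted |
    Sort-Object whenChanged -Descending |
    Select-Object @{ n = 'Account';         e = { $_.sAMAccountName } },
                  @{ n = 'DeletedOn';       e = { $_.whenChanged } },
                  @{ n = 'LastKnownParent'; e = { $_.lastKnownParent } },
                  @{ n = 'SID';             e = { $_.objectSid.Value } },
                  ObjectGUID

$report | Format-Table -AutoSize

# Keep a record of what was found (placeholder file name).
$report | Export-Csv -Path .\deleted-users.csv -NoTypeInformation

# Dry run only: shows which objects would be reanimated, changes nothing.
# Without the AD Recycle Bin, reanimation brings back the object and its SID
# but not attributes stripped at deletion, such as group membership.
$deleted | Restore-ADObject -WhatIf
```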

Author Comment

by:rsnellman
ID: 34955127
Ok, once I have found the list of missing (deleted) user accounts, how can I restore them as if they were never deleted?  Or when restoring them they will need to be reconnected somehow, so they have access to all the shared folders, etc. they did before?
0
 

Author Comment

by:rsnellman
ID: 34955179
No, my forest level is not at 2008 R2.  I wish it was now.  

I need a quick and easy as possible way to restore these accounts.  I have 39 in all.

0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34955197
Your best bet is a system restore backup ... is this the only domain controller?
0
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
ID: 34955258
Sorry doing too much at once ... try suggestions found here:
http://www.petri.co.il/recovering-deleted-items-active-directory.htm
0
 

Author Comment

by:rsnellman
ID: 34955263
No, it is not.  But will that reanimate them as if they were never deleted?  I would hate to run into permission problems with shared folders on the file server, etc.
0
 

Author Comment

by:rsnellman
ID: 34955268
We have Symantec Backup Exec.  Not sure if that will do what I am hoping for.
0
 

Author Comment

by:rsnellman
ID: 34955388
OK, I have the accounts restored, but they do not have the correct memberships of groups they used to belong to, nor do the mapped drives exist on their accounts either.  Will I need to do these manually?  Or does it take a few moments for them to be restored too?
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34955405
I believe those are lost. You will have to redo them. The only way to avoid this would be to do an authoritative restore.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34955446
If you have the system state and you know what was deleted you can go through the authoritative restore process.  Not sure what the Symantec product will give you.  I think backup exec 2010 will also do an easy restore.
0
 

Author Comment

by:rsnellman
ID: 34955459
How do you do an authoritative restore?  It is probably too late to do it now the accounts are restored, but just for future reference.

Thanks.
0
 

Author Comment

by:rsnellman
ID: 34955482
If the accounts still have permissions on the shared folders this restore I did with ADRestore.net tool will reconnect that, right?
0
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
ID: 34955509
http://technet.microsoft.com/en-us/library/cc816878(WS.10).aspx

Yea only on the folders that they had direct rights to or access via domain users or authenticated users. If you had a group called finance assigned to the share and they were in that group, you would have to add them to that group again.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34955547
Hi,

Have you tried following the articles that I had provided you? Since if you don't know the location you need to find it manually before doing an authoritative restore of specific user accounts.

I haven't tried it myself, but what you can do is create a test user, give it some file permissions, delete it and then restore it, and find out if it restores the file permissions.
0
 

Author Comment

by:rsnellman
ID: 34955561
I noticed that all the accounts when restored are displaying disabled.  Is this normal?
0
 

Author Comment

by:rsnellman
ID: 34955570
Also, what about their Exchange mailbox?  Will they reconnect automatically or will I need to reconnect them manually via Exchange Manager?
0
 

Author Comment

by:rsnellman
ID: 34955592
ADRestore.net tool restored them to the correct OU, but did not restore the Member Of, Account info, like username & @domain.com & Profile mapped drives.

If I have them restored is it too late to attempt an authoritative restore now?
0
 

Author Comment

by:rsnellman
ID: 34955612
It left everything in the General tab blank, no First Name or Last Name or Display Name, etc.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34955630
You can still restore them from your system state and mark them as authoritative; by the way this is the big difference with the recycle bin (all attributes get restored)

0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34955640
It's not too late for an authoritative restore. It just says that the AD database that is running on the restored server will be what the other databases replicate off of.
0
 

Author Comment

by:rsnellman
ID: 34955647
You talking about the AD recycle bin?

Restoring them with the System State, marked as authoritative from my Symantec Backup Exec backup should do the trick and not mess up the accounts as they are already restored?
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34955656
System state will overwrite anything that's done on that domain controller. The other servers will sync to match that server.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 34955670
See, in your case you don't know the location of the user objects, and if you do a full auth restore then whatever changes you have will be lost. So be on the safe side.

Create a recovery server and there you restore the system state backup, find out the correct path and then restore.

I know it's a long way...
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34955710
As v-2nas was saying. If you do a full auth restore lets say from Friday, then AD will be at the state it was at the backup on Friday. If you are the only admin and are sure there have been little to no changes, and can accept losing what few changes have been made, then just do the full restore. But if you are unsure then you will have to do it the long way.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34955786
System state will not override everything.  You first do the restore and mark only those deleted accounts as authoritative.  Those will not get overwritten.
0
 

Author Comment

by:rsnellman
ID: 34955957
I was going to do a system state restore of the AD individual deleted accounts.

How do you go about making sure it is authoritative restore?
0
 
LVL 6

Assisted Solution

by:chuck-williams
chuck-williams earned 200 total points
ID: 34956036
0
 

Author Comment

by:rsnellman
ID: 34969864
OK, Thanks to all the immediate help.  You all are the best and gurus in my book.

I ended up using a little of everything that was mentioned, from ldp.exe to verify the deleted accounts, ADRestore.net to reanimate the deleted accounts and a backup restore to get the accounts' links (permissions, mapped drives, etc.) back.  Then all I needed to do was reset each user account's password.  I did have issues with 2 of the nearly 40 accounts, but nothing that I couldn't fix by deleting the accounts and recreating them then reconnecting their Exchange mailboxes too.

Thanks again to all.
0

Question has a verified solution.
