Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Who Deleted AD Account

Posted on 2013-01-02
4
Medium Priority
?
936 Views
Last Modified: 2013-11-22
Missing user accounts from AD, any way to tell what happen?
0
Comment
Question by:SBelmont2012
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 38736637
Here's a nice blog article with a solution for you to play with:
http://blogs.technet.com/b/brad_rutkowski/archive/2006/09/21/hey-who-deleted-that-user-from-ad.aspx
0
 
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 38736679
Without Auditing enabled , it is impossible to check who has deleted the account.

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ba11d5a2-f30b-4163-913e-21f3941593c3/

If you want to restore the deleted the user account , please use the LDP.exe tool to do it , since each object in AD has some Thumstone life

http://technet.microsoft.com/en-us/library/dd581644(WS.10).aspx#restore_deleted_object_LDP

1.Log on to the Windows Server 2008 domain controller DC1 with Enterprise Admin or Domain Admin credentials.

2.Click Start, click Run, type ldp.exe, and then click OK.

3.Click Connection, and then click Connect.

4.Because you are logged on to the domain controller that hosts the forest root domain, click OK.

5.Click Connection again, and then click Bind.

6.Under Bind type, ensure that Bind as currently logged on user is selected, and then click OK.

7.Click View, and then click Tree. In BaseDN, type DC=Fabrikam,DC=com, and then click OK.

8.Click Options, and then click Controls. In the Load Predefined menu, click Return Deleted Objects, click Check Out, click Check In, and then click OK.

9.In the console tree, expand DC=Fabrikam,DC=com, double-click CN=Deleted Objects,DC=Fabrikam,DC=com, and then double-click CN=Arlene Huff\0ADEL:{objectGUID},CN=Deleted Objects,DC=Fabrikam,DC=com to open the object properties.

10.Right-click CN=Arlene Huff\0ADEL:objectGUID,CN=Deleted Objects,DC=Fabrikam,DC=com, and then click Modify.

11.In the Modify dialog box, do the following:

a.In Edit Entry Attribute, type isDeleted.


b.Under Operation, click Delete, and then click Enter.


c.Return to Edit Entry Attribute, and then type distinguishedName. (If the text isDeleted is still present in the box, remove it.)


d.In the details pane, under Dn: CN=Arlene Huff\0ADEL:objectGUID,CN=Deleted Objects,DC=Fabrikam,DC=com, copy the value for the lastknownParent attribute, and then paste it in Values. Amend this text with the CN of Arlene Huff, minus the mangled portion (\0ADEL:objectGUID) of the distinguished name, for example:

CN=Arlene Huff,OU=Finance,DC=Fabrikam,DC=com


12.Under Operation, click Replace, click Enter, ensure that the Extended check box is selected, and then click Run. You will see a confirmation message.

13.Click Close to close the Modify dialog box, and then minimize LDP.

14.Open the Active Directory Users and Computers snap-in. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

15.Click the Finance OU, and ensure that the user Arlene Huff is present.

Regards,

_Prashant_
0
 
LVL 6

Accepted Solution

by:
mo_patel earned 2000 total points
ID: 38739373
download AD Info free edition from www.cjwdev.co.uk

it has lots of useful scripts to do exactly what you want, also saves you time scripting
0
 

Author Comment

by:SBelmont2012
ID: 38740057
mo_patel!  THANK YOU
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question