Unable to create account in Active Directory

Hi EE

An account was deleted in Active Directory by mistake a few weeks back. The account now needs to be recreated, but I am receiving the error below. Any idea how I can correct this?
error.png
MilesLoganAsked:

Will SzymkowskiSenior Solution ArchitectCommented:
The account might be deleted, but it seems that there is another account that is using the same sAMAccountName. The sAMAccountName is domain-wide and has to be unique for each user in the domain.

Check to make sure that you are not using the same sAMAccountName as another account in your AD environment.


Thanks,

Will
0
MilesLoganAuthor Commented:
Yes, definitely the same sAMAccountName is not being used on another account. Could the conflict be because I can still see the account when I search for data in the Deleted Objects OU? How can I remove it from there?
0
Brian PiercePhotographerCommented:
Have you enabled the AD recycle bin (if not, why not?). If so, then recover the account from there.

http://www.joetheitguy.com/2013/07/22/the-active-directory-recycle-bin/
0
MilesLoganAuthor Commented:
Hi KCTS ..

I received the error below .. ABC123 is not the actual SamAccountName , I removed it to not have live data on this site.

The error where it states "NAmeOfUser" was the correct user I need to restore .. any ideas ?


PS E:\projects\users> get-adobject -filter 'SamAccountName -like "ABC123"'-IncludeDeletedObjects | Restore-ADObject
Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted
At line:1 char:79
+ get-adobject -filter 'SamAccountName -like "ABC123"'-IncludeDeletedObjects | Re ...
+                                                                               ~~
    + CategoryInfo          : InvalidOperation: (CN=NAmeOfUser...ds,DC=MyDomain,DC=org:ADObject) [Restore-ADObject], ADIllegalModifyOperat
   ionException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
0
Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
When an object is deleted from Active Directory, it is not immediately erased, but is marked for future deletion. The marker used to designate that an AD object is scheduled to be destroyed is called a "tombstone". A tombstone is an object whose IsDeleted property has been set to True, and it indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table but the data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes the objects. The length of time tombstoned objects remain in the directory service before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory (by default).

Why do you want to create a new user account? You can restore the account so you don't need to go through all the permissions etc. again.

Follow the procedure below to recover deleted items in AD

http://www.petri.co.il/manually-undeleting-objects-windows-active-directory-ad.htm

Regards
0
Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
Also, you can check various methods to restore a deleted account here

http://www.petri.co.il/recovering-deleted-items-active-directory.htm

Regards
0
becraigCommented:
Import-Module activedirectory
Get-ADObject -Filter {displayName -eq "User Display Name"} -IncludeDeletedObjects | Restore-ADObject
0
MilesLoganAuthor Commented:
Hi becraig: I receive the same error as above ..

Restore-ADObject : Parameter: 'TargetPath' is required for this operation.
At line:2 char:85
+ ... letedObjects | Restore-ADObject
+                    ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (CN=NAmeOfUser...ds,DC=MyDomain,DC=org:ADObject) [Restore-ADObject], ArgumentException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
 
Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted
At line:2 char:85
+ ... letedObjects | Restore-ADObject
+                    ~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=NAmeOfUser...ds,DC=MyDomain,DC=org:ADObject) [Restore-ADObject], ADIllegalModifyOperat
   ionException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
0
becraigCommented:
Are you specifying a Target path ?

-TargetPath "ou=sales,dc=corp,dc=contoso,dc=com"

This should be the container the user account is expected to be placed in when the command is run.


See for more details:
http://technet.microsoft.com/en-us/library/ee617262.aspx
0
MilesLoganAuthor Commented:
Hi becraig .. I had not specified the path .. but I just tried with it and I received the error below.

In the error it does show the Name of the person on the account I want to restore .. Any ideas ?

PS E:\projects\users> Import-Module activedirectory
Get-ADObject -Filter {SamAccountName -eq "x12345"} -IncludeDeletedObjects | Restore-ADObject -TargetPath "Sacramento,DC=MyDomain,DC=org"
Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted
At line:2 char:78
+ Get-ADObject -Filter {SamAccountName -eq "x12345"} -IncludeDeletedObjects | Res ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=CorrectName...Sacramento,DC=MyDomain,DC=org:ADObject) [Restore-ADObject], ADIllegalModifyOperat
   ionException
    + FullyQualifiedErrorId : 0,Microsoft.ActiveDirectory.Management.Commands.RestoreADObject
0
becraigCommented:
Have you verified if you get any output from
Get-ADObject -Filter {SamAccountName -eq "x12345"} -IncludeDeletedObjects

We need to verify you can actually find the object first.
0
MilesLoganAuthor Commented:
Hi .. yes I can see it ..

Get-ADObject -Filter {SamAccountName -eq "x12345"} -IncludeDeletedObjects

Returns:
Deleted           : True
DistinguishedName : CN=Name\0ADEL:c3ee1d96-f8c8-4a36-8658-2450e704da13,CN=Deleted Objects,MyDomain,DC=org
Name              : Correct Name
                       DEL:c3ee1d96-f8c8-4a36-8658-2450e704da13
ObjectClass       : user
ObjectGUID        : c3ee1d96-f8c8-4a36-8658-2450e704da13
0
becraigCommented:
So here is an example of just using the restore command:

Restore-ADObject -Identity "CN=Name\0ADEL:c3ee1d96-f8c8-4a36-8658-2450e704da13,CN=Deleted Objects,MyDomain,DC=org" -NewName "User Name" -TargetPath "OU=CorrectUserOU,OU=UserAccounts,DC=FABRIKAM,DC=COM"


or

Restore-ADObject -Identity "c3ee1d96-f8c8-4a36-8658-2450e704da13" -NewName "User Name" -TargetPath  "OU=CorrectUserOU,OU=UserAccounts,DC=FABRIKAM,DC=COM"
0
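
The checks discussed in this thread (find the deleted object, rule out a sAMAccountName conflict, then restore with an explicit -NewName and -TargetPath), collected into one script as an added example that is not from any of the participants. The sAMAccountName and fallback OU are the placeholder values used in the thread; the fallback that strips the DEL: suffix from Name assumes msDS-LastKnownRDN may be empty on the deleted object.

```powershell
# Added example, not code from the thread. Placeholder values are marked.
Import-Module ActiveDirectory

$sam        = 'x12345'   # placeholder sAMAccountName used in the thread
$fallbackOU = 'OU=CorrectUserOU,OU=UserAccounts,DC=FABRIKAM,DC=COM'   # placeholder OU from the answer

# 1. Locate the deleted object and fetch the attributes a restore depends on.
$deleted = @(Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, 'msDS-LastKnownRDN')
if ($deleted.Count -ne 1) {
    throw "Expected exactly one deleted object for '$sam', found $($deleted.Count)."
}
$obj = $deleted[0]

# 2. sAMAccountName must be unique in the domain: stop if a live object already holds it.
$live = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
if ($live) {
    throw "sAMAccountName '$sam' is already in use by: $($live.DistinguishedName -join '; ')"
}

# 3. Recover the original RDN. The deleted object's Name is "<original name><LF>DEL:<guid>",
#    so fall back to cutting that suffix off when msDS-LastKnownRDN is not populated.
$rdn = $obj.'msDS-LastKnownRDN'
if (-not $rdn) {
    $rdn = ($obj.Name -split "`nDEL:")[0].Trim()
}

# 4. Restore into the original parent if it still exists as a live container,
#    otherwise into the fallback OU.
$target   = $obj.lastKnownParent
$parentOk = $false
if ($target) {
    try {
        Get-ADObject -Identity $target -ErrorAction Stop | Out-Null
        $parentOk = $true
    } catch {
        Write-Warning "lastKnownParent '$target' not found; using fallback OU."
    }
}
if (-not $parentOk) { $target = $fallbackOU }

# 5. Dry run: shows what would be restored. Remove -WhatIf to perform the restore.
Restore-ADObject -Identity $obj.ObjectGUID -NewName $rdn -TargetPath $target -WhatIf
```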
MilesLoganAuthor Commented:
Awesome, that worked...  thanks becraig !
0
NorthernTel & Telebec Managed ServicesManaged I.T. SupportCommented:
I worked hard on understanding this one. You need to carefully look at what the deleted item's fields contain.
I put an entry on my blog explaining it.
http://www.chrisleblanc.org/restoring-deleted-ad-object-avoiding-common-error/
0