Solved

restore user accounts on sbs 2003

Posted on 2013-10-26
Last Modified: 2013-12-13
We have a server that was hacked.  I found a user logged in but disconnected.  The user name was zhii.  I was able to log in as administrator and discovered that 4 user accounts were deleted.  We discovered in the security event log that user zhii deleted them.

Can I restore the user accounts and only the user accounts from backup?  I don't want to restore any data.  The last successful backup was 2 days prior to this issue occurring.

If so, what do I restore?  C drive and System State?
Question by:rrincones
5 Comments
 

Accepted Solution

by:
dan_blagut earned 500 total points
ID: 39603568
Hi

Do you know how the hacker penetrated your server? Did you plug the hole? Did you analyse your server for hidden holes that your hacker could have installed?
I suggest restoring back to your last backup (system only, no data).
That will allow you to:
- recover your deleted users
- uninstall all installed security holes
- delete all cached accounts, service accounts or any modifications that the hacker could have made
Then you must review your SBS server security.

Dan

Expert Comment

by:Manpreet SIngh Khatra
ID: 39603651
You can try recovering the users if they are in the tombstone period, or else System restore is a good option ... but that much is needed only if they had a lot of privilege details; if not, why not simply re-create their accounts?

- Rancy

Expert Comment

by:Jian An Lim
ID: 39603705
You are talking about a domain, right?

Use the Quest tool to restore them; it is the easiest way.

http://www.quest.com/object-restore-for-active-directory/

After that, I suggest you reset your password.

Expert Comment

by:BlueCompute
ID: 39603793
The article here by Daniel Petri describes several (?all) methods of recovering deleted AD objects in Windows 2003.

Basically the objects (users) will remain in AD in a tombstoned state for 180 days unless the default tombstone period has been altered.  Objects in this state can be restored trivially using e.g. ADRestore.

Otherwise, if the SBS server is the only DC then you can recover the deleted users by restoring the systemstate NTBackup from Directory Services Restore Mode.

If you have additional DCs you will need to recover systemstate and perform authoritative restores of the deleted objects using NTDSutil as described in MS KB 840001.
Author Closing Comment

by:rrincones
ID: 39717555
It was due to a virus. Restoring system state resolved the issue with the user accounts.
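
The question notes that the deletions were found in the Security event log, and the answers hinge on whether the backup still contains the deleted accounts. As an added example (not part of the original thread), the Python below lists account deletions per caller from an exported log and marks which ones postdate the last good backup. Event ID 630 is the Windows Server 2003 "User Account Deleted" event; the CSV layout, the sample rows, the EXAMPLE domain and the account names other than zhii are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export of the Security log (column layout is an assumption).
SAMPLE_EXPORT = """\
time,event_id,description
2013-10-20 10:05:00,630,"User Account Deleted: Target Account Name: tempuser Target Domain: EXAMPLE Caller User Name: Administrator Caller Domain: EXAMPLE"
2013-10-26 02:01:13,528,"Successful Logon: User Name: zhii Domain: EXAMPLE Logon Type: 10"
2013-10-26 02:03:10,630,"User Account Deleted: Target Account Name: user1 Target Domain: EXAMPLE Caller User Name: zhii Caller Domain: EXAMPLE"
2013-10-26 02:03:18,630,"User Account Deleted: Target Account Name: user2 Target Domain: EXAMPLE Caller User Name: zhii Caller Domain: EXAMPLE"
2013-10-26 02:03:25,630,"User Account Deleted: Target Account Name: user3 Target Domain: EXAMPLE Caller User Name: zhii Caller Domain: EXAMPLE"
2013-10-26 02:03:31,630,"User Account Deleted: Target Account Name: user4 Target Domain: EXAMPLE Caller User Name: zhii Caller Domain: EXAMPLE"
"""

ACCOUNT_DELETED = "630"  # Windows Server 2003: User Account Deleted
FIELD = re.compile(r"(Target Account Name|Caller User Name):\s*(\S+)")

def parse_deletions(export_text):
    """Return (when, target, caller) for every account-deletion event."""
    deletions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != ACCOUNT_DELETED:
            continue
        fields = dict(FIELD.findall(row["description"]))
        target = fields.get("Target Account Name")
        if not target:  # truncated record: nothing to restore by name
            continue
        caller = fields.get("Caller User Name", "<unknown>")
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        deletions.append((when, target, caller))
    return deletions

def restore_scope(deletions, backup_time):
    """Group deleted accounts by caller; True means the backup predates the
    deletion, so the system state backup still holds the live account."""
    scope = defaultdict(list)
    for when, target, caller in deletions:
        scope[caller].append((target, when > backup_time))
    return dict(scope)

if __name__ == "__main__":
    backup = datetime(2013, 10, 24, 23, 0)  # constructed: two days before the deletions
    for caller, items in restore_scope(parse_deletions(SAMPLE_EXPORT), backup).items():
        for target, in_backup in items:
            state = "present in backup" if in_backup else "deleted before backup"
            print(f"{caller} deleted {target}: {state}")
```

Accounts marked as deleted before the backup cannot come back from that system state restore and need tombstone recovery or re-creation instead.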