restore user accounts on sbs 2003

Posted on 2013-10-26
Medium Priority
Last Modified: 2013-12-13
We have a server that was hacked.  I found a user logged in but disconnected.  The user name was zhii.  I was able to login as administrator and discovered that 4 user accounts were deleted.  We discovered in the security event log that user zhii deleted them.

Can I restore the user accounts and only the user accounts from backup?  I don't want to restore any data.  The last successful backup was 2 days prior to this issue occurring.

If so, what do I restore?  C drive and System State?
Question by:rrincones
LVL 22

Accepted Solution

dan_blagut earned 2000 total points
ID: 39603568

Do you know how the hacker penetrated your server? Did you plug the hole? Did you analyse your server for hidden holes that your hacker could have installed?
I suggest restoring back to your last backup (system only, no data).
That will allow you to:
- recover your deleted users
- uninstall all installed security holes
- delete all cached accounts, service accounts or any modifications that the hacker could have made
Then you must review your SBS server security.

LVL 52

Expert Comment

by:Manpreet Singh Khatra
ID: 39603651
You can try recovering the users if they are in the tombstone period, or else System restore is a good option ... but that much is needed only if they had a lot of privilege details; if not, why not simply re-create their accounts?

- Rancy
LVL 37

Expert Comment

by:Jian An Lim
ID: 39603705
You are talking about a domain, right?

Use the Quest tool to restore them; it is the easiest way.

After that, I suggest you reset your password.
LVL 14

Expert Comment

ID: 39603793
The article here by Daniel Petri describes several (?all) methods of recovering deleted AD objects in Windows 2003.

Basically the objects (users) will remain in AD in a tombstoned state for 180 days unless the default tombstone period has been altered.  Objects in this state can be restored trivially using e.g. ADRestore.

Otherwise, if the SBS server is the only DC then you can recover the deleted users by restoring the systemstate NTBackup from Directory Services Restore Mode.

If you have additional DCs you will need to recover systemstate and perform authoritative restores of the deleted objects using NTDSutil as described in MS KB 840001.

Author Closing Comment

ID: 39717555
It was due to a virus. Restoring system state resolved the issue with the user accounts.
