Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 596
  • Last Modified:

restore user accounts on sbs 2003

We have a server that was hacked.  I found a user logged in but disconnected.  The user name was zhii.  I was able to login as administrator and discovered that 4 user accounts were deleted.  We discovered in the security event log that user zhii deleted them.

Can I restore the user accounts and only the user accounts from backup?  I dont want to restore any data.  The last successful backup was 2 days prior to this issue occurring.

If so, what do i restore?  C drive and System State?
1 Solution

Do you know how the hacker has penetrated into your server? Did you colmatated the hole? Dis you analyse your server for hiden hole that your hacket could install?
I sugest to restore back at your last backup (system only, no data)
That will allow:
- recover your deleted users
- uninstall all installed security holes
- delete all cached account, service account or any modification that the hacker could did
The you must review yous SBS server security.

Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
You can try recovering the users if they are in the tombstone period or else System restore is a good option .... but so much needed only if they were having too much Privilege details if not why not simply re-create their accounts

- Rancy
Jian An LimSolutions ArchitectCommented:
are you talking about domain right?

use the quest tool to restore them, the most easiest way.


after that, i suggest you to reset your password
The article here by Daniel Petri describes several (?all) methods of recovering deleted AD objects in Windows 2003.

Basically the objects (users) will remain in AD in a tombstoned state for 180 days unless the default tombstone period has been altered.  Objects in this stae can be restored trivially using eg. ADRestore.

Otherwise, if the SBS server is the only DC then you can recover the deleted users by restoring the systemstate NTBackup from Directory Services Restore Mode.

If you have additional DCs you will need to recover systemstate and perform authoritative restores of the deleted objects using NTDSutil as described in MS KB 840001
rrinconesAuthor Commented:
it was due to a virus. restoring system state resolved the issue with the user accounts

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now