restore user accounts on sbs 2003

Posted on 2013-10-26
Medium Priority
Last Modified: 2013-12-13
We have a server that was hacked.  I found a user logged in but disconnected.  The user name was zhii.  I was able to login as administrator and discovered that 4 user accounts were deleted.  We discovered in the security event log that user zhii deleted them.

Can I restore the user accounts and only the user accounts from backup?  I don't want to restore any data.  The last successful backup was 2 days prior to this issue occurring.

If so, what do I restore?  C drive and System State?
Question by:rrincones

Accepted Solution

dan_blagut earned 2000 total points
ID: 39603568

Do you know how the hacker penetrated your server? Did you plug the hole? Did you analyse your server for hidden holes that your hacker could have installed?
I suggest restoring back to your last backup (system only, no data).
That will allow you to:
- recover your deleted users
- uninstall all installed security holes
- delete all cached accounts, service accounts or any modifications that the hacker could have made
Then you must review your SBS server security.


Expert Comment

by:Manpreet SIngh Khatra
ID: 39603651
You can try recovering the users if they are in the tombstone period, or else a system restore is a good option ... but that much is only needed if they had a lot of privilege details; if not, why not simply re-create their accounts?

- Rancy

Expert Comment

by:Jian An Lim
ID: 39603705
You are talking about a domain, right?

Use the Quest tool to restore them; it is the easiest way.

After that, I suggest you reset your password.

Expert Comment

ID: 39603793
The article here by Daniel Petri describes several (?all) methods of recovering deleted AD objects in Windows 2003.

Basically the objects (users) will remain in AD in a tombstoned state for 180 days unless the default tombstone period has been altered.  Objects in this state can be restored trivially using e.g. ADRestore.

Otherwise, if the SBS server is the only DC then you can recover the deleted users by restoring the systemstate NTBackup from Directory Services Restore Mode.

If you have additional DCs you will need to recover systemstate and perform authoritative restores of the deleted objects using NTDSutil as described in MS KB 840001.

Author Closing Comment

ID: 39717555
It was due to a virus. Restoring system state resolved the issue with the user accounts.
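
An added example, not part of the thread or any poster's code: before choosing between the tombstone and system-state routes discussed above, the Security log can be used to list exactly which accounts were deleted, by whom and when, and to confirm that the backup predates each deletion. The export layout, timestamps, domain and the account names user1..user4 are constructed assumptions; event 630 is the Windows Server 2003 "User Account Deleted" record.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: Security log exported as "time<TAB>event ID<TAB>description".
# The export layout, timestamps, domain and user1..user4 are assumptions.
_DEL = ("User Account Deleted: Target Account Name: {0} Target Domain: EXAMPLE "
        "Target Account ID: - Caller User Name: zhii Caller Domain: EXAMPLE "
        "Caller Logon ID: (0x0,0x3E4A1) Privileges: -")
SAMPLE_LOG = "\n".join([
    "2013-10-25 02:11:40\t528\tSuccessful Logon: User Name: zhii Logon Type: 10",
    "2013-10-25 02:14:07\t630\t" + _DEL.format("user1"),
    "2013-10-25 02:14:19\t630\t" + _DEL.format("user2"),
    "2013-10-25 02:14:30\t642\tUser Account Changed: Target Account Name: user9",
    "2013-10-25 02:14:41\t630\t" + _DEL.format("user3"),
    "2013-10-25 02:14:55\t630\t" + _DEL.format("user4"),
])

FIELDS = re.compile(r"Target Account Name:\s*(?P<target>\S+).*?"
                    r"Caller User Name:\s*(?P<caller>\S+)")

def deleted_accounts(log_text):
    """Return (time, account, deleted_by) for every event 630 record."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or parts[1] != "630":
            continue  # 630 = "User Account Deleted" on Windows Server 2003
        m = FIELDS.search(parts[2])
        if m:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            hits.append((when, m.group("target"), m.group("caller")))
    return hits

def recovery_options(hits, backup_time, now, tombstone_days=180):
    """For each deleted account, report which recovery routes are still open."""
    options = {}
    for when, account, deleted_by in hits:
        options[account] = {
            "deleted_by": deleted_by,
            # A backup taken before the deletion still holds the live object.
            "backup_predates_deletion": backup_time < when,
            # 180 is the figure quoted in the thread; confirm tombstoneLifetime.
            "tombstone_present": now - when < timedelta(days=tombstone_days),
        }
    return options

if __name__ == "__main__":
    found = deleted_accounts(SAMPLE_LOG)
    for acct, info in recovery_options(found, datetime(2013, 10, 23, 23, 0),
                                       datetime(2013, 10, 26, 9, 0)).items():
        print(acct, info)
```

Any account whose deletion time is earlier than the backup would not be recovered by restoring that system state and needs an older backup or the tombstone route.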
