restore user accounts on sbs 2003

Posted on 2013-10-26
Last Modified: 2013-12-13
We have a server that was hacked.  I found a user logged in but disconnected.  The user name was zhii.  I was able to login as administrator and discovered that 4 user accounts were deleted.  We discovered in the security event log that user zhii deleted them.

Can I restore the user accounts and only the user accounts from backup?  I dont want to restore any data.  The last successful backup was 2 days prior to this issue occurring.

If so, what do i restore?  C drive and System State?
Question by:rrincones
LVL 21

Accepted Solution

dan_blagut earned 500 total points
Comment Utility

Do you know how the hacker has penetrated into your server? Did you colmatated the hole? Dis you analyse your server for hiden hole that your hacket could install?
I sugest to restore back at your last backup (system only, no data)
That will allow:
- recover your deleted users
- uninstall all installed security holes
- delete all cached account, service account or any modification that the hacker could did
The you must review yous SBS server security.

LVL 52

Expert Comment

by:Manpreet SIngh Khatra
Comment Utility
You can try recovering the users if they are in the tombstone period or else System restore is a good option .... but so much needed only if they were having too much Privilege details if not why not simply re-create their accounts

- Rancy
LVL 36

Expert Comment

by:Jian An Lim
Comment Utility
are you talking about domain right?

use the quest tool to restore them, the most easiest way.

after that, i suggest you to reset your password
LVL 14

Expert Comment

Comment Utility
The article here by Daniel Petri describes several (?all) methods of recovering deleted AD objects in Windows 2003.

Basically the objects (users) will remain in AD in a tombstoned state for 180 days unless the default tombstone period has been altered.  Objects in this stae can be restored trivially using eg. ADRestore.

Otherwise, if the SBS server is the only DC then you can recover the deleted users by restoring the systemstate NTBackup from Directory Services Restore Mode.

If you have additional DCs you will need to recover systemstate and perform authoritative restores of the deleted objects using NTDSutil as described in MS KB 840001

Author Closing Comment

Comment Utility
it was due to a virus. restoring system state resolved the issue with the user accounts

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Suggested Solutions

Citrix XenDesktop, gold image, VMware, vSphere.
Citrix XenDesktop 7.6 Citrix Policies Disable Peripherals
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now