  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 454

Active Directory object recovery

I had a question about Active Directory object recovery. I have an AD where two problems arose. The first was after clicking "enable inheritance" on a couple of users. It changed a list of known accounts to unknown. The second is one of the unknown accounts was accidentally removed. Being unknown, I don't know what it was to add it back.

I am somewhat familiar with AD Restore, but not sure if this will work since the changes would have replicated to all of the other DCs in the area. The box where the changes were made was an Exchange server with ADUC installed, and it would have replicated (from my understanding) to the DCs.

The Exchange box is a 2012 server with Exchange 2013 on it. The other DCs are 2008 R2, I believe.

Can someone point me in the right direction of what I need to do to roll back the changes (if possible)?

If more information is needed, I will provide as I can.

Thanks in advance
Asked by: camstutz
2 Solutions
 
Mike Kline commented:
You mentioned 2008 R2... are you at the 2008 R2 forest functional level?

The reason I ask is because if you have the AD recycle bin feature enabled that makes recovery much easier.

Do you have a good backup of your system state on the DC? You may need to, which is why I'm asking.

Thanks

Mike
Will Szymkowski (Senior Solution Architect) commented:
As Mike has already asked, if you have a 2008 R2 forest you can recover items with PowerShell or using ldp.exe.

Below are a couple of links which should be able to assist with your restore process.

PowerShell/LDP.exe Restore - http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Free AD Restore Tools - (try ADRestore.net) http://social.technet.microsoft.com/wiki/contents/articles/5035.free-ad-objects-recovery-tools.aspx

Will.
camstutz (Author) commented:
I apologize, we are in a 2003 forest and domain functional level.
camstutz (Author) commented:
I'm sorry for leaving this out in the first post, but the user wasn't deleted; just a security principal/group was removed, and I need to know how to change the "Account Unknown" entries back to known (this happened after clicking "enable inheritance" on an already existing user account).

Again, I apologize that it wasn't clear in the first post.
Will Szymkowski (Senior Solution Architect) commented:
The Restore Tools should work for you. ADRestore.net is compatible with 2003 Forest/Domain FL.

Will.
Mike Kline commented:
Once you are done with this fire, consider taking regular AD snapshots. You can search for more info on them: http://blogs.technet.com/b/niraj_kumar/archive/2009/02/05/active-directory-snapshot-new-feature-in-windows-2008.aspx

If you had one you could just mount the snapshot and see what groups the user used to be a part of.  Some folks take daily and/or weekly snapshots.

Thanks

Mike
camstutz (Author) commented:
Hello Mike and Will.

I apologize for not getting back sooner. After looking into this problem first, I am changing my mind about the known accounts having changed to unknown. I looked at the security principals on the OU itself and it had a list of unknown accounts. I think that the user object picked up the "Account Unknown" entries from the OU itself (after clicking "enable inheritance"). I am decently certain that one of the "Account Unknown" entries was the one that was accidentally removed.

Additionally, the servers have DPM backups with system state that include Active Directory. Using a method that was suggested, I was able to restore the system state to an alternative directory. I then mounted the VHD, and then mounted and browsed the ntds.dit file using ADUC (using "change domain controller" with a host:port). I did this on a test system.
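Mike's snapshot suggestion and camstutz's ntds.dit mount describe the same technique: browse a historical copy of the directory next to the live one. The following PowerShell is an added example, not code from this thread or from any of the tools linked above; it mounts a restored ntds.dit with dsamain.exe on a spare LDAP port, then looks up every unresolved SID on the OU's ACL in that copy so each "Account Unknown" entry gets its former name back. The dit path, LDAP port, OU DN and DC name are placeholders.

```powershell
# Added example (not from the thread): resolve "Account Unknown" SIDs on an OU's ACL
# against a mounted copy of ntds.dit taken from a system-state restore or AD snapshot.
# Assumptions: dsamain.exe is present on the test box (AD DS or AD LDS role), the
# restored ntds.dit sits at $DitPath, and the AD module is installed. Placeholders below.
param(
    [string]$DitPath  = 'D:\Restore\Windows\NTDS\ntds.dit',   # restored database (placeholder)
    [int]   $LdapPort = 10389,                                 # port for the mounted copy
    [string]$OuDn     = 'OU=Users,DC=example,DC=local'         # OU showing "Account Unknown"
)
Import-Module ActiveDirectory

# 1. Expose the restored ntds.dit as a stand-alone, read-only LDAP instance.
#    A database from an older DC version may additionally need -allowUpgrade.
$dsamain = Start-Process -FilePath 'dsamain.exe' -PassThru `
    -ArgumentList "-dbpath `"$DitPath`" -ldapport $LdapPort"
Start-Sleep -Seconds 15   # give the instance time to finish starting

try {
    # 2. Collect ACEs on the live OU whose trustee no longer resolves to a name.
    #    Unresolvable domain principals show up as raw S-1-5-21-... SIDs.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $orphaned = $acl.Access | Where-Object { "$($_.IdentityReference)" -match '^S-1-5-21-' }

    # 3. Look each SID up in the historical copy; a hit tells you what the trustee was,
    #    which is exactly what "Account Unknown" in the ACL editor no longer shows.
    $report = foreach ($ace in $orphaned) {
        $sid = "$($ace.IdentityReference)"
        $old = Get-ADObject -Server "localhost:$LdapPort" -LDAPFilter "(objectSid=$sid)" `
                   -Properties sAMAccountName, objectClass -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sid        = $sid
            WasObject  = if ($old) { $old.DistinguishedName } else { '<not in backup>' }
            Class      = if ($old) { $old.objectClass }        else { '' }
            Inherited  = $ace.IsInherited
            Rights     = $ace.ActiveDirectoryRights
            AccessType = $ace.AccessControlType
        }
    }
    $report | Format-Table -AutoSize

    # 4. Same copy, Mike's use case: what groups did a user belong to at backup time?
    # Get-ADPrincipalGroupMembership -Identity jdoe -Server "localhost:$LdapPort" |
    #     Select-Object -ExpandProperty Name
}
finally {
    # 5. Unmount the historical copy; nothing in the live directory was changed.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
}
```

Rows marked `<not in backup>` are SIDs that were already gone when the backup was taken, so an older backup or snapshot is needed to name them.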
camstutz (Author) commented:
I am accepting Mike's solution as it led me to the answer to view. But I am also awarding some points to Will as he introduced me to great software as well.
Question has a verified solution.