Solved

Active Directory object recovery

Posted on 2013-12-17
8
416 Views
Last Modified: 2013-12-19
I had a question about Active Directory object recovery. I have an AD where two problems arose. The first was after clicking "enable inheritance" on a couple of users. It changed a list of known accounts to unknown. The second is one of the unknown accounts was accidentally removed. Being unknown, I don't know what it was to add it back.

I am somewhat familiar with AD Restore, but not sure if this will work since the changes would have replicated to all of the other DC's in the area. The box where the changes were made was an exchange server with ADUC installed and it would have replicated (from my understanding) to the DC's.

The exchange box is a 2012 server with exchange 2013 on it. The other DC's are 2008R2 I believe.

Can someone point in me the right direction of what I need to do to rollback the changes (if possible)

If more information is needed, I will provide as I can.

Thanks in advanced
0
Comment
Question by:camstutz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39724350
you mentioned 2008 R2...are you in 2008 F2 forest functional level.

The reason I ask is because if you have the AD recycle bin feature enabled that makes recovery much easier.

Do you have a good backup of your system state on the DC?  May need too which is why I'm asking.

Thanks

Mike
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
ID: 39724404
As Mike has already asked the question, if you have a 2008 R2 Forest you can recover items with powershell or using ldp.exe.

Below are a couple of links which should be able to assist with your restore process.

Powershell/LDP.exe Restore - http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Free AD Restore Tools - (try ADRestore.net) http://social.technet.microsoft.com/wiki/contents/articles/5035.free-ad-objects-recovery-tools.aspx

Will.
0
 

Author Comment

by:camstutz
ID: 39724484
I apologize, we are are in a 2003 forest and domain functional level.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:camstutz
ID: 39724500
I'm sorry for leaving this out in the first post, but the user wasn't deleted, just a security principal/group was removed and how to change the account unknowns back to known (this happened after clicking "enable inheritance" on an already existing user account.

Again, I apologize that it wasn't clear in the first post.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39724503
The Restore Tools should work for you. ADRestore.net is compatible with 2003 Forest/Domain FL.

Will.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 350 total points
ID: 39724525
Once you are done with this fire, consider taking regular AD snapshots, you can search for more info on them   http://blogs.technet.com/b/niraj_kumar/archive/2009/02/05/active-directory-snapshot-new-feature-in-windows-2008.aspx

If you had one you could just mount the snapshot and see what groups the user used to be a part of.  Some folks take daily and/or weekly snapshots.

Thanks

Mike
0
 

Author Comment

by:camstutz
ID: 39730397
Hello Mike and Will.

I apologize for not getting back sooner. After looking into this problem first, I am changing my mind that the known accounts changed to unknown. I looked at the security principals on the OU itself and it had a list of unknown accounts. I think that the user object picked up the "Account Unknown" entries from the OU itself. (after clicking 'enable inheritance').  I am decently certain that an "Account Unknown" entry was one that was accidentally removed.

Additionally, the servers have DPM backups with system state that include Active Directory. Using a method that was suggested, I was able to restore the system state to an alternative directory. I then mounted the vhd and then mounted and browsed the ntds.dit file using ADUC (using change domain controller:port) I did this on a test system.
0
 

Author Closing Comment

by:camstutz
ID: 39730405
I am accepting Mike's solution as it led me to the answer to view. But I am also awarding some points to Will as he introduced me to great software as well.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question