Re-creating Active Directory User Account

Posted on 2014-08-03
Medium Priority
Last Modified: 2014-08-03
I wonder: if I delete an AD user account that had access to resources, then have second thoughts and re-create the same user account with the same name, will the new account have the same access rights as the one that was deleted?

Thank you
Question by:jskfan

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 668 total points
ID: 40237618
It will not. Windows handles permissions internally by a unique identifier called a SID. Each time an account is created, a new SID is generated. Even if you create an account with the same name as an old account, the generated SID will be different and therefore will not match the permissions given on resources.
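A lab walk-through of the point above, added here as an example (this is not code from the original post or from the answerer). It assumes a test domain where the account 'jdoe.lab' may be created and deleted, a local folder C:\Lab\ProjectShare, and the ActiveDirectory module; all three names are assumptions. It creates the account, grants it an ACE, deletes and re-creates it under the same name, then reads the ACL back as raw SIDs to show that the ACE now points at a SID no account owns.

```powershell
# Added example, not code from the original post or from any of the answerers.
# Assumptions: a lab domain, the account name 'jdoe.lab', the folder C:\Lab\ProjectShare,
# and the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$sam    = 'jdoe.lab'
$folder = 'C:\Lab\ProjectShare'
$pw     = Read-Host -AsSecureString 'Temporary password for the lab account'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Create the account and keep its SID. The RID (last component of the SID) is
#    handed out from the domain's RID pool and is never reused.
New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw -Enabled $true
$oldSid = (Get-ADUser -Identity $sam).SID
"Original SID:   $($oldSid.Value)"

# 2. Grant the account Modify on the folder. The ACE is written with the SID,
#    not the name, so it is bound to this particular account object.
$acl  = Get-Acl -LiteralPath $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $oldSid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# 3. Delete the account and re-create it with exactly the same name.
Remove-ADUser -Identity $sam -Confirm:$false
New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw -Enabled $true
$newSid = (Get-ADUser -Identity $sam).SID
"Re-created SID: $($newSid.Value)"
"Same SID?       $($oldSid.Value -eq $newSid.Value)"    # False

# 4. Read the ACL back as raw SIDs (no name lookup, so a stale LSA lookup cache on
#    the file server cannot disguise the problem). The old SID is still in the ACL
#    and now matches no account; the new account has no ACE at all.
$acl = Get-Acl -LiteralPath $folder
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    ForEach-Object {
        $state = if ($_.IdentityReference.Value -eq $oldSid.Value) { 'ORPHANED: SID of the deleted account' }
                 elseif ($_.IdentityReference.Value -eq $newSid.Value) { 'current account' }
                 else { '' }
        "{0,-45} {1,-12} {2}" -f $_.IdentityReference.Value, $_.FileSystemRights, $state
    }
```

Reading the rules as SecurityIdentifier rather than NTAccount matters in practice: a file server caches SID-to-name lookups, so for a while the orphaned ACE can still display the old account name even though the SID behind it no longer exists.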

Assisted Solution

Mahesh earned 1332 total points
ID: 40237657
You need to add the new account again to all the groups the previous account was in, and also re-ACL all permissions set on resources, including profiles.
To map the old account's user profile to the new, identical account you can use the Profwiz tool.
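The regroup-and-re-ACL work described in this answer, as an added example (not code from the original post or from the answerer). It assumes the account 'jdoe.lab', a snapshot file C:\Lab\jdoe.lab.json, a share rooted at D:\Shares\Projects and the ActiveDirectory module; those names are assumptions. Save-AccountSnapshot is run before the deletion to capture what will be lost (the SID and the group list); Repair-RecreatedAccount is run after the account has been re-created and rewrites every explicit ACE under the share that still carries the old SID, then re-adds the groups.

```powershell
# Added example, not code from the original post or from Mahesh's answer.
# Assumptions: account 'jdoe.lab', snapshot file C:\Lab\jdoe.lab.json, share root
# D:\Shares\Projects, ActiveDirectory module. Run Save-AccountSnapshot BEFORE deleting
# the account and Repair-RecreatedAccount AFTER it has been re-created.
Import-Module ActiveDirectory

$sam       = 'jdoe.lab'
$snapshot  = 'C:\Lab\jdoe.lab.json'
$shareRoot = 'D:\Shares\Projects'

function Save-AccountSnapshot {
    # Record the two things a delete/re-create destroys: the SID the ACLs reference,
    # and the group memberships (stored as DN links on the group objects).
    $u = Get-ADUser -Identity $sam -Properties MemberOf
    [pscustomobject]@{
        Sam      = $u.SamAccountName
        Sid      = $u.SID.Value
        MemberOf = @($u.MemberOf)
    } | ConvertTo-Json | Set-Content -Path $snapshot
}

function Repair-RecreatedAccount {
    $snap   = Get-Content -Path $snapshot -Raw | ConvertFrom-Json
    $newSid = (Get-ADUser -Identity $sam).SID
    if ($snap.Sid -eq $newSid.Value) { throw "SID unchanged; '$sam' was not re-created" }
    $oldSid = New-Object System.Security.Principal.SecurityIdentifier $snap.Sid

    # 1. Group membership: add the new object to every group the old one was in.
    foreach ($groupDn in @($snap.MemberOf)) {
        Add-ADGroupMember -Identity $groupDn -Members $sam
    }

    # 2. Re-ACL: rewrite every explicit ACE that still names the old SID. Inherited
    #    ACEs are skipped on purpose; they are fixed when their source folder is rewritten.
    $changed = 0
    $items = @(Get-Item -LiteralPath $shareRoot) +
             @(Get-ChildItem -LiteralPath $shareRoot -Recurse -Force)
    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $stale = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                   Where-Object { $_.IdentityReference.Value -eq $oldSid.Value })
        $ownedByOld = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -eq $oldSid.Value
        if ($stale.Count -eq 0 -and -not $ownedByOld) { continue }

        foreach ($ace in $stale) {
            # Same rights, inheritance, propagation and allow/deny; only the identity changes.
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)))
        }
        # Ownership is a SID too (it also drives quota accounting); hand it over if needed.
        if ($ownedByOld) { $acl.SetOwner($newSid) }

        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $changed++
    }
    "Re-ACLed $changed item(s) under $shareRoot; $(@($snap.MemberOf).Count) group(s) re-added"
}
```

The ownership step needs an account holding SeRestorePrivilege on the file server (a local administrator has it), since setting the owner to someone other than yourself is otherwise refused. Profile folders and registry hives carry the same kind of SID-bound ACEs, which is what the profile-migration tool mentioned above rewrites on the workstation.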

Author Comment

ID: 40237734
Does Forensit do the remap as well as re-ACL the permissions, or just one of them?

I believe that we can do an authoritative restore with NTDSUTIL, but it is a long process;
we'll have to use the backup.

Expert Comment

ID: 40237753
Forensit will do both for an existing old user profile on a desktop / laptop.

But it cannot translate user data stored on a file server in shared folders;
you have to do that manually.

An AD authoritative restore is one option; however, you can use the AD Restore freeware utility / Quest free utility to recover the object without restoring an AD system state backup.

Note that the above utilities will restore the original object from the AD tombstone with its SID and user logon name; however, user group membership and most other attributes will be lost, and you need to configure that information manually again.
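What tombstone reanimation gives back, and what it does not, as an added example (not code from the original post or from the commenter). It assumes the deleted account 'jdoe.lab', the ActiveDirectory module, and two group names ('GG-Finance', 'GG-VPN-Users') the account used to belong to; all are assumptions. Restore-ADObject is used here for the reanimation step that the freeware tools named above perform.

```powershell
# Added example, not code from the original post or from Mahesh's comment.
# Assumptions: deleted account 'jdoe.lab', ActiveDirectory module, and the group names
# 'GG-Finance' and 'GG-VPN-Users' that the account used to be a member of.
Import-Module ActiveDirectory
$sam = 'jdoe.lab'

# Tombstones live under CN=Deleted Objects and are hidden from ordinary searches.
$tomb = Get-ADObject -Filter { sAMAccountName -eq $sam -and isDeleted -eq $true } `
            -IncludeDeletedObjects `
            -Properties objectSid, sAMAccountName, lastKnownParent, memberOf, description
if (-not $tomb) { throw "No tombstone for '$sam': it was never deleted or the tombstone lifetime has passed" }

# What the tombstone kept: identity attributes. What it stripped: links and most data.
"Tombstone DN:     $($tomb.DistinguishedName)"      # CN=jdoe.lab\0ADEL:<guid>,CN=Deleted Objects,...
"Original SID:     $($tomb.objectSid.Value)"
"Restore target:   $($tomb.lastKnownParent)"
"Groups kept:      $(@($tomb.memberOf).Count)"       # 0: member links were removed on deletion
"Description kept: $(-not [string]::IsNullOrEmpty($tomb.description))"

# Reanimate. The object returns under lastKnownParent with the same SID and logon name,
# so file ACLs that still carry that SID resolve again without a re-ACL.
Restore-ADObject -Identity $tomb.ObjectGUID
$restored = Get-ADUser -Identity $sam -Properties MemberOf, Enabled
"SID preserved:    $($restored.SID.Value -eq $tomb.objectSid.Value)"   # True
"Enabled:          $($restored.Enabled)"
"Groups now:       $(@($restored.MemberOf).Count)"                      # still 0

# Everything the tombstone dropped has to be rebuilt by hand.
Set-ADAccountPassword -Identity $sam -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Enable-ADAccount -Identity $sam
foreach ($g in 'GG-Finance', 'GG-VPN-Users') {
    Add-ADGroupMember -Identity $g -Members $sam
}
```

Because the SID survives, this path is preferable to re-creating the account whenever the tombstone still exists: the file server and profile ACLs need no rewriting, and only the directory-side attributes (password, enabled state, group links, description and the like) have to be put back.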

Author Comment

ID: 40237756
There is a feature called AD Recycle Bin.
Won't this be the easiest way?

Accepted Solution

Mahesh earned 1332 total points
ID: 40237763
You cannot use that feature unless you have 2008 R2 Active Directory forest and domain functional levels.
Also, even if all of your DCs are 2008 R2 and above and you activate that feature now, it won't recover the object for you; it can only restore, with all attributes, objects that are deleted after you activate the feature.
The feature is disabled by default on 2008 R2 and above DCs;
you need to explicitly enable it.
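Checking and enabling the feature, as an added example (not code from the original post or from the answerer). It assumes the ActiveDirectory module, Enterprise Admins rights, and a session against a domain controller in the forest root; the account name 'jdoe.lab' in the restore function is an assumption. The script checks the forest functional level, which is the hard requirement, lists users that are currently tombstones, and only then enables the feature, because enabling it converts existing tombstones into recycled objects that can no longer be reanimated.

```powershell
# Added example, not code from the original post or from Mahesh's answer.
# Assumptions: ActiveDirectory module, Enterprise Admins rights, forest-root DC reachable,
# and the account name 'jdoe.lab' used in Restore-DeletedUser.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$enabled = @($feature.EnabledScopes).Count -gt 0
"Forest functional level: $($forest.ForestMode)"
"Recycle Bin enabled:     $enabled"

# Anything already in the tombstone state must be reanimated BEFORE enabling the feature:
# enabling it turns existing tombstones into recycled objects, which cannot be restored.
$tombstones = @(Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
                  -IncludeDeletedObjects -Properties lastKnownParent, whenChanged)
if (-not $enabled -and $tombstones.Count -gt 0) {
    "$($tombstones.Count) deleted user(s) would become unrecoverable once the feature is enabled:"
    $tombstones | Format-Table Name, whenChanged, lastKnownParent -AutoSize
}

if (-not $enabled) {
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest functional level $($forest.ForestMode) is below $required; raise it first"
    }
    # Irreversible and forest-wide. From this point on a deletion keeps every attribute,
    # group links included, for msDS-DeletedObjectLifetime days.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# With the feature on, an object deleted afterwards comes back whole: same SID, same groups.
function Restore-DeletedUser {
    param([string]$Sam = 'jdoe.lab')   # name is an assumption for this example
    $obj = Get-ADObject -Filter { sAMAccountName -eq $Sam -and isDeleted -eq $true -and isRecycled -ne $true } `
               -IncludeDeletedObjects
    if (-not $obj) { throw "No restorable deleted object named '$Sam'" }
    Restore-ADObject -Identity $obj.ObjectGUID
    Get-ADUser -Identity $Sam -Properties MemberOf | Select-Object SamAccountName, SID, MemberOf
}
```

The order matters: reanimate any tombstone you still care about first (the previous example does that), then enable the Recycle Bin. After that, Restore-DeletedUser is the whole recovery for a future mistaken deletion; nothing on the file servers or in the groups needs touching because the SID and the links are both restored.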

Author Comment

ID: 40237798
Thanks Mahesh...
That should be a cool feature...
will save Admins a lot of pain

Author Closing Comment

ID: 40237800
