Recover a deleted AD Account?

[bcleary79]

If I deleted an AD account this week, is there a way to recover that
deleted account or is it done forever?

Thanks

 

[Paul Bergson]

You can do it via Authoritative Restore.
http://support.microsoft.com/?kbid=840001

You could also try sysinternals undelete
http://www.sysinternals.com/Utilities/AdRestore.html

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Herb Martin]

If I deleted an AD account this week, is there a way to recover that
deleted account or is it done forever?

Not directly.

You can however -- if you wish to go to the trouble, i.e., it's important
enough to you -- recover it through an "Authoritative Restore".

"Authoritative Restore" is partially misnamed however: First you do
a "non-Authoritative" (ordinary restore of the actual data) of System
State, then you use NTDSUtil to mark some portion of the AD as
"authoritative" (before you bring the DC back online and it replicates.)

The procedure is not difficult -- you can mark all of AD or any particular
"subtree" as authoritative on the restored DC, all the way down to a single
user account (etc.)

First thing is you must have a System State backup.

 

[Jorge de Almeida Pinto]

After you delete an object it will become a tombstone in AD within the
deleted objects container. When an object is deleted values from all
attributes from the object will be stripped and removed (except for system
attributes like "objectGUID", "objectSid", "distinguishedName",
"nTSecurityDescriptor" and "uSNChanged" which are preserved on the
tombstone) (On W2K3 SP1 DCs, the "sIDHistory" attribute is also preserved)
The tombstone is preserved for the period of the tombstone lifetime which is
for:
Fresh install of AD with W2K DCs (all SPs): 60 days
Upgrading AD with W2K DCs to W2K3 DCs: 60 days
Upgrading AD with W2K DCs to W2K3 SP1 DCs: 60 days
Fresh install of AD with W2K3 DCs (all SPs): 60 days
Upgrading AD with W2K3 DCs to W2K3 SP1 DCs: 60 days
Fresh install of AD with W2K3 SP1 DCs (all SPs): 180 days

In both W2K and W2K3 AD you can perform an authoritative restore of the
object using a system state backup that still contains the object and is not
older than the period of the tombstone lifetime . Doing it this way will
restore the object and its attributes

Only in W2K3 AD you can reanimate the tombstone to a live object again. Free
third party utilities (sysinternals, quest) exist that do not repopulate the
attribtues and non-free third party utilities (Netpro RestoreADmin and Quest
Recovery Manager) are available that can undelete/reanimate and repopulate
the attributes

 

[Joe Richards [MVP]]

admod can restore the info that was tombstoned if you have a K3 AD.

As Jorge said, that won't bring back all attribs because all attribs are not
maintained in the tombstone process.

http://www.joeware.net/win/free/tools/admod.htm

 

[Jorge de Almeida Pinto]

sorry Joe.. Forgot about your great free tool ADMOD. I know, I know... Shame
on me! ;-))

--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx

 

[Joe Richards [MVP]]

LOL, don't worry about it.

 

[chriss3 [MVP]]

You can control this in the schema by flip the SearchFlags attribute for a
particular attribute to 0x08 and it will be preserve in the tombstone object
for deleted objects.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup

 

[Joe Richards [MVP]]

Yes and no, some attributes you can flip all day and they will not be tombstoned
or they may be tombstoned but will not be reanimated. Examples being backlinked
attributes or pwdLastSet, etc.