If you ever do what I did... this article might save your job. I accidentally deleted four users in the domain... thought I was deleting them from a group. LOSER!!! Regardless... this will help you find the deleted users and re-enable them.
1. Click Start, click Run, and then type ldp.exe. If the Ldp utility is not installed, install the support tools from the Windows Server 2003 installation CD.
2. On the Connection menu in Ldp, click Connect and connect to a Windows Server 2003 domain controller, then click Bind and bind with domain administrator credentials. The undelete is a write to a tombstone, so the bound account needs the rights to modify objects in the Deleted Objects container and to create the object in its destination container.
3. On the Options menu, click Controls.
4. In the Load Predefined list, click Return Deleted Objects. The 1.2.840.113556.1.4.417 control moves to the Active Controls window.
5. Under Control Type, click Server, and then click OK.
6. On the View menu, click Tree, type the distinguished name (DN) path of the Deleted Objects container in the domain where the deletion occurred, and then click OK. For example, if the deletion occurred in the contoso.com domain, the DN path is: CN=Deleted Objects,DC=contoso,DC=com
7. In the left pane of the window, double-click the Deleted Objects container.
An LDAP search returns at most 1000 objects by default (the MaxPageSize LDAP policy). If more than 1000 objects exist in the Deleted Objects container, Ldp's tree view will not show all of them. If your target object does not appear, either narrow the search with a filter such as (&(isDeleted=TRUE)(sAMAccountName=JohnDoe)) from Ldp's Browse, Search dialog (with the Return Deleted Objects control still active), or raise the limit with ntdsutil: at the ntdsutil prompt type ldap policies, then connections, connect to server <dc>, q, set maxpagesize to <n>, and commit changes. The LDAP query policy is shared by the domain controllers that use the default policy, so change it back after the recovery.
8. Double-click the object that you want to undelete or to reanimate.
9. Right-click the object that you want to reanimate, and then click Modify.
Change the value for the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:
a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.
b. Click the Delete option button, and then click Enter to make the first of two entries in the Entry List. Important: do not click Run yet.
c. In the Attribute box, type distinguishedName.
d. In the Values box, type the new DN path of the reanimated object.
For example, to reanimate the JohnDoe user account to the Mayberry OU, use the following DN path:
cn=JohnDoe,ou=Mayberry,dc=contoso,dc=com
Note If you want to reanimate a deleted object to its original container, build the new DN from the object's original CN and the value of its lastKnownParent attribute (for example CN=JohnDoe plus OU=Mayberry,DC=contoso,DC=com), and then paste the full DN path in the Values box. The CN shown on the tombstone is mangled to "<original CN>\0ADEL:<objectGUID>"; use only the part before the \0ADEL: marker.
e. In the Operation box, click REPLACE.
f. Click ENTER.
g. Click to select the Synchronous check box.
h. Click to select the Extended check box.
i. Click RUN.
10. After you reanimate the objects, click Controls on the Options menu, select Return Deleted Objects (1.2.840.113556.1.4.417) in the Active Controls list, and then click Check Out to remove it.
11. Reset user account passwords, profiles, home directories and group memberships for the deleted users.
When the object was deleted, most of its attribute values were stripped. By default a Windows Server 2003 tombstone keeps only a small set, including objectSid, objectGUID, lastKnownParent and sAMAccountName; the password, profile path, home directory and group memberships are gone and must be recreated.
12. Enable the reanimated account in Active Directory Users and Computers.
Note The reanimated object has the same objectSid as it had before the deletion, but because group membership is stored on the groups (their member attribute was updated when the object was deleted), the object must be added again to the same security groups to have the same level of access to resources. The first release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups. Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
13. Remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox.
The reanimation of deleted objects is supported when the deletion occurs on a Windows Server 2003 domain controller. The reanimation of deleted objects is not supported when the deletion occurs on a Windows 2000 domain controller that is subsequently upgraded to Windows Server 2003.
If the deletion occurs on a Windows 2000 domain controller in the domain, the lastKnownParent attribute is not populated on the tombstone, so Windows Server 2003 domain controllers have no record of the original container.
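The same recovery done from Windows PowerShell instead of the Ldp dialogs, as an added example that is not part of the original post or of the Microsoft article it follows. It performs the one LDAP modify of step 9 (delete isDeleted, replace distinguishedName) with the Return Deleted Objects control attached, using System.DirectoryServices.Protocols on a domain-joined machine. The DC name dc01.contoso.com, the domain DN and the user JohnDoe are assumptions; replace them with your own.

```powershell
# Added example (not from the original post or the Microsoft KB it follows):
# reanimate a tombstoned user with System.DirectoryServices.Protocols from
# Windows PowerShell 5.1 on a domain-joined admin workstation.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.contoso.com'    # assumption: a writable domain controller
$DomainDN = 'DC=contoso,DC=com'   # assumption: domain where the deletion happened
$Sam      = 'JohnDoe'             # assumption: sAMAccountName of the deleted user

# Step 2: connect and bind with the current (domain admin) credentials, signed and sealed.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Server
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# Steps 3-7: search the Deleted Objects container with the Return Deleted Objects
# control (1.2.840.113556.1.4.417); without it the DC never returns tombstones.
# Filtering on sAMAccountName sidesteps the 1000-object browse limit; the
# paged-results control below copes with it anyway if you broaden the filter.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest
$search.DistinguishedName = "CN=Deleted Objects,$DomainDN"
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$Sam))"
$search.Scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$search.Attributes.AddRange([string[]]('cn', 'sAMAccountName', 'lastKnownParent', 'objectSid'))
$null = $search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
$paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl 500
$null = $search.Controls.Add($paging)

$tombstones = @()
do {
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($search)
    foreach ($entry in $resp.Entries) { $tombstones += $entry }
    $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $paging.Cookie = $pageResp.Cookie
} while ($paging.Cookie -and $paging.Cookie.Length -gt 0)

if ($tombstones.Count -ne 1) {
    throw "Expected exactly one tombstone for $Sam, found $($tombstones.Count); inspect before reanimating."
}
$ts = $tombstones[0]

# Deletions made on a Windows 2000 DC leave lastKnownParent empty (see the note
# above); without it there is no recorded original container.
if (-not $ts.Attributes['lastKnownParent']) {
    throw "$($ts.DistinguishedName) has no lastKnownParent; choose a destination OU by hand."
}

# The tombstone's CN is mangled to '<old CN>' + LF + 'DEL:<objectGUID>' (the \0ADEL:
# marker), so keep only the part before the line feed and rebuild the original DN.
$oldCn  = ($ts.Attributes['cn'].GetValues([string])[0] -split "`n")[0]
$parent = $ts.Attributes['lastKnownParent'].GetValues([string])[0]
$newDn  = "CN=$oldCn,$parent"
Write-Host "Reanimating $($ts.DistinguishedName) -> $newDn"

# Step 9 a-i: one modify that deletes isDeleted and replaces distinguishedName.
# The Show Deleted control must accompany the modify, just as it stays checked
# in Ldp until step 10.
$mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
$mod.DistinguishedName = $ts.DistinguishedName

$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$null = $setDn.Add($newDn)

$null = $mod.Modifications.Add($delIsDeleted)
$null = $mod.Modifications.Add($setDn)
$null = $mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
$null = $conn.SendRequest($mod)   # throws DirectoryOperationException on failure
$conn.Dispose()

# Steps 11-12 still apply: the account comes back disabled, with no password and
# no group memberships. Where the ActiveDirectory module is available (RSAT on
# 2008 R2 and later, not the 2003-era tooling the post uses), that is:
#   Set-ADAccountPassword -Identity $newDn -Reset -NewPassword (Read-Host -AsSecureString 'New password')
#   Enable-ADAccount -Identity $newDn
#   Add-ADGroupMember -Identity <group> -Members $newDn   # once per group, from your pre-deletion record
```

The script refuses to continue unless the search returns exactly one tombstone, because a user that was deleted and recreated more than once leaves several tombstones with the same sAMAccountName and different objectSid values; pick the one whose SID your ACLs reference before reanimating.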