Manually Undeleting Objects in Active Directory
by Daniel Petri - January 8, 2009


As you probably read in my previous articles, "Recovering Deleted Items in Active Directory" and "Restore Windows Server 2003 Active Directory", an administrator might sometimes need to restore deleted objects from the Active Directory database. When an object is deleted from Active Directory, it is not immediately erased but is marked for future deletion. The marker used to designate an AD object scheduled to be destroyed is called a "tombstone". A tombstone is an object whose isDeleted attribute has been set to True; it indicates that the object has been deleted but not yet removed from the directory, much like a deleted file is removed from the file allocation table while its data remains on the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them. The length of time tombstoned objects remain in the directory before being removed (the tombstone lifetime) is, by default, 60 days for Windows 2000/2003 Active Directory, or 180 days for Windows Server 2003 SP1 Active Directory.
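Before starting a manual reanimation it is worth checking how much of the tombstone lifetime is left for the object you want back, because garbage collection makes the recovery impossible once the lifetime expires. The script below is an added example and is not part of the original article; it assumes the ActiveDirectory PowerShell module, read access to the Configuration partition, and a constructed account name (TestUser). It reads the forest's tombstoneLifetime attribute (falling back to the defaults quoted above when the attribute is absent) and estimates the remaining time from the tombstone's whenChanged timestamp.

```powershell
# Added example (not from the article): read the forest's tombstone lifetime and
# estimate how long a given tombstone has left before garbage collection.
# Assumes the ActiveDirectory module; the account name is a constructed placeholder.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on CN=Directory Service in the Configuration partition.
    # When the attribute is absent the forest default applies: 60 days for a forest
    # created with Windows 2000/2003 RTM, 180 days for one created with 2003 SP1 or later.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) {
        Write-Warning "tombstoneLifetime is not set; the forest default (60 or 180 days) applies."
        return $null
    }
    return [int]$ds.tombstoneLifetime
}

function Get-TombstoneRemainingDays {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $tsl = Get-TombstoneLifetimeDays
    # -IncludeDeletedObjects makes the cmdlet send the same "Return Deleted Objects"
    # LDAP control that LDP.exe loads by hand.
    $filter = "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
    $tombstones = Get-ADObject -Filter $filter -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent
    foreach ($t in $tombstones) {
        # Assumption: whenChanged on a tombstone is close to the deletion time,
        # since the deletion was the last write to the object.
        $age = (Get-Date) - $t.whenChanged
        [pscustomobject]@{
            DeletedDN       = $t.DistinguishedName
            LastKnownParent = $t.lastKnownParent
            DaysSinceDelete = [math]::Round($age.TotalDays, 1)
            DaysRemaining   = if ($tsl) { [math]::Round($tsl - $age.TotalDays, 1) } else { 'unknown (default TSL)' }
        }
    }
}

Get-TombstoneRemainingDays -SamAccountName 'TestUser'
```

A negative or very small DaysRemaining value means the object is about to be garbage collected and an authoritative restore from backup is the only remaining option.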

There are several methods of reanimating tombstoned objects in Active Directory. Some are listed in my "Recovering Deleted Items in Active Directory" article. Another method is to recover these items manually, a process called "reanimation".

To manually undelete objects in the Deleted Objects container, follow these steps:

1. Click Start, click Run, and then type LDP.exe.

Note: If the LDP.exe utility is not installed, install the support tools from the Windows Server 2003 installation CD, or get them from Windows 2003 SP1 Support Tools.

2. Use the Connection menu in LDP to perform the connect and bind operations against a Windows Server 2003 domain controller. Specify domain administrator credentials during the bind operation.

3. Click Options > Controls.


4. In the Load Predefined list, click Return Deleted Objects. Under Control Type, click Server, and then click OK.

5. Click View > Tree. Type the distinguished name path of the Deleted Objects container in the domain where the deletion occurred, and then click OK.

Note: The distinguished name path is also known as the DN path. For example, if the deletion occurred in the petri.local domain, the DN path would be:

cn=Deleted Objects,dc=petri,dc=local

6. In the left pane of the window, double-click the Deleted Objects container.

Note: An LDAP query returns only 1000 objects by default. If more than 1000 objects exist in the Deleted Objects container, not all of them appear under it. If your target object does not appear, use NTDSUTIL to raise the maximum number of search results by setting MaxPageSize, as described in the following KB article: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe - 315071.

7. Double-click the object that you want to undelete or reanimate.

8. Right-click the object that you want to reanimate, and then click Modify.

9. Next, change the value of the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation.

To configure the Modify dialog, follow these steps:

a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.

b. Click the DELETE option button, and then click Enter to make the first of two entries in the Entry List dialog.


Important: Do not click Run at this phase!!!

c. In the Attribute box, type distinguishedName. In the Values box, type the new DN path of the reanimated object. For example, to reanimate the TestUser user account to the Sales OU, use the following DN path:

cn=TestUser,ou=Sales,dc=petri,dc=local

Note: If you want to reanimate a deleted object to its original container, append the value of the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.

d. In the Operation box, click REPLACE. Click ENTER.

e. Select the Synchronous check box and the Extended check box.

f. Click RUN. The results pane on the right side shows you that the operation was successful.

10. After you reanimate the objects, click Options > Controls and click the Check Out button to remove the Return Deleted Objects control (1.2.840.113556.1.4.417) from the Active Controls list.
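Steps 2 through 10 are a plain LDAP exchange: bind, search the Deleted Objects container with the Return Deleted Objects control attached, then send one modify that deletes isDeleted and replaces distinguishedName. The script below is an added example, not code from the article, and performs that exchange from PowerShell with System.DirectoryServices.Protocols instead of the LDP.exe dialogs. It assumes a constructed domain controller name (dc01.petri.local), the article's petri.local domain and TestUser account, and a CN with no characters that need DN escaping. It also pages the search so the 1000-result limit discussed in the note to step 6 does not hide the object, and it runs as a dry run unless -Commit is passed.

```powershell
# Added example (not from the article): LDP steps 2-10 as one scripted LDAP exchange.
# Server, domain and account names are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server         = 'dc01.petri.local'                      # assumption
$DeletedObjects = 'CN=Deleted Objects,DC=petri,DC=local'  # the article's example domain

function Connect-Ldap {
    # Step 2: connect and bind as the current (domain admin) user.
    param([string]$Server)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # protect an admin-level session in transit
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    return $conn
}

function Find-Tombstone {
    # Steps 4-6: search the Deleted Objects container with the Return Deleted Objects
    # control (OID 1.2.840.113556.1.4.417) attached. Paging keeps the search complete
    # when more tombstones than MaxPageSize (1000 by default) exist.
    param($Conn, [string]$SamAccountName)
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $DeletedObjects,
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('cn', 'lastKnownParent', 'objectClass'))
    [void]$req.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())
    $paging = [System.DirectoryServices.Protocols.PageResultRequestControl]::new(500)
    [void]$req.Controls.Add($paging)
    $found = @()
    do {
        $resp = $Conn.SendRequest($req)
        foreach ($e in $resp.Entries) { $found += $e }
        $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $paging.Cookie = $pageResp.Cookie
    } while ($pageResp.Cookie -and $pageResp.Cookie.Length -gt 0)
    return $found
}

function Restore-Tombstone {
    # Steps 8-9: one LDAP modify carrying both changes. They must travel in the same
    # operation, which is why LDP has you queue two entries before pressing Run.
    param($Conn, $Entry, [string]$TargetDn, [switch]$Commit)
    $mod = [System.DirectoryServices.Protocols.ModifyRequest]::new()
    $mod.DistinguishedName = $Entry.DistinguishedName
    $delIsDeleted = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete   # no value: remove the attribute
    $setDn = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($TargetDn)
    [void]$mod.Modifications.Add($delIsDeleted)
    [void]$mod.Modifications.Add($setDn)
    # The control stays active for the modify, just as it stays checked in LDP until step 10.
    [void]$mod.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new())
    if (-not $Commit) {
        Write-Host "Dry run: would reanimate '$($Entry.DistinguishedName)' as '$TargetDn'"
        return
    }
    $resp = $Conn.SendRequest($mod)
    return $resp.ResultCode   # Success is the result LDP shows in the right-hand pane
}

$conn  = Connect-Ldap -Server $Server
$hits  = @(Find-Tombstone -Conn $conn -SamAccountName 'TestUser')
if ($hits.Count -ne 1) { throw "Expected exactly one tombstone for TestUser, found $($hits.Count)" }
$entry = $hits[0]
# A tombstone's cn is "<original CN>" + LF + "DEL:<guid>"; LDP displays the LF as \0ADEL:.
$originalCn = ([string]$entry.Attributes['cn'][0]).Split("`n")[0]
$parent     = [string]$entry.Attributes['lastKnownParent'][0]
$targetDn   = "CN=$originalCn,$parent"      # original container, as in the note to step 9c
# $targetDn = "CN=$originalCn,OU=Sales,DC=petri,DC=local"   # or any other container
Restore-Tombstone -Conn $conn -Entry $entry -TargetDn $targetDn
$conn.Dispose()
```

Run it once without -Commit to confirm that exactly one tombstone matched and that the target DN is the one you expect; then add -Commit to Restore-Tombstone. The throw on anything other than a single match is deliberate, since a sAMAccountName that was deleted and recreated more than once will have several tombstones and only one of them is the object you want.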


11. Open Active Directory Users and Computers, and reset the user account passwords, profiles, home directories and group memberships for the deleted users. You need to do this because when the object was deleted, all attribute values except SID, ObjectGUID, LastKnownParent and SAMAccountName were stripped.

12. Enable the reanimated account in Active Directory Users and Computers.

Note: The restored object has the same primary SID as it had before the deletion, but it must be added again to the same security groups to have the same level of access to resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups; Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.

13. If you do not reset the reanimated user account's password, you will get an error saying:

Windows cannot enable object TestUser because:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
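The ordering in steps 11 to 13 matters: a reanimated account carries no password, so enabling it before a reset produces the error quoted above, and its group memberships have to be rebuilt by hand because only the SID, objectGUID, lastKnownParent and sAMAccountName survived the deletion. The script below is an added example, not part of the article; it assumes the ActiveDirectory PowerShell module and constructed names for the user (TestUser), the group (Sales) and the home/profile paths. It first lists which of the stripped attributes are still empty, then performs the password reset, the property fixes, the enable and the group re-add in the order the article requires.

```powershell
# Added example (not from the article): steps 11-13 scripted in the required order.
# Assumes the ActiveDirectory module; user, group and paths are constructed placeholders.
Import-Module ActiveDirectory

function Get-ReanimatedUserState {
    # Only SID, objectGUID, lastKnownParent and sAMAccountName survive a deletion
    # (per the article); every other attribute listed here is empty until reset.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADUser -Identity $SamAccountName -Properties displayName, userPrincipalName,
        profilePath, homeDirectory, memberOf, sIDHistory, pwdLastSet |
        Select-Object SamAccountName, SID, ObjectGUID, Enabled, displayName, userPrincipalName,
            profilePath, homeDirectory,
            @{ n = 'GroupCount';      e = { @($_.memberOf).Count } },
            @{ n = 'sIDHistoryCount'; e = { @($_.sIDHistory).Count } },
            @{ n = 'PasswordSet';     e = { $_.pwdLastSet -ne 0 } }
}

function Complete-ReanimatedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Groups = @(),
        [string]$HomeDirectory,
        [string]$ProfilePath
    )
    Write-Host "State before fix-up:"
    Get-ReanimatedUserState -SamAccountName $SamAccountName | Format-List | Out-String | Write-Host

    # Step 11/13: the password must be reset BEFORE the account is enabled, otherwise
    # Enable-ADAccount fails with "Unable to update the password ...".
    $newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
    # Force a change at next logon so the admin-chosen password is short-lived.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    if ($HomeDirectory) { Set-ADUser -Identity $SamAccountName -HomeDirectory $HomeDirectory }
    if ($ProfilePath)   { Set-ADUser -Identity $SamAccountName -ProfilePath $ProfilePath }

    # Step 12: enable only after the password exists.
    Enable-ADAccount -Identity $SamAccountName

    # Step 11, group memberships: the SID is unchanged, but access granted through
    # groups returns only once the account is a member again.
    foreach ($g in $Groups) {
        Add-ADGroupMember -Identity $g -Members $SamAccountName
    }

    Write-Host "State after fix-up:"
    Get-ReanimatedUserState -SamAccountName $SamAccountName | Format-List | Out-String | Write-Host
}

Complete-ReanimatedUser -SamAccountName 'TestUser' -Groups @('Sales') `
    -HomeDirectory '\\fs01\home\TestUser' -ProfilePath '\\fs01\profiles\TestUser'
```

Record the "before" output with the ticket for the recovery: it is the evidence that the object came back with nothing but its identity attributes, and it tells you exactly which group memberships and paths were rebuilt by hand rather than restored from the directory.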

For organizations using Exchange 2003, you need to remove the Microsoft Exchange attributes and reconnect the user to the Exchange mailbox. To do so, follow these steps:

1. In Active Directory Users and Computers, right-click the restored user and select Exchange Tasks.

2. Select Remove Exchange Attributes and click OK all the way until the end of the wizard.

3. In Exchange System Manager, navigate to the mailbox store containing the recovered user's mailbox. Refresh the Mailboxes node list and, if needed, right-click the Mailboxes node and select Run Cleanup Agent. Note that the deleted user's mailbox is marked with a red X.

4. Right-click the deleted mailbox and select Reconnect.

5. Type the reanimated user's name. Press Check Names, then click OK.

6. The mailbox is now reconnected. Wait a couple of minutes or re-run the Recipient Update Service from the Exchange System Manager console.

You can automate some or all of these recovery steps by using the following methods:

Write a script that automates the manual recovery steps.

Obtain a non-Microsoft program that supports the reanimation of deleted objects on Windows Server 2003 domain controllers. Read my "Recovering Deleted Items in Active Directory" article for more info on that.
