They do have an undelete option... It is in Windows Server 2003 AD. Don't expect it to be back ported to Windows 2000 AD as that OS is now over 5 years old and the newer version is a couple of years old.

You can actually use admod as well as other tools to undelete things in Windows Server 2003 AD; the issue comes down to how much data actually gets pulled back. This is controlled by the schema and you can set some additional items to be returned when the object is returned from the deleted objects container. Note some things you can and can't return regardless of settings.
Ex:

<Command line snippets>

[Thu 02/17/2005 8:21:28.40]
F:\temp>makeu DelTest
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Completed.

[Thu 02/17/2005 8:21:36.28]
F:\temp>adfind -default -f name=deltest -dsq
"CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005 8:22:10.34]
F:\temp>adfind -default -f name=deltest -dsq |admod -rm
AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: cn=deltest,ou=tmptestou,ou=joeware2,ou=exchange,dc=joe,dc=com...
The command completed successfully

[Thu 02/17/2005 8:22:18.99]
F:\temp>adfind -default -f name=deltest -dsq

[Thu 02/17/2005 8:22:45.21]
F:\temp>adfind -default -f name=deltest -dsq -showdel

[Thu 02/17/2005 8:22:51.88]
F:\temp>adfind -default -f name=deltest* -dsq -showdel
"CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com"

[Thu 02/17/2005 8:22:57.68]
F:\temp>adfind -default -f name=deltest* -dsq -showdel |admod -undel
AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004
DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=deltest\0adel:2b2b6bc9-c4cc-49af-886a-df1b504ae919,cn=deleted objects,dc=joe,dc=com...
The command completed successfully

[Thu 02/17/2005 8:23:09.15]
F:\temp>adfind -default -f name=deltest -dsq
"CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005 8:23:43.97]
F:\temp>adfind -default -f name=deltest
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: deltest
>distinguishedName: CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050217132136.0Z
>whenChanged: 20050217132309.0Z
>uSNCreated: 1458430
>uSNChanged: 1458455
>name: deltest
>objectGUID: {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-8347
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: DelTest
>sAMAccountType: 805306368
>lastKnownParent: OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132219.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned

[Thu 02/17/2005 8:23:51.97]
F:\temp>
<Tracking log Snippet>

-------------------------------------------------
Creates between Thu Feb 17 08:24:57 2005 - Thu Feb 17 08:25:08 2005

Initial Settings
CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
  cn : DelTest
  distinguishedName : CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
  instanceType : 4
  name : DelTest
  objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
  objectClass : top#person#organizationalPerson#user
  objectGUID : {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
  objectSid : S-1-5-21-1862701446-4008382571-2198042679-8347
  primaryGroupID : 513
  sAMAccountName : DelTest
  sAMAccountType : 805306368
  uSNChanged : 1458431
  uSNCreated : 1458430
  userAccountControl : 546
  whenChanged : 20050217132136.0Z
  whenCreated : 20050217132136.0Z
-------------------------------------------------

-------------------------------------------------
Updates between Thu Feb 17 08:25:42 2005 - Thu Feb 17 08:25:54 2005

UPDATE: CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com <GUID=c96b2b2bccc4af49886adf1b504ae919>
  UPD cn: (DelTest) -> (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
  ADD dSCorePropagationData: (20050217132219.0Z#20050217132219.0Z#20050217132218.0Z#16010108151056.0Z)
  UPD distinguishedName: (CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com) -> (CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com)
  ADD isDeleted: (TRUE)
  UPD name: (DelTest) -> (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
  UPD uSNChanged: (1458431) -> (1458442)
  UPD whenChanged: (20050217132136.0Z) -> (20050217132218.0Z)
  DEL objectCategory: (CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
  DEL primaryGroupID: (513)
  DEL sAMAccountType: (805306368)
-------------------------------------------------

-------------------------------------------------
Updates between Thu Feb 17 08:26:29 2005 - Thu Feb 17 08:26:40 2005

UPDATE: CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com <GUID=c96b2b2bccc4af49886adf1b504ae919>
  UPD cn: (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919) -> (deltest)
  UPD dSCorePropagationData: (20050217132219.0Z#20050217132219.0Z#20050217132218.0Z#16010108151056.0Z) -> (20050217132309.0Z#20050217132309.0Z#20050217132309.0Z#20050217132219.0Z#16010108151056.0Z)
  UPD distinguishedName: (CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com) -> (CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com)
  UPD name: (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919) -> (deltest)
  ADD objectCategory: (CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
  ADD primaryGroupID: (513)
  ADD sAMAccountType: (805306368)
  UPD uSNChanged: (1458442) -> (1458455)
  UPD whenChanged: (20050217132218.0Z) -> (20050217132309.0Z)
  DEL isDeleted: (TRUE)
-------------------------------------------------
On the mouse slips and such... This is one *more* reason NOT to use the GUI. Or at least to use it with an ID that has the power to make mass updates. While you can make mistakes with the command line as well, at least you can look at the command line multiple times prior to doing anything. One really good solution is to force all work through scripts or some proxy that can apply logic to what you are doing; for instance, if you tell it to delete 100 users it comes back and says, are you really sure? And then it doesn't really delete them even if you say you are sure, it simply renames them and/or disables them and tucks them away for a couple of days to make sure you weren't on a drunken or drug induced craze or something.
The people with the power in your directory should be people who it would be extremely odd to ever make a mistake there, not someone who says anyone can make a mistake. If you are standing in a crowd, say as a soldier to help calm the group down or as a police officer with a gun, and it goes off and you kill 4 people, the response of "anyone can make a mistake" won't cut it. You put special people in that position that you are confident won't make that mistake. Then if you can, you add things to make it even more unlikely it will occur; like with a gun you have a safety and a ton of protocol training so there aren't just reactions, there are calculated reactions.
I admin'ed a large forest (~250,000 users) for a long time and we didn't have mistakes like this of any real consequence. Groups could only be created/deleted by four people (1 manager and 3 analysts) although their group membership could be managed by any number of people. All told we had several thousand people who could manage various groups around the world. The three people who did the actual work didn't even do it through GUI or other native tools; they used scripts that had business logic and verified the input and processed the requests carefully. The next step was to throw that process on a web site and the three people wouldn't even be involved; the person who needed the group would connect to the website and do the work and they wouldn't be allowed to make mistakes that were permanent. This also went for server computer accounts. Workstation computer accounts we allowed lower level admins to work with, but then deleting a workstation account isn't in the same ball park with a deleted server or group or user object. Basically the gun we gave the lower level admins was a paint gun and we put goggles on them so any pain should be small and temporary. Though with concerted effort they could have still hurt themselves by deleting lots of machine accounts. However it was their pain as they would be putting them all back manually.
I am not trying to be harsh here, only
realistic. In the next couple of paragraphs, you is the generic you of anyone
reading this, not any specific person you.
If you are opening up the GUI
or in fact doing anything in AD with a high powered ID and you don't have some
fear and trepidation you need to close out what you are doing and go away until
you do. That little bit of fear or concern keeps you on your toes and makes you
realize you can really hurt something. You should never be "comfortable"
wandering around in the GUI with an admin ID. You show me someone who kicks
around in the GUI of a production environment with an admin ID like it is no big
cheese and I will show you someone who won't be an admin in an environment I
have a say over. Moving around quickly in a GUI is not something to be impressed
by.
The group I previously described had a turnover of 3 new people over the course of about 3 years (one position replaced twice, another position replaced once). Not a single one of those new people got an admin ID for at least 3 months, and it wasn't until the rest of the admins had a feeling that the new admin had the proper level of fear and respect for the directory as well as understood the specific environment as well as Active Directory. Even if Don H. himself walked into our environment he would not have gotten an Admin ID or access to an Admin ID in less than three months, and that only if he was on our team, not there as an MS person. He may know AD, but he doesn't know how it was used there and didn't understand the environment. A mistake in that directory could literally put an entire Fortune 10 company down for the count or at least one of its many divisions. A mistake at our admin level most likely wasn't going to be able to successfully be responded to with "anyone can make a mistake". It would probably result in someone looking for a new job.
When I go in and look
at some company's AD, I specifically ask for an ID that has no ability to modify
things, I simply want to see. I don't want to have any possibility of changing
anything except my password. Normally user and Exchange view is all I need to do
my job. It scares me how fast some companies will give people admin rights when
someone walks through the door. I have several MCS friends who got quite chapped
with me beating on them for several years when they were in the environment I
controlled because they had normal user access and that was about it. They need
replication metadata in 2K, do they get an admin ID? Nope, I set up a perl cgi
script and they hit a website that got the data for them. No reason was ever
good enough for them to have admin rights. At best they could sit next to
someone with those rights. Anyway, they were always quite pissy about that. Then
after a couple of years of daily onsite work and dealing with me they finished
their work with us and went to other places. They actually had fear for how much
power they were given when they walked in the door (here you go, you must know
AD, have enterprise admin!) and realized how safe my environment was compared to
the others they work with now. If a company gives out access that quickly...
They don't really have change control no matter how much they want to think so
and how many processes they have around it.
Basically you as an admin
need to sit down and look at the points where you have dangerous processes and
you make them as non-dangerous as possible. Generically, if you have any
processes where you manually update the directory with an ID that has add/delete
capabilities and you are using the GUI, you have a dangerous process that needs
to be reworked. You can't rework them all in an instant so you take time, maybe
even months or years going through and fixing those processes. Do it in baby
steps, first scripts, then automated systems. Focus on the things that you do a
lot first and then go to the things you do less. If you can't script, learn. You
aren't an admin if you can't script, you are a button pusher that can and
possibly should be replaced. If you have admins logging into their workstations
with their admin IDs, smack them. If they are logging into servers (real server
not TS) to do work that can be done remotely from the workstations, smack them.
If they use IE/OE on a server (real server not a TS), smack them. If they have
someone come to them and complain about an ID that runs a service and it is a
pain to change the password so the first thing they think of is to set the ID to
be non-expiring, smack them and then fire them.
joe
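The adfind -showdel / admod -undel sequence above, written out as the raw LDAP operations behind it. This is an added example, not joe's code and not part of the joeware tools; it uses System.DirectoryServices.Protocols so every step is visible. It assumes the DC and domain from the page (2k3dc01.joe.com, DC=joe,DC=com, a Windows Server 2003 or later DC), that the deleted object's RDN attribute is CN, and that the caller holds the Reanimate Tombstones control access right on the naming context (granted by default only to the domain's administrator groups). Two details matter: tombstones are invisible unless the request carries the LDAP_SERVER_SHOW_DELETED_OID control, and the undelete is a single modify that removes isDeleted and replaces distinguishedName with the original RDN under lastKnownParent. The last function lists which attributes the schema keeps on a tombstone (searchFlags bit 0x8), which is the setting joe refers to when he says what comes back is controlled by the schema.

```powershell
# Added example: the LDAP operations behind "adfind -showdel" and "admod -undel",
# written with System.DirectoryServices.Protocols so each step is visible.
# Not joe's code and not part of the joeware tools. Assumed: the page's DC
# 2k3dc01.joe.com (Windows Server 2003 or later), the domain DC=joe,DC=com,
# and a caller holding the Reanimate Tombstones right on that naming context.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $Server
    $conn.SessionOptions.Signing = $true     # sign and seal: directory changes
    $conn.SessionOptions.Sealing = $true     # should not cross the wire in clear
    $conn.Bind()                             # current Windows credentials (Negotiate)
    return $conn
}

# Locate a tombstone by the name it had before deletion. A tombstone's name is
# "<name>\nDEL:<objectGUID>"; RFC 4515 writes that newline as \0a in a filter.
# $Name is assumed to contain none of the filter metacharacters ( ) * \ .
function Find-Tombstone {
    param($Connection, [string]$BaseDN, [string]$Name)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDN
    $req.Filter = "(&(isDeleted=TRUE)(name=$Name\0aDEL:*))"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req.Attributes.AddRange([string[]]@('name', 'lastKnownParent'))
    # Without LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417) the DC hides
    # CN=Deleted Objects entirely, which is why the plain adfind above found nothing.
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    foreach ($entry in $Connection.SendRequest($req).Entries) {
        [pscustomobject]@{
            DN              = $entry.DistinguishedName
            OriginalRdn     = ($entry.Attributes['name'].GetValues([string])[0] -split "`n")[0]
            LastKnownParent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]
        }
    }
}

# The undelete itself: one modify that removes isDeleted and rewrites the DN,
# sent with the show-deleted control so the DC lets us address the tombstone.
function Restore-Tombstone {
    param($Connection, [string]$TombstoneDN, [string]$NewDN)
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $TombstoneDN
    $clear = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clear.Name = 'isDeleted'
    $clear.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($NewDN)
    [void]$mod.Modifications.Add($clear)
    [void]$mod.Modifications.Add($move)
    [void]$mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    # Throws DirectoryOperationException if the target parent no longer exists
    # or the caller lacks the Reanimate Tombstones right.
    [void]$Connection.SendRequest($mod)
}

# Attributes flagged PRESERVE_ON_DELETE (searchFlags bit 0x8) stay on the
# tombstone and come back on undelete. Anything else is stripped at delete time
# and either reconstructed by the DC (objectCategory, primaryGroupID,
# sAMAccountType in the tracking log above) or simply gone.
function Get-PreservedOnDeleteAttributes {
    param($Connection, [string]$SchemaNC)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $SchemaNC
    $req.Filter = '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))'
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $req.Attributes.AddRange([string[]]@('lDAPDisplayName'))
    foreach ($entry in $Connection.SendRequest($req).Entries) {
        $entry.Attributes['lDAPDisplayName'].GetValues([string])[0]
    }
}

$conn  = Connect-Ldap '2k3dc01.joe.com'
$found = @(Find-Tombstone $conn 'DC=joe,DC=com' 'DelTest')
if ($found.Count -ne 1) { throw "Expected one tombstone for DelTest, found $($found.Count)" }
# Rebuild the DN the way admod -undel did: original RDN under lastKnownParent.
# If that parent was itself deleted, pass a different parent explicitly.
$newDn = 'CN={0},{1}' -f $found[0].OriginalRdn, $found[0].LastKnownParent
Restore-Tombstone $conn $found[0].DN $newDn
Get-PreservedOnDeleteAttributes $conn 'CN=Schema,CN=Configuration,DC=joe,DC=com'
```

The count check before the restore is the part worth keeping even if you script this differently: a wildcard like the name=deltest* filter used above can match more than one tombstone, and reanimating the wrong one puts a stale object back into a live OU. Expect the same gaps the tracking log shows: group memberships, passwords and most non-preserved attributes do not return, which is why joe calls this the merely painful option.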
-----Original Message-----
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
Sent: Thursday, February 17,
2005 3:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
HELP!!! Undelete required
Hi guys,

I have resolved the issue. It could have been worse, however; the group deleted was a distribution group. The painful fact was that it was one that had 700 member users and I did not know how I could repopulate that fast. However I had done a csvde export just the day before and I ran iquery to get all users with the required attribute.

Simply put, I recreated the distribution group again. I just pasted all the members into a text file with all usernames separated by a semicolon and then pasted them all into the new group. The names were all resolved.

My fear is this: what if it was a user or a security group that was mistakenly deleted? Microsoft should have a solution that enables you to undelete, like a Ctrl-Z. Mistakes can be made by anyone... a mouse slip etc... no one is perfect.

Thanks all...

A restore is one option I don't ever want to take in a production environment!!
-----Original Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:32
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!!
Undelete required
Heh, I actually typoed that response. It should
have been
> If you had K3 you would have at
> least 2 options,
one painful, one really painful. Here you only have
> the really painful
answer.
The really painful answer is obviously recovery from a
backup. I have never really done this in production and I have no intention of
ever doing it.
It
scares me. If something was deleted, I have faith that
the person who deleted something is someone who could be trusted to have made
that decision. If they made a bad decision, the trust was misplaced. This is yet
another reason to not let people have native rights in the directory like
that.
The painful answer is to recover the object from the deleted
objects container. Depending on the type of object and the schema mods made you
will have various levels of frustration with this because not everything comes
back the way you want. By default, very little comes back. However, I much
prefer this solution to recovering from backup. This is something I would
actually do.
joe
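Both of joe's replies come back to the same point: the person with native delete rights is the weak link, so put a proxy between them and the directory that does not really delete on the first request. The following is an added PowerShell sketch of that proxy, not joe's code and not the scripts his team used. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later, so it postdates this thread), a quarantine OU OU=SoftDeleted,DC=joe,DC=com that only the proxy's service account can modify, and adminDescription as the attribute that records where an object came from and when it was parked. All three are choices made for the example, not conventions from the page.

```powershell
# Added example, not joe's code: a front end that never deletes on the first
# request. It disables accounts, records origin and time, and parks objects in
# a quarantine OU; a separate purge removes them after a grace period.
# Assumed: the ActiveDirectory module, OU=SoftDeleted,DC=joe,DC=com as the
# quarantine OU, and adminDescription as the bookkeeping attribute.
Import-Module ActiveDirectory

$script:Quarantine = 'OU=SoftDeleted,DC=joe,DC=com'
$script:Tag        = 'SOFTDELETE'

function Remove-ADObjectSoft {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$DistinguishedName,
        [int]$MaxBatch = 10   # larger requests are refused even with -Confirm:$false
    )
    begin   { $batch = @() }
    process { $batch += $DistinguishedName }
    end {
        if ($batch.Count -gt $MaxBatch) {
            throw "Refusing to park $($batch.Count) objects at once (limit $MaxBatch); split the request and get a second pair of eyes on it"
        }
        foreach ($dn in $batch) {
            $obj = Get-ADObject -Identity $dn -Properties objectClass
            # ConfirmImpact High makes this the "are you really sure?" prompt.
            if (-not $PSCmdlet.ShouldProcess($dn, "disable and park in $script:Quarantine")) { continue }
            # Origin and UTC time, so the object can be put back or aged out.
            $stamp = '{0};{1};{2}' -f $script:Tag, [datetime]::UtcNow.ToString('o'), $dn
            Set-ADObject -Identity $dn -Replace @{ adminDescription = $stamp }
            if ($obj.objectClass -in 'user', 'computer') { Disable-ADAccount -Identity $dn }
            Move-ADObject -Identity $dn -TargetPath $script:Quarantine
        }
    }
}

function Restore-ADObjectSoft {
    param([Parameter(Mandatory)][string]$Name)
    $obj = @(Get-ADObject -SearchBase $script:Quarantine -SearchScope OneLevel `
                          -Filter "name -eq '$Name'" -Properties adminDescription)
    if ($obj.Count -ne 1) { throw "Expected one parked object named $Name, found $($obj.Count)" }
    $tag, $when, $origDn = $obj[0].adminDescription -split ';', 3
    if ($tag -ne $script:Tag) { throw "$($obj[0].DistinguishedName) was not parked by this tool" }
    $parent = $origDn -replace '^[^,]+,', ''   # strip the RDN; assumes no escaped commas in it
    $back = Move-ADObject -Identity $obj[0].DistinguishedName -TargetPath $parent -PassThru
    Set-ADObject -Identity $back -Clear adminDescription
    # Deliberately not re-enabled: a restored account gets a human look first.
    return $back
}

function Clear-ADSoftDeleted {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([int]$OlderThanDays = 7)
    $cutoff = [datetime]::UtcNow.AddDays(-$OlderThanDays)
    Get-ADObject -SearchBase $script:Quarantine -SearchScope OneLevel -Filter * -Properties adminDescription |
        ForEach-Object {
            $tag, $when, $origDn = $_.adminDescription -split ';', 3
            if ($tag -ne $script:Tag) { return }   # not ours; leave it alone
            if ([datetimeoffset]::Parse($when).UtcDateTime -ge $cutoff) { return }
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "permanently delete (parked $when, was $origDn)")) {
                Remove-ADObject -Identity $_ -Confirm:$false
            }
        }
}

# Usage: park two accounts, later put one back, and age out the rest.
'CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com' | Remove-ADObjectSoft
Restore-ADObjectSoft -Name 'DelTest'
Clear-ADSoftDeleted -OlderThanDays 7 -WhatIf
```

Two caveats a practitioner should see before adopting this. A parked security group keeps its membership so that a restore is complete, which also means it keeps granting access until it is purged; if the delete was meant to revoke access, handle that separately. And the quarantine OU is only a safety net if the people submitting requests cannot write to it directly or run Remove-ADObject themselves; the whole value of the proxy is that it is the only path with delete rights, which is the "no native rights" point joe makes above.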
-----Original
Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Hunter, Laura E.
Sent: Wednesday, February 16,
2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
HELP!!! Undelete required
Joe,
Out of curiosity, what do you define as the "painful" versus "really painful" option in 2K3? Now I'm curious. :-)
Laura
> -----Original Message-----
>
From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide
> Adebanjo
> Sent: Wednesday,
February 16, 2005 1:54 PM
> To: ActiveDir@mail.activedir.org
>
Subject: RE: [ActiveDir] HELP!!! Undelete required
>
>
Ahhhhh!!!!
>
> I need a miracle.....a technical
miracle.....
>
> -----Original Message-----
> From:
[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 7:36
PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir]
HELP!!! Undelete required
>
>
> You aren't going to like the
answer... If you had K3 you would have at
> least 2 options, one
painful, one really painful. Here you only have
> the painful
answer.
>
>
> joe
>
>
-----Original Message-----
> From:
[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide
> Adebanjo
> Sent: Wednesday,
February 16, 2005 1:27 PM
> To: ActiveDir@mail.activedir.org
>
Subject: [ActiveDir] HELP!!! Undelete required
>
> Hi
guys,
>
> What is the fastest way of recovering a group object
deleted in AD
> 2000?? The changes have been replicated to all other
DCs
>
> I want something precise, nothing fanciful, something tested
and
> proved working...pls don't let it involve restoring from system
state
> backups, that's an option I don't want to
follow...
>
> There should be a way......
> List
info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/