Title: Message
the "useless" feature of re-animating an object is meant to be used with other tools which are used to store that extra data which is missing in the tombstone.  And that's exactly what these 3rd party tools do (now that it's supported with 2003).
 
you could also choose to leave most attributes in the tombstone by adjusting the searchflags of the attributes in the AD schema appropriately (3rd bit determines if an attribute is kept in the tombstone or not) - this way the re-animated object will have more than a bare skeleton (e.g. can be used to restore SIDhistory and Password of accounts).  The problem: you can't do this for _all_ attributes - especially not for linked attributes such as group-membership.  So even though you get the group back, it wouldn't have the members in it - same if you reanimate a user, it would not be a member of any group.
 
But as link-recovery is an issue for itself (in multi-domain environments), you'll have to take special care to get all these links back anyways.  So a part of your backup-strategy should be to dump your group-memberships periodically to leverage that information during a recovery procedure.
 
/Guido
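As an added example (my own code, not from this thread and not from any of the vendor tools mentioned), the two points above in runnable form: checking and setting the searchFlags bit that keeps an attribute on the tombstone, and diffing a periodic group-membership dump against what is present after a reanimation so the dropped links can be re-added. The LDIF-style dump text, the group and user DNs and the "after" state are constructed sample data; the function names are this example's own.

```python
"""Helpers around tombstone reanimation limits (added example, not thread code).

1. searchFlags bit 3 (value 8) marks a schema attribute as preserved on delete.
2. Linked attributes such as member are never preserved, so a periodic
   membership dump is compared with the live state to find links to re-add.
"""

PRESERVE_ON_DELETE = 0x8  # searchFlags bit 3: keep this attribute on the tombstone


def is_preserved_on_delete(search_flags: int) -> bool:
    """True if an attribute with this searchFlags value survives in the tombstone."""
    return bool(search_flags & PRESERVE_ON_DELETE)


def with_preserve_on_delete(search_flags: int) -> int:
    """searchFlags value to write back to the schema so the attribute is kept."""
    return search_flags | PRESERVE_ON_DELETE


def parse_membership_dump(text: str) -> dict:
    """Parse an LDIF-style dump: records separated by blank lines, one 'dn:'
    line per group followed by 'member:' lines. DNs are lower-cased because
    AD compares them case-insensitively (cn=deltest vs CN=DelTest in adfind)."""
    groups, current_dn, members = {}, None, set()
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if current_dn is not None:
                groups[current_dn] = members
            current_dn, members = None, set()
        elif line.lower().startswith("dn:"):
            current_dn = line[3:].strip().lower()
        elif line.lower().startswith("member:"):
            members.add(line[7:].strip().lower())
    return groups


def groups_of(dump_text: str, user_dn: str) -> list:
    """Groups the dump says a user belonged to (for a reanimated user object)."""
    user = user_dn.lower()
    return sorted(g for g, ms in parse_membership_dump(dump_text).items() if user in ms)


def missing_links(dump_text: str, current: dict) -> dict:
    """Members recorded in the dump but absent now, per group (only non-empty)."""
    wanted = parse_membership_dump(dump_text)
    have = {g.lower(): {m.lower() for m in ms} for g, ms in current.items()}
    result = {}
    for group, members in wanted.items():
        gap = sorted(members - have.get(group, set()))
        if gap:
            result[group] = gap
    return result


# Constructed sample dump, as a scheduled export might write it.
SAMPLE_DUMP = """\
dn: CN=Sales,OU=Groups,DC=example,DC=com
member: CN=Alice,OU=Users,DC=example,DC=com
member: CN=Bob,OU=Users,DC=example,DC=com
member: CN=DelTest,OU=Users,DC=example,DC=com

dn: CN=Finance,OU=Groups,DC=example,DC=com
member: CN=Alice,OU=Users,DC=example,DC=com
"""

# Constructed state after Sales was deleted and reanimated: member came back empty.
AFTER_REANIMATION = {
    "cn=sales,ou=groups,dc=example,dc=com": set(),
    "CN=Finance,OU=Groups,DC=example,DC=com": {"cn=alice,ou=users,dc=example,dc=com"},
}

if __name__ == "__main__":
    print("searchFlags 1 -> %d" % with_preserve_on_delete(1))  # 9
    for group, members in missing_links(SAMPLE_DUMP, AFTER_REANIMATION).items():
        print(group)
        for m in members:
            print("  re-add:", m)
    print("DelTest was in:", groups_of(SAMPLE_DUMP, "CN=DelTest,OU=Users,DC=example,DC=com"))
```

Writing the searchFlags change back to the schema is a schema modification, so it belongs in the same change-control path as any other schema edit; the dump format is deliberately the LDIF shape ldifde and similar exporters produce, so an existing nightly export can feed missing_links directly.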


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, February 17, 2005 3:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] HELP!!! Undelete required

Very true, joe, but then that's precisely why I'd advocate the use of the 3rd party tools, since they offer a far more robust solution.
 
The thought of re-animating an object only to find most of its attributes are missing (e.g. SIDHistory) is pretty useless, albeit by design. If a "full" restore of the object is required, and an auth restore is not feasible, then we're back to tools such as those provided by Quest etc.
 
neil
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 February 2005 14:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

They do have an undelete option... It is in Windows Server 2003 AD. Don't expect it to be back ported to Windows 2000 AD as that OS is now over 5 years old and the newer version is a couple of years old.

You can actually use admod as well as other tools to undelete things in Windows Server 2003 AD, the issue comes down to how much data actually gets pulled back. This is controlled by the schema and you can set some additional items to be returned when the object is returned from the deleted objects container. Note some things you can and can't return regardless of settings.


Ex:

<Command line snippets>

[Thu 02/17/2005  8:21:28.40]
F:\temp>makeu DelTest
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Completed.

[Thu 02/17/2005  8:21:36.28]
F:\temp>adfind -default -f name=deltest -dsq

"CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005  8:22:10.34]
F:\temp>adfind -default -f name=deltest -dsq |admod -rm

AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: cn=deltest,ou=tmptestou,ou=joeware2,ou=exchange,dc=joe,dc=com...

The command completed successfully


[Thu 02/17/2005  8:22:18.99]
F:\temp>adfind -default -f name=deltest -dsq


[Thu 02/17/2005  8:22:45.21]
F:\temp>adfind -default -f name=deltest -dsq -showdel


[Thu 02/17/2005  8:22:51.88]
F:\temp>adfind -default -f name=deltest* -dsq -showdel

"CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com"

[Thu 02/17/2005  8:22:57.68]
F:\temp>adfind -default -f name=deltest* -dsq -showdel |admod -undel

AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=deltest\0adel:2b2b6bc9-c4cc-49af-886a-df1b504ae919,cn=deleted objects,dc=joe,dc=com...

The command completed successfully


[Thu 02/17/2005  8:23:09.15]
F:\temp>adfind -default -f name=deltest -dsq

"CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005  8:23:43.97]
F:\temp>adfind -default -f name=deltest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: deltest
>distinguishedName: CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050217132136.0Z
>whenChanged: 20050217132309.0Z
>uSNCreated: 1458430
>uSNChanged: 1458455
>name: deltest
>objectGUID: {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
>userAccountControl: 546
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-8347
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: DelTest
>sAMAccountType: 805306368
>lastKnownParent: OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132309.0Z
>dSCorePropagationData: 20050217132219.0Z
>dSCorePropagationData: 16010108151056.0Z


1 Objects returned

[Thu 02/17/2005  8:23:51.97]
F:\temp>



<Tracking log Snippet>

-------------------------------------------------
Creates between Thu Feb 17 08:24:57 2005 - Thu Feb 17 08:25:08 2005

Initial Settings
      CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
          cn : DelTest
          distinguishedName : CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
          instanceType : 4
          name : DelTest
          objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
          objectClass : top#person#organizationalPerson#user
          objectGUID : {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
          objectSid : S-1-5-21-1862701446-4008382571-2198042679-8347
          primaryGroupID : 513
          sAMAccountName : DelTest
          sAMAccountType : 805306368
          uSNChanged : 1458431
          uSNCreated : 1458430
          userAccountControl : 546
          whenChanged : 20050217132136.0Z
          whenCreated : 20050217132136.0Z


-------------------------------------------------
-------------------------------------------------
Updates between Thu Feb 17 08:25:42 2005 - Thu Feb 17 08:25:54 2005

UPDATE: CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com  <GUID=c96b2b2bccc4af49886adf1b504ae919>
   UPD cn: (DelTest) -> (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
   ADD dSCorePropagationData: (20050217132219.0Z#20050217132219.0Z#20050217132218.0Z#16010108151056.0Z)
   UPD distinguishedName: (CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com) -> (CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com)
   ADD isDeleted: (TRUE)
   UPD name: (DelTest) -> (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
   UPD uSNChanged: (1458431) -> (1458442)
   UPD whenChanged: (20050217132136.0Z) -> (20050217132218.0Z)
   DEL objectCategory: (CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
   DEL primaryGroupID: (513)
   DEL sAMAccountType: (805306368)

-------------------------------------------------
-------------------------------------------------
Updates between Thu Feb 17 08:26:29 2005 - Thu Feb 17 08:26:40 2005

UPDATE: CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com   <GUID=c96b2b2bccc4af49886adf1b504ae919>
   UPD cn: (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919) -> (deltest)
   UPD dSCorePropagationData: (20050217132219.0Z#20050217132219.0Z#20050217132218.0Z#16010108151056.0Z) -> (20050217132309.0Z#20050217132309.0Z#20050217132309.0Z#20050217132219.0Z#16010108151056.0Z)
   UPD distinguishedName: (CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com) -> (CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com)
   UPD name: (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919) -> (deltest)
   ADD objectCategory: (CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com)
   ADD primaryGroupID: (513)
   ADD sAMAccountType: (805306368)
   UPD uSNChanged: (1458442) -> (1458455)
   UPD whenChanged: (20050217132218.0Z) -> (20050217132309.0Z)
   DEL isDeleted: (TRUE)

-------------------------------------------------






On the mouse slips and such... This is one *more* reason NOT to use the GUI. Or at least to use it with an ID that has the power to make mass updates. While you can make mistakes with command line as well, at least you can look at the command line multiple times prior to doing anything. One really good solution is to force all work through scripts or some proxy that can apply logic to what you are doing, for instance if you tell it to delete 100 users it comes back and says, are you really sure? And then it doesn't really delete them even if you say you are sure, it simply renames them and/or disables them and tucks them away for a couple of days to make sure you weren't on a drunken or drug induced craze or something.

The people with the power in your directory should be people who it would be extremely odd to ever make a mistake there, not someone who says anyone can make a mistake. If you are standing in a crowd say as a soldier to help calm the group down or as a police officer with a gun and it goes off and you kill 4 people, the response of anyone can make a mistake won't cut it. You put special people in that position that you are confident won't make that mistake. Then if you can, you add things to make it even more unlikely it will occur like with a gun you have a safety and a ton of protocol training so there aren't just reactions, there are calculated reactions.

I admin'ed a large forest (~250,000 users) for a long time and we didn't have mistakes like this of any real consequence. Groups could only be created/deleted by four people (1 manager and 3 analysts) although their group membership could be managed by any number of people. All told we had several thousand people who could manage various groups around the world. The three people who did the actual work didn't even do it through GUI or other native tools; they used scripts that had business logic and verified the input and processed the requests carefully. The next step was to throw that process on a web site and the three people wouldn't even be involved, the person who needed the group would connect to the website and do the work and they wouldn't be allowed to make mistakes that were permanent. This also went for server computer accounts. Workstation computer accounts we allowed lower level admins to work with, but then deleting a workstation account isn't in the same ball park with a deleted server or group or user object. Basically the gun we gave the lower level admins was a paint gun and we put goggles on them so any pain should be small and temporary. Though with concerted effort they could have still hurt themselves by deleting lots of machine accounts. However it was their pain as they would be putting them all back manually.

I am not trying to be harsh here, only realistic. In the next couple of paragraphs, you is the generic you of anyone reading this, not any specific person you.

If you are opening up the GUI or in fact doing anything in AD with a high powered ID and you don't have some fear and trepidation you need to close out what you are doing and go away until you do. That little bit of fear or concern keeps you on your toes and makes you realize you can really hurt something. You should never be "comfortable" wandering around in the GUI with an admin ID. You show me someone who kicks around in the GUI of a production environment with an admin ID like it is no big cheese and I will show you someone who won't be an admin in an environment I have a say over. Moving around quickly in a GUI is not something to be impressed by.

The group I previously described had a turnover of 3 new people over the course of about 3 years (one position replaced twice, another position replaced once). Not a single one of those new people got an admin ID for at least 3 months and it wasn't until the rest of the admins had a feeling that the new admin had the proper level of fear and respect for the directory as well as understood the specific environment as well as Active Directory. Even if Don H. himself walked into our environment he would not have gotten an Admin ID or access to an Admin ID in less than three months and that only if he was on our team, not there as an MS person. He may know AD, but he doesn't know how it was used there and didn't understand the environment. A mistake in that directory could literally put an entire Fortune 10 company down for the count or at least one of its many divisions. A mistake at our admin level most likely wasn't going to be able to successfully be responded to with anyone can make a mistake. It would probably result in someone looking for a new job.

When I go in and look at some company's AD, I specifically ask for an ID that has no ability to modify things, I simply want to see. I don't want to have any possibility of changing anything except my password. Normally user and Exchange view is all I need to do my job. It scares me how fast some companies will give people admin rights when someone walks through the door. I have several MCS friends who got quite chapped with me beating on them for several years when they were in the environment I controlled because they had normal user access and that was about it. They need replication metadata in 2K, do they get an admin ID? Nope, I set up a perl cgi script and they hit a website that got the data for them. No reason was ever good enough for them to have admin rights. At best they could sit next to someone with those rights. Anyway, they were always quite pissy about that. Then after a couple of years of daily onsite work and dealing with me they finished their work with us and went to other places. They actually had fear for how much power they were given when they walked in the door (here you go, you must know AD, have enterprise admin!) and realized how safe my environment was compared to the others they work with now. If a company gives out access that quickly... They don't really have change control no matter how much they want to think so and how many processes they have around it.

Basically you as an admin need to sit down and look at the points where you have dangerous processes and you make them as non-dangerous as possible. Generically, if you have any processes where you manually update the directory with an ID that has add/delete capabilities and you are using the GUI, you have a dangerous process that needs to be reworked. You can't rework them all in an instant so you take time, maybe even months or years going through and fixing those processes. Do it in baby steps, first scripts, then automated systems. Focus on the things that you do a lot first and then go to the things you do less. If you can't script, learn. You aren't an admin if you can't script, you are a button pusher that can and possibly should be replaced. If you have admins logging into their workstations with their admin IDs, smack them. If they are logging into servers (real server not TS) to do work that can be done remotely from the workstations, smack them. If they use IE/OE on a server (real server not a TS), smack them. If they have someone come to them and complain about an ID that runs a service and it is a pain to change the password so the first thing they think of is to set the ID to be non-expiring, smack them and then fire them.

  joe

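As an added example (my own code, not from this thread, joeware or Microsoft) of what admod -undel does at the LDAP level in Windows Server 2003: the tombstone's RDN ("DelTest\0ADEL:<objectGUID>") and its lastKnownParent are enough to compute the original DN, and the reanimation itself is a single LDAP modify on the tombstone that removes isDeleted and replaces distinguishedName. The sample tombstone DN and lastKnownParent are copied from the adfind output above; the function names and the LDIF layout are this example's own, and the modify must be sent with the show-deleted control (OID 1.2.840.113556.1.4.417), which plain LDIF text cannot carry by itself.

```python
"""Build a Windows Server 2003 tombstone reanimation request (added example)."""

# LDAP_SERVER_SHOW_DELETED_OID: the modify must carry this control or the
# server will not find the tombstone DN at all.
SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"

# AD renames a deleted object's RDN to "<name>\0ADEL:<objectGUID>", where
# \0A is the DN-escaped newline character.
DEL_MARKER = "\\0ADEL:"

# Values copied from the thread's adfind output (a test object, not a real account).
TOMBSTONE_DN = ("CN=DelTest\\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,"
                "CN=Deleted Objects,DC=joe,DC=com")
LAST_KNOWN_PARENT = "OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"


def split_first_rdn(dn: str) -> tuple:
    """Split a DN at its first unescaped comma -> (rdn, parent DN)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character ("\," or the first hex digit of "\0A")
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def parse_tombstone_dn(tombstone_dn: str) -> dict:
    """Pull the original RDN value, the objectGUID and the container out of a tombstone DN."""
    rdn, container = split_first_rdn(tombstone_dn)
    attr, _, value = rdn.partition("=")
    if DEL_MARKER not in value:
        raise ValueError("not a tombstone RDN: %s" % rdn)
    original, guid = value.split(DEL_MARKER, 1)
    return {"rdn_attr": attr, "original_rdn": original,
            "object_guid": guid, "container": container}


def restore_dn(tombstone_dn: str, last_known_parent: str) -> str:
    """DN the object gets back: original RDN under lastKnownParent."""
    info = parse_tombstone_dn(tombstone_dn)
    return "%s=%s,%s" % (info["rdn_attr"], info["original_rdn"], last_known_parent)


def reanimation_ldif(tombstone_dn: str, last_known_parent: str) -> str:
    """LDIF text of the reanimation modify: drop isDeleted, set the new DN."""
    new_dn = restore_dn(tombstone_dn, last_known_parent)
    return "\n".join([
        "dn: %s" % tombstone_dn,
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        "distinguishedName: %s" % new_dn,
        "-",
        "",
    ])


if __name__ == "__main__":
    print("send with control", SHOW_DELETED_CONTROL)
    print(reanimation_ldif(TOMBSTONE_DN, LAST_KNOWN_PARENT))
```

Everything not kept on the tombstone (objectCategory, primaryGroupID, sAMAccountType in the tracking log above, plus any linked attribute such as member) is recomputed or simply absent after this modify, which is the "very little comes back" caveat in the thread; the objectGUID and objectSid do survive, so the restored object is the same security principal as before.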
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
Sent: Thursday, February 17, 2005 3:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Hi guys,

I have resolved the issue..it could have been worse however but the group deleted was a distribution group. The painful fact was that it was one that had 700 member users and I did not know how I could repopulate that fast. However I had done a csvde export just the day before and I ran iquery to get all users with the required attribute.
Simply put, I recreated the distribution group again. I just pasted all the members into a text file with all usernames separated by a semicolon and then pasted them all into the new group. The names were all resolved.

My fear is this; what if it was a user or a security group that was mistakenly deleted. Microsoft should have a solution that enables you to undelete..like a Ctrl Z. Mistakes can be made by anyone...a mouse slip etc...no one is perfect.

Thx all...

A restore is one option I don't ever want to take in a production environment!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Heh, I actually typoed that response. It should have been

> If you had K3 you would have at
> least 2 options, one painful, one really painful. Here you only have
> the really painful answer.


The really painful answer is obviously recovery from a backup. I have never really done this in production and I have no intention of ever doing it. It scares me. If something was deleted, I have faith that the person who deleted something is someone who could be trusted to have made that decision. If they made a bad decision, the trust was misplaced. This is yet another reason to not let people have native rights in the directory like that.

The painful answer is to recover the object from the deleted objects container. Depending on the type of object and the schema mods made you will have various levels of frustration with this because not everything comes back the way you want. By default, very little comes back. However, I much prefer this solution to recovering from backup. This is something I would actually do.

  joe




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hunter, Laura E.
Sent: Wednesday, February 16, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Joe,

Out of curiosity, what do you define as the "painful" versus "really painful" option in 2K3?  Now I'm curious.  :-)

Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
> Sent: Wednesday, February 16, 2005 1:54 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] HELP!!! Undelete required
>
> Ahhhhh!!!!
>
> I need a miracle.....a technical miracle.....
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 7:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] HELP!!! Undelete required
>
>
> You aren't going to like the answer... If you had K3 you would have at
> least 2 options, one painful, one really painful. Here you only have
> the painful answer.
>
>
>    joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
> Sent: Wednesday, February 16, 2005 1:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] HELP!!! Undelete required
>
> Hi guys,
>
> What is the fastest way of recovering a group object  deleted in AD
> 2000?? The changes have been replicated to all other DCs
>
> I want something precise, nothing fanciful, something tested and
> proved working...pls don't let it involve restoring from system state
> backups, that's an option I don't want to follow...
>
> There should be a way......
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/