Note that the adfind query will be a trifle slow, as it is going to have to walk every object in the directory; in larger orgs that could easily time out, so you will want to add the -t 0 option to specify an unlimited timeout.
 
If you know the name of the object when looking for it, I recommend sticking to the NC it existed in and then use something like
 
adfind -b Deleted_Objects_for NC_DN -showdel -f "&(isdeleted=TRUE)(name=whatever*)"
 
The whatever* is necessary because of the object rename that occurs. There are some objects that don't go to the Deleted Objects container but instead remain in the container they were in when "deleted". This mostly occurs on site-type objects in the config, though; I have not seen a user configured that way, though I don't think there is anything preventing it, but someone would have had to have known how to pull it off.
 
I haven't gone through this entire extensive thread but I think it is about a missing user. There are a couple of things it could be
 
1. User isn't missing, simply renamed. Without GUID of old object, good luck figuring out which object it is now.
2. User isn't missing, simply moved to another domain.
3. Object was deleted and the search for it isn't being done properly, or possibly this is in combination with 1 and/or 2 above.
4. User was deleted and person searching doesn't have rights to see deleted objects (easy to test).
5. Object was a dynamic object and timed out and went away. Doubtful it occurred here. Nothing would lead me to believe that someone was up on that capability enough to do it.
 
I would start by doing the search as I indicated above. If nothing found, I would dump all deleted user objects and look at them. If that doesn't come up with it, I would expect someone renamed it and possibly moved to another domain.
 
Oh in specific reference to this
 
"that won't work.
You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work.
i could be wrong.."
 
That is incorrect; you can use the <GUID=blah> format to see deleted objects. That is just a DN format that AD accepts, period. Make note that 2K doesn't do this as nicely as K3, i.e. you would have to use "<GUID=de52f5e3cbe996419037a039121df280>" instead of "<GUID=E3F552DE-E9CB-4196-9037-A039121DF280>". Also note that if you can find the object with adfind, use -extname and it will kick out the extended SID and GUID names of the objects for you.
 
I would honestly stop worrying about ldp and repadmin and just sit down and find the object with adfind. If it is there and the person doing the searching has permissions, they should be able to find it.
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, January 11, 2006 4:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange deleted object issue

Hi Tom, i used the following:
 
if the user yann is deleted from AD:
 
1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt  to list all deleted users in del.txt (the -gc queries the GCs; i found it much faster to query GCs than DCs).
2) search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".
3) type  repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted"  to locate the DC on which the deletion occurred.
Ex: here is the result of the command:   17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted
You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".
4) you can then use psloglist \\MYDC security -i 630 -a 10/27/05  which shows you all deleted accounts that occurred before 10/27/05, or connect to MYDC to search in the security event log.
 
If you cannot find your user at the time, it may be that another domain admin has disabled the policy account applied by default, so you may want to check with your peers to confirm this.
 
hope it helps
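As an added worked example (not code from the list, nor from the adfind or repadmin authors), the Python below covers both joe's note on the two <GUID=...> DN forms and Yann's repadmin /showobjmeta step: it parses the tombstone DN quoted above, builds the Windows 2003 and Windows 2000 GUID-DN strings, and picks the originating DC and time out of the isDeleted metadata row so you know which DC's security log to search. The DN, GUID and metadata row are the values quoted in the thread.

```python
import re
import uuid
from datetime import datetime

# Constructed from what the thread quotes: the tombstone DN from Yann's
# step 2 and the repadmin /showobjmeta row from his step 3.
DELETED_DN = (r"CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,"
              "CN=Deleted Objects,DC=univ-lyon1,DC=fr")
SHOWOBJMETA_LINE = "17730966 MYSITE\\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted"

# Tombstone RDN: original CN, escaped newline "\0A", "DEL:" and the objectGUID.
_TOMBSTONE_RE = re.compile(
    r"^CN=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),(?P<container>.+)$")


def parse_deleted_dn(dn):
    """Split a deleted-object DN into original name, objectGUID and container."""
    m = _TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError("not a deleted-object DN: %s" % dn)
    return {"name": m.group("name"), "guid": m.group("guid").lower(),
            "container": m.group("container")}


def guid_dn_forms(guid_text):
    """The <GUID=...> DN joe describes: dashed string for Windows 2003, raw hex
    in mixed-endian (bytes_le) order for Windows 2000."""
    g = uuid.UUID(guid_text)
    return {"2k3": "<GUID=%s>" % str(g).upper(), "2k": "<GUID=%s>" % g.bytes_le.hex()}


def parse_showobjmeta_row(line):
    """One attribute row of repadmin /showobjmeta: Loc.USN, Originating DSA,
    Org.USN, Org.Time/Date (two tokens), Ver, Attribute."""
    loc_usn, dsa, org_usn, date, time_, ver, attr = line.split()
    site, dc = dsa.split("\\", 1)
    return {"attribute": attr, "site": site, "dc": dc, "local_usn": int(loc_usn),
            "originating_usn": int(org_usn), "version": int(ver),
            "when": datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M:%S")}


def deletion_origin(showobjmeta_output):
    """Find the isDeleted row: its originating DSA is the DC where the delete
    was issued, so that DC's security log is the one to search for event 630."""
    for line in showobjmeta_output.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[-1].lower() == "isdeleted":
            row = parse_showobjmeta_row(line)
            return {"dc": row["dc"], "site": row["site"],
                    "when": row["when"].strftime("%Y-%m-%d %H:%M:%S"),
                    # date string for the psloglist -a switch used in step 4
                    "psloglist_date": row["when"].strftime("%m/%d/%y")}
    return None
```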


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, January 11, 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

that won't work.
You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work.
i could be wrong..
 
 
Besides this won't help me figure out who deleted it or why the audit wasn't logged.
 
 
p.s.- i have the Forestry book and think it's great and well worth the hefty price.
 


 
On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:
If I recall, he reset the permissions on the ou/container which holds the deleted objects; then you could query it without reanimating anything.
-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 17:03:11
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID.
The deletion occurred in a Win2k forest. I think what you are talking about you can only do in a Win2k3 DFL forest.

Besides, that will only tell me the DC and time the isDeleted attrib was set. It won't tell me the user or process that deleted it.
that's what i really need, and as my DCs seem to have mysteriously stopped logging event id 630 or 565, i'm screwed.


thanks a lot


On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote: Use repadmin to check the object's metadata; you can usually find the DC where the deletion occurred and also who did it.

The Active Directory Forestry book by John Craddock is an excellent resource for this type of AD audit.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED] >
Date: Tue, 10 Jan 2006 15:53:18
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue

It logged the creation/deletion.

My question is- i've always had this policy set and yet an account got deleted last night and i can't find any record of it.

the security logs have not been cleared and are set to stay for 7 days.

still i know a user account ended up in the deleted objects container with a whenChanged date of 20060109202458.

someone/thing must have deleted it and there is no entry in the event logs of any DC.

what gives?

Thanks


On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED] > wrote:
Create a user account, then delete it. Note which DC you're connected to for the delete, then check the security log on that DC. Look at all of the events around the time you deleted the account so that you'll know what is actually getting logged.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange deleted object issue




Yes.
Thanks.
I just have 2 issues.

1. I don't understand why i get that error in ldp when i enter the oid control for deleted objects

2. Most importantly, i had audit account management enabled for success and failure on my domain controllers ou and auditing enabled for everyone for everything on the entire domain object, yet when i use EventCombMT to scan for an event id 630 in the security log, i get nothing.

this account was deleted last night so something should show up with this auditing enabled, no?

do i have to set some other security policy like audit directory service access as well?

I figured account management should cover deleting a user object.

Thanks


On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
I've deleted the rest of the thread already, but did you not already say you found him in the deleted items using ADFIND -showdel?

Or did I misread that and you're still looking for him?



On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote:
I'm just using ADUC and searching by sAMAccountName.
With LDP, i'm looking in the Deleted Objects container, but this company never deletes user accounts, just disables them indefinitely, so all i see in that container are linkTrackOMTEntry objects.

How can i see if the user was renamed?

I got a call from help desk that this user couldn't log in and they couldn't find him in AD using ADUC which i confirmed.
he's been with the corp for 5 years and i was assured he always had an account.

Thanks


On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
how do you know he's missing exactly?  I mean, are you sure the account wasn't changed for example?  Maybe renamed somehow?

When you search, how are you searching exactly?





On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote:
I have this weird issue-

A user object is missing from my win2k native mode domain.
I know because this user has complained that he can't log in and i can't find the object anywhere in AD.

I've checked the deleted objects container in AD with ldp and he is not in there as well.
He's not in the Lost and Found container either.

His exchange mailbox is orphaned in ESM.

Sometime last night this user was deleted but i have no way of finding him.  we don't have auditing turned on for that but i figured if an object was deleted it would definitely be in the deleted objects container.
is there any way to bypass that?
where else can i look?

Any help would be great because this is just plain bizarre.

Thanks






List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

