Hi - This isn't quite going to work.
See some notes inline.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Saturday, July 24, 2010 2:54 AM
To: NT System Admin Issues
Subject: AD User account restore procedure

I have a business user that wants to restore a user account that was deleted from AD, but they don't know the sAMAccountName; they do know the SID. They also have no idea how far back this account was deleted. This is the procedure I propose. Can someone verify if this is accurate, or am I missing something? Most of this was taken from http://support.microsoft.com/kb/840001. Thanks.

You need a domain controller on which to restore, and System State backups that go back as far as the user account was deleted.

1. Reboot the domain controller in Directory Services Restore Mode.

2. Restore the most recent System State backup (will vary depending on environment).

3. Use ADFIND or a similar utility to enumerate the Active Directory users with their SIDs, and locate the desired account:

   adfind -gc -null -f "&(objectcategory=person)(objectclass=user)" samaccountname objectsid -csv >>c:\temp\Users_SID.csv

   [[Brian Desmond]] Without the -showdel flag on adfind you're not going to find any deleted objects. You can also filter on objectSid with adfind - look at the "-binenc" switch and the syntax in Joe's help.

4. Repeat steps 3-4 until the user account is found.

5. Use NTDSUTIL to authoritatively restore the account found in step 4:

   [[Brian Desmond]] You would first need to do a system state restore from a tape backup that contains the live user. This can go back as far as your tombstone lifetime.

   ntdsutil "authoritative restore" "restore object cn=JohnDoe,ou=Mayberry,dc=contoso,dc=com" q q

6. Remove all the network cables from the recovery domain controller.

   [[Brian Desmond]] Not necessary

7. Restart the recovery domain controller in normal Active Directory mode.

8. Type the following command to disable inbound replication to the recovery domain controller:

   repadmin /options <recovery dc name> +DISABLE_INBOUND_REPL

   [[Brian Desmond]] Not necessary

9. Enable network connectivity back to the recovery domain controller whose system state was restored.

   [[Brian Desmond]] Not necessary

10. Outbound-replicate the auth-restored objects from the recovery domain controller to the domain controllers in the domain and in the forest:

    repadmin /syncall /d /e /P <recovery dc> <Naming Context>

11. []

    [[Brian Desmond]] IMO if you can find it you're better off undeleting the object (you can pipe adfind to admod to do this) and repopulating the attributes. You'll get the SID back, which seems to be the attribute you're concerned with.

Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003
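The undelete route Brian recommends (find the tombstone by SID, reanimate it, then repopulate attributes), shown here as an added PowerShell example rather than the adfind/admod pipeline from the thread; this is not code from either poster. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), a caller with rights to the Deleted Objects container, and that Restore-ADObject performs a plain tombstone reanimation when the Recycle Bin is not enabled. The SID and OU values are constructed placeholders; the OU is the one from the thread's example DN.

```powershell
# Added example, not code from the thread: locate a tombstoned AD user by its SID
# and undelete it. Assumptions (not from the thread): ActiveDirectory module is
# installed, the caller is a Domain Admin, $Sid is a constructed placeholder.
Import-Module ActiveDirectory

$Sid      = 'S-1-5-21-1111111111-2222222222-3333333333-1234'  # constructed placeholder
$TargetOU = 'OU=Mayberry,DC=contoso,DC=com'                   # OU from the thread's example DN

# 1. How far back can an undelete reach? Only objects still inside the tombstone
#    lifetime remain in the Deleted Objects container; anything older needs a
#    system state backup taken before the deletion (Brian's point on step 5).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                           -Properties tombstoneLifetime
# An unset attribute means the legacy default of 60 days applies.
$tsl = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime on this forest: $tsl days"

# 2. Find the tombstone by SID. objectSid survives deletion, so the requester's
#    SID is enough even though the sAMAccountName is unknown.
#    -IncludeDeletedObjects is the PowerShell counterpart of adfind's -showdel.
$tombstone = Get-ADObject -Filter { objectSid -eq $Sid -and isDeleted -eq $true } `
                          -IncludeDeletedObjects `
                          -Properties objectSid, sAMAccountName, lastKnownParent, whenChanged, isDeleted

if (-not $tombstone) {
    Write-Warning "No tombstone for $Sid: it is past the tombstone lifetime or the SID is wrong. Fall back to a system state restore."
    return
}
"Found tombstone (sAMAccountName is normally retained on the tombstone):"
$tombstone | Format-List Name, sAMAccountName, lastKnownParent, whenChanged

# 3. Undelete. Without the AD Recycle Bin the tombstone keeps only a few
#    attributes (objectSid, sAMAccountName, ...), so group memberships, manager,
#    profile path and the like must be repopulated afterwards. Restore into the
#    last known parent if that OU still exists, otherwise into $TargetOU.
$parentExists = $false
if ($tombstone.lastKnownParent) {
    try {
        Get-ADObject -Identity $tombstone.lastKnownParent | Out-Null
        $parentExists = $true
    } catch { $parentExists = $false }
}
$restoreTo = if ($parentExists) { $tombstone.lastKnownParent } else { $TargetOU }

Restore-ADObject -Identity $tombstone.ObjectGUID -TargetPath $restoreTo -Confirm:$false

# 4. Verify the SID is back on a live object before handing it to the business user.
$restored = Get-ADUser -Identity $tombstone.ObjectGUID -Properties objectSid, userAccountControl
if ($restored.SID.Value -ne $Sid) {
    throw "Restored object SID $($restored.SID.Value) does not match requested SID $Sid"
}
"Restored $($restored.DistinguishedName); account enabled: $($restored.Enabled)"
```

The restored account keeps its userAccountControl from the tombstone, so check the `Enabled` result before re-adding group memberships: a reanimated account that comes back enabled with old group memberships restored blindly is a privilege-restoration event, and it should be matched against the original change request rather than done on the user's word alone.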