Recovering deleted Active Directory Objects and a rant on Password Security.
Hey there, network administrators. In case nobody has told you, it is a very, very bad idea to log in to your workstation with your domain admin username and password. It is just as bad to walk away from your servers while you are still logged in.
Are you logging in as a normal user? Are you logging out of your servers when you are finished with your work?
You should be…
Sure, it makes things easier, since you don't have to authenticate over and over, but it is also genuinely dangerous. Anything that runs in that session (a hijacked session, a drive-by infection, a malicious attachment) runs with domain admin rights, and the credentials sit in memory on that box for the taking. If your machine becomes infected, guess what…
You just handed over the keys to the kingdom without a fight. Your whole network could be compromised and destroyed. And what happens if your Active Directory objects get deleted?
If that happens, let's look at a tool our friends at bauer-power.net used to recover deleted accounts. And while we are on the subject, does anyone know why schema changes would remove user objects in a 2008 native AD setup?
Today I walked into the office to a little bit of a shocker. One of the Help Desk users said that his, and another user's, Active Directory accounts on our parent company's domain had miraculously vanished. WTF? The only change to Active Directory the previous day was that my co-worker was setting up OCS, and that required some schema changes. I am not sure why those schema changes would delete accounts, but whatever, this is the problem I was facing when I walked in (still no coffee yet either).
Well, it turned out not to be that huge of a deal, because I found a really awesome free tool that easily finds deleted Active Directory objects and, with a click of a button, restores them. The way Active Directory deletes objects is pretty cool, and it also makes them relatively easy to recover. According to Petri, "When an object is deleted from Active Directory, it is not immediately erased, but is marked for future deletion…The marker used to designate that an AD object is scheduled to be destroyed is called a "tombstone". A tombstone is an object whose IsDeleted property has been set to True, and it indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table but the data is not actually removed from the drive."
The tool I used to recover the objects is called ADRestore.net. To use it, install it on one of your domain controllers (or on your admin workstation, since it can target a DC and take alternate credentials), then click Enumerate Tombstones. Find the missing object (User, OU, Computer, etc.), click on it and hit Restore. Easy as pie!
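The same procedure, scripted with the ActiveDirectory PowerShell module, as an added example that is not code from the original post or from ADRestore.net. It lists tombstones the way the Enumerate Tombstones button does, reanimates one, and then reports which attributes actually came back, along with the forest's tombstone lifetime (how long you have before garbage collection scrubs the tombstone) and whether the 2008 R2 Recycle Bin is enabled. It assumes RSAT with the ActiveDirectory module, a Windows Server 2008 R2 or later DC running Active Directory Web Services, and an account permitted to reanimate tombstones; the server name, filter pattern and function names are illustrative.

```powershell
# Added example (not the original post's or ADRestore.net's code).
# Assumes the ActiveDirectory module, a 2008 R2+ DC with AD Web Services,
# and an account allowed to reanimate tombstones.
Import-Module ActiveDirectory

# Every tombstone except the "Deleted Objects" container itself, which is
# also flagged isDeleted and must never be "restored".
$TombstoneFilter = 'isDeleted -eq $true -and name -ne "Deleted Objects"'

function Get-TombstoneLifetime {
    # Days a tombstone survives before garbage collection removes it for good.
    param([hashtable]$Conn = @{})
    $cfgNc = (Get-ADRootDSE @Conn).configurationNamingContext
    $dsCfg = Get-ADObject @Conn -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                 -Properties tombstoneLifetime
    # Attribute absent means the forest still uses the pre-2003 SP1 default of 60 days.
    if ($dsCfg.tombstoneLifetime) { [int]$dsCfg.tombstoneLifetime } else { 60 }
}

function Test-RecycleBin {
    # True when the 2008 R2 AD Recycle Bin is enabled: restores then keep linked
    # attributes such as group membership instead of only the SID and a few fields.
    param([hashtable]$Conn = @{})
    $feature = Get-ADOptionalFeature @Conn -Filter 'name -like "Recycle Bin Feature"'
    [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Get-Tombstone {
    # Equivalent of the "Enumerate Tombstones" button. -IncludeDeletedObjects adds the
    # LDAP "show deleted" control; without it the DC hides tombstones from searches.
    param(
        [string]$NameLike = '*',      # e.g. 'jsmith*' to find one user quickly
        [string]$Server,              # DC targeting, as in the tool
        [pscredential]$Credential     # alternate creds, so you need not log on as Domain Admin
    )
    $conn = @{}
    if ($Server)     { $conn.Server = $Server }
    if ($Credential) { $conn.Credential = $Credential }
    $lifetime = Get-TombstoneLifetime $conn
    Get-ADObject @conn -IncludeDeletedObjects -Filter "$TombstoneFilter -and name -like '$NameLike'" `
        -Properties objectClass, lastKnownParent, whenChanged, sAMAccountName, objectSid |
    ForEach-Object {
        [pscustomobject]@{
            # A tombstone's name is "<old name><LF>DEL:<guid>"; keep the readable part.
            Name            = ($_.Name -split "`n")[0]
            Class           = $_.objectClass
            SamAccountName  = $_.sAMAccountName
            LastKnownParent = $_.lastKnownParent   # where it lived; restore this first if it is gone too
            DeletedOn       = $_.whenChanged       # deletion time, unless something touched the tombstone since
            DaysUntilPurge  = $lifetime - [int]((Get-Date) - $_.whenChanged).TotalDays
            ObjectGUID      = $_.ObjectGUID
        }
    }
}

function Restore-Tombstone {
    # Reanimate one tombstone (the "Restore" button), then show what survived.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][guid]$ObjectGUID,
        [string]$TargetPath,          # needed when the last known parent no longer exists
        [string]$Server,
        [pscredential]$Credential
    )
    $conn = @{}
    if ($Server)     { $conn.Server = $Server }
    if ($Credential) { $conn.Credential = $Credential }
    if (-not $PSCmdlet.ShouldProcess($ObjectGUID, 'Reanimate tombstone')) { return }
    $restore = @{ Identity = $ObjectGUID }
    if ($TargetPath) { $restore.TargetPath = $TargetPath }
    Restore-ADObject @conn @restore
    # Without the Recycle Bin only attributes flagged preserve-on-delete survive; memberOf
    # is a linked attribute and comes back empty, so group membership must be re-added by hand.
    $obj = Get-ADObject @conn -Identity $ObjectGUID -Properties sAMAccountName, userPrincipalName, memberOf, description
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        RecycleBinEnabled = Test-RecycleBin $conn
        SamAccountName    = $obj.sAMAccountName
        UserPrincipalName = $obj.userPrincipalName
        GroupCount        = @($obj.memberOf).Count
        Description       = $obj.description
    }
}

# Usage (dc01 is a placeholder): list what can still be recovered, dry-run the restore, then do it.
# Get-Tombstone -NameLike 'jsmith*' -Server dc01 -Credential (Get-Credential) | Format-Table
# Restore-Tombstone -ObjectGUID <guid from the listing> -Server dc01 -WhatIf
# Restore-Tombstone -ObjectGUID <guid from the listing> -Server dc01
```

Run the listing first and look at DaysUntilPurge and LastKnownParent: a tombstone whose parent OU was deleted too has to be restored after the OU, or with -TargetPath pointing at a live container. The GroupCount of the returned object tells you at a glance whether you got a Recycle Bin style restore with memberships intact or a bare reanimation that still needs its group memberships put back.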
Yes! This works on Windows Server 2008 Active Directory as well as 2003. How do I know? Because we are a 2008 native shop! Here is a list of the main features available:
* Browsing the tombstones
* Domain Controller targeting
* Can be used with alternative credentials (convenient if you do not log on to your desktop as Domain Admin, which you should never do anyway)
* User/Computer/OU/Container reanimation
* Preview of tombstone attributes
Know of some other good, free tools for recovering deleted AD objects? Hit us up in the comments!
What do you guys think? What if the objects were modified instead of removed? How do you deal with that? Do you have to do a restore from backup? Can you roll your AD back? Let's hear from you admins out there!
about 1 year ago
Good point about not logging into your workstation as domain admin. We always use two accounts here, our regular user account, and our domain admin accounts. Also, we never use the default “Administrator” account. In fact, we have disabled that altogether.
about 1 year ago
We actually set the administrator account up as a honey pot with login scripts that would make you sorry you logged in as that user :)
about 1 year ago
How far back can this tool enumerate deleted objects and restore them? What's the cutoff?
about 1 year ago
Just keep in mind that unless you do an authoritative restore or use the 2008 R2 recycle bin, you are only bringing back the object and its SID.
Most of the other attributes (including group memberships) are lost. That is one of the primary reasons to use the R2 recycle bin; it brings back those attributes without the hassle of a full AD restore.
about 1 year ago
Jon – Depends on the tombstone life setting. I believe it defaults to 180 days.
about 1 year ago
I use netwrix AD Object Restore wizard for problems like this. It's free and provides granular restoration of deleted users, groups, etc. I recommend it.
about 1 year ago
Thanks Jennifer do you work for netwrix?