Restore computer account

  • Question

  • Hi,

    We are looking to install a new process to automate the cleaning of unused computer accounts.

    My question: if we accidentally delete a computer object, what's the best practice:

    •  Restore computer account
    • Create new account

    Thank you in advance for your recommendations 

    Saturday, December 7, 2019 3:02 AM


All replies

  • Simplest is likely to disjoin / join domain again.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, December 7, 2019 3:12 AM
  • Hi,

    You can protect an AD object against accidental deletion.

    If an object was deleted accidentally, you can restore it through the Active Directory Recycle Bin if you enabled it before the object deletion.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by RichardT48 Friday, December 13, 2019 12:54 PM
    Saturday, December 7, 2019 3:16 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to our description, I agree with the above two.

    For the option "Restore computer account", we can use the built-in LDP tool to restore the account (maybe it is a little complex).

    Or if our forest and domain functional level is Windows Server 2008 R2 (including 2008 R2) or above and we have enabled AD Recycle Bin, we can restore the account from the Deleted Objects container (maybe we can not enable AD Recycle Bin by default).

    For the option "Create new account", we can simply remove the machine from the domain and rejoin it to the domain again.


    Whether we choose to restore the computer or create a new account depends on our existing environment, conditions and emergency level.


    Meanwhile, to avoid accidental deletion of AD objects, it is recommended that we check the option “Protect object from accidental deletion” when we create new AD objects.




    Reference:

    Active Directory: Recovery of accidentally deleted OUs and their objects
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/db930c81-f2dc-44b9-8b20-e5d3ca29df45/active-directory-recovery-of-accidentally-deleted-ous-and-their-objects?forum=winserverDS




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 9, 2019 4:15 AM
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Wednesday, December 11, 2019 8:37 AM
  • You can protect the account against accidental deletion, and you can use PowerShell to script a massive / automatic update. If it happens that an account was mistakenly cleaned, then you can restore it or just re-join the PC. You need to be careful that this won't work well if 1) the computer SID is used for authorization (this is rare, but if this is the case, you need to update the SID on the authorizing system) and 2) the computer is a member of specific security groups (in this case, you need to add the membership for authorizations to work as expected).

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Marked as answer by RichardT48 Friday, December 13, 2019 12:54 PM
    Wednesday, December 11, 2019 8:47 AM
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Friday, December 13, 2019 3:58 AM
  • Hi,

    We have restored the computer account and rejoined the server to the domain.

    I have a question about the recycle bin: we have a domain but we are not sure if the recycle bin is enabled or not. Can you tell me how I can check it?

    Friday, December 13, 2019 12:53 PM
  • Hi,

    We have restored the computer account and rejoined the server to the domain.

    I have a question about the recycle bin: we have a domain but we are not sure if the recycle bin is enabled or not. Can you tell me how I can check it?

    Hi,

    You can run the following command to check the recycle bin status:

    Get-ADOptionalFeature -Filter {Name -like "Recycle Bin Feature"}

    If EnabledScopes is empty, that means that the recycle bin feature is disabled.


    Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by RichardT48 Monday, December 16, 2019 12:21 PM
    Friday, December 13, 2019 2:18 PM
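
Added example, not part of any post in this thread: one way to combine the EnabledScopes check above with a Recycle Bin restore of a deleted computer object and the "protect from accidental deletion" setting mentioned earlier. The function name Restore-DeletedComputer and the computer name SRV-APP01 are hypothetical; the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example, not from the thread. 'Restore-DeletedComputer' and 'SRV-APP01'
# are hypothetical names. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Restore-DeletedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,  # computer name without the trailing '$'
        [switch]$Protect                      # also set "Protect object from accidental deletion"
    )

    # Same check as in the thread: an empty EnabledScopes means the feature is off.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled in this forest; use LDP or rejoin the machine instead.'
    }

    # With the Recycle Bin enabled, deleted objects keep sAMAccountName.
    # If the name was deleted more than once, take the most recent deletion.
    $sam = "$Name`$"
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties whenChanged, lastKnownParent `
            -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" |
        Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $deleted) { throw "No deleted computer object named '$Name' was found." }

    if ($PSCmdlet.ShouldProcess($deleted.DistinguishedName, 'Restore-ADObject')) {
        $restored = $deleted | Restore-ADObject -PassThru
        if ($Protect) {
            Set-ADObject -Identity $restored -ProtectedFromAccidentalDeletion $true
        }
        # Return the values worth comparing with the pre-deletion state:
        # the SID and the group memberships.
        Get-ADComputer -Identity $restored.ObjectGUID -Properties MemberOf, ProtectedFromAccidentalDeletion |
            Select-Object Name, SID, MemberOf, ProtectedFromAccidentalDeletion, DistinguishedName
    }
}

# Dry run first, then the real restore:
# Restore-DeletedComputer -Name 'SRV-APP01' -WhatIf
# Restore-DeletedComputer -Name 'SRV-APP01' -Protect
```

An object restored from the Recycle Bin keeps its original SID and group memberships, whereas an account re-created by a fresh domain join gets a new SID and no memberships, so the returned SID and MemberOf values show which case applies.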
  • Thank you Thameur for your answer.

    I have another question about the recycle bin. Can we enable it in only one domain in a multi-domain forest?

    Monday, December 16, 2019 12:23 PM
  • Thank you Thameur for your answer.

    I have another question about the recycle bin. Can we enable it in only one domain in a multi-domain forest?

    No, the recycle bin can be enabled from the forest level, and rollback is not possible because it is a setting on the configuration partition.

    Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by RichardT48 Monday, December 16, 2019 3:27 PM
    Monday, December 16, 2019 1:43 PM
  • Thank you for your confirmation. I appreciate your help
    Monday, December 16, 2019 3:28 PM