Directory Services Recycle Bin - Will not restore computer accounts.

  • Question

  • AD Server 2016

    When restoring deleted objects from the Active Directory Recycle Bin, all user accounts work. Computer accounts do not restore, except for the Linux systems that have been added to AD.

    The error we get is "An attempt was made to modify an object to include an attribute that is not legal for its class".

    This has started happening in the last few months.


    • Edited by JohnW777 Monday, August 28, 2017 8:31 PM
    Monday, August 28, 2017 3:32 PM

Answers

  • I had the same issue as you.

    I ended up opening a support case with MS.

    The problem was caused by an attribute missing during the 2016 schema update.

    Attribute name was: msDS-KeyCredentialLink

    I added it to the Computer class attribute list and it fixed the issue.

    • Marked as answer by JohnW777 Thursday, March 22, 2018 1:23 PM
    Tuesday, November 28, 2017 3:17 PM

All replies

  • Hi JohnW777,

    Do you mind verifying the steps from the link below?

    AD Recycle Bin object restore, step by step:

    https://technet.microsoft.com/en-us/library/dd379509%28WS.10%29.aspx?f=255&MSPPError=-2147217396

    If that operation is no problem, then based on the current situation I would like to collect more details to narrow down this issue. Can you show me the log in the Event Viewer?

    Thank you for your kind understanding and patience.

    Best Regards,

    Tobias Fang


    [8/28/2017 11:00 AM] Liping jiang (Shang Hai Wei Chuang Ruan Jian): Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by RomanMulley Tuesday, August 29, 2017 9:30 AM
    Tuesday, August 29, 2017 7:18 AM
  • Is it in the Deleted Items container in Active Directory Administrative Center?

    If so, follow these instructions from Microsoft to recover it:

    https://blogs.technet.microsoft.com/canitpro/2014/07/28/step-by-step-restoring-a-deleted-object-via-active-directory-recycle-bin/

    Please read this link: how to restore a deleted computer account in Active Directory.

    When an object is deleted it enters the "deleted" state and is moved to the "Deleted Objects" container. Get help from this article to restore deleted objects in Active Directory: https://www.lepide.com/blog/restore-deleted-objects-in-active-directory/

    Step 1: Enable Active Directory Recycle Bin
    Step 2: Restore a Deleted Active Directory Object
    Regarding the error, run each of these and verify that they complete successfully:

    Setup.com /PrepareSchema

    Setup.com /PrepareAD

    Setup.com /PrepareAllDomains

    Also, check this article on planning an Active Directory backup and restoration:
    http://www.askme4tech.com/planning-active-directory-backup-and-restoration

    Hope this helps!



    • Proposed as answer by RomanMulley Tuesday, August 29, 2017 9:30 AM
    Tuesday, August 29, 2017 9:29 AM
  • The AD Recycle Bin is enabled and has been for many years.

    The problem is at the point of finding the deleted item in the Active Directory Administrative Center.

    Right-click, Restore. The error is displayed: "An attempt was made to modify an object to include an attribute that is not legal for its class". A deleted user account works; a Linux computer account works. Once I image a new system, the moment I add it back onto the domain the restore feature will not work. If an imaged laptop has not been turned on, then that will also be able to be restored. It seems as soon as it hits the group policies (LAPS, BitLocker, etc.) then the feature will break for that computer account. As the Linux computer accounts do not pick up GP, they can be restored.

    This worked for many years and just started happening, around when we started to use LAPS.

    Very frustrating, and no information online. This was the last stop before we opened an MS case.



    • Edited by JohnW777 Tuesday, August 29, 2017 6:08 PM
    • Proposed as answer by Tobiasfang Wednesday, September 20, 2017 2:16 AM
    • Unproposed as answer by Tobiasfang Thursday, September 21, 2017 1:56 AM
    Tuesday, August 29, 2017 3:40 PM
  • I am unable to restore the items through that method either.

    Also, I have checked over and over for event logs and nothing.




    • Edited by JohnW777 Tuesday, August 29, 2017 6:08 PM
    Tuesday, August 29, 2017 3:41 PM
  • Hi exitista,

    Before we go further, I would like to confirm the following questions:

    Before the issue happened, did you make any modifications? For example, did you add attributes to the AD schema to create computer accounts for Linux?

    Best Regards,

    Tobias Fang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 1, 2017 7:46 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Tobias Fang

    Friday, September 8, 2017 5:02 AM
  • LDP.exe returns about the same error:

    Error 0x207D An attempt was made to modify an object to include an attribute that is not legal for its class.

    Monday, October 16, 2017 5:12 PM
  • How did you find out that it was that specific attribute? We're getting the same thing when trying to restore Windows 10 objects.

    Just double-checked ADSI and we do have msDS-KeyCredentialLink, which is the only attribute different from, say, a Windows 7 machine that restores fine.

    • Edited by 98cwitr Tuesday, December 5, 2017 4:28 PM
    Tuesday, December 5, 2017 3:35 PM
  • Repadmin /showobjmeta * "your-deleted-computer-dn" > Outfile.txt

    Compare with schema.

    Thursday, December 7, 2017 10:49 PM
  • Zelden mentioned adding the msDS-KeyCredentialLink attribute to the computer class. We already had that and were getting the error. However, when we added the msDS-KeyCredentialLink-BL attribute to the computer class and forced replication (could have waited but were anxious to test), the issue resolved immediately. Hope this helps.

    • Edited by kse412 Friday, December 15, 2017 12:19 PM
    • Proposed as answer by kse412 Wednesday, December 20, 2017 2:44 PM
    Thursday, December 14, 2017 12:27 PM
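    The comparison suggested in the two replies above (dump the deleted object's attributes, compare with the schema, then add the attribute the class lacks), as an added PowerShell example that is not from the thread or from Microsoft. It assumes the ActiveDirectory module, a Recycle Bin that retains the full object, and read access to the Deleted Objects container; $DeletedName, the LAPTOP01 value and the Get-PermittedAttributes function are placeholders of mine.

```powershell
# Added diagnostic, not from the thread: attributes present on a deleted computer object
# that its objectClass does not permit. $DeletedName is a placeholder; needs the AD module.
Import-Module ActiveDirectory
$DeletedName = 'LAPTOP01'    # placeholder: name of the deleted computer account
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Deleted objects keep the original name as a prefix ("LAPTOP01\0ADEL:<guid>").
$obj = Get-ADObject -IncludeDeletedObjects -LDAPFilter "(&(isDeleted=TRUE)(name=$DeletedName*))" -Properties * |
    Select-Object -First 1
if (-not $obj) { throw "No deleted object whose name starts with '$DeletedName'" }

# Attributes a class may carry: its own may/mustContain lists plus those of every superclass
# (subClassOf chain) and auxiliary class.
function Get-PermittedAttributes {
    param([string]$ClassName)
    $allowed = @{}; $seen = @{}
    $queue = New-Object System.Collections.Generic.Queue[string]; $queue.Enqueue($ClassName)
    while ($queue.Count -gt 0) {
        $cls = $queue.Dequeue()
        if ($seen.ContainsKey($cls)) { continue }; $seen[$cls] = $true
        $cs = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$cls))" `
            -Properties mayContain, systemMayContain, mustContain, systemMustContain, subClassOf, auxiliaryClass, systemAuxiliaryClass
        foreach ($a in @($cs.mayContain) + @($cs.systemMayContain) + @($cs.mustContain) + @($cs.systemMustContain)) {
            if ($a) { $allowed[$a.ToLower()] = $true }
        }
        foreach ($p in @($cs.subClassOf) + @($cs.auxiliaryClass) + @($cs.systemAuxiliaryClass)) {
            if ($p) { $queue.Enqueue($p) }
        }
    }
    return $allowed
}

# Only judge real schema attributes; the ADObject also exposes PowerShell-only extended
# properties (Deleted, LastKnownParent, ...) that are not LDAP attributes.
$schemaAttrs = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName |
    ForEach-Object { $schemaAttrs[$_.lDAPDisplayName.ToLower()] = $true }

$allowed = Get-PermittedAttributes -ClassName $obj.ObjectClass
$offending = @($obj.PropertyNames | Where-Object {
    $schemaAttrs.ContainsKey($_.ToLower()) -and -not $allowed.ContainsKey($_.ToLower()) })

Write-Output "Class '$($obj.ObjectClass)' does not permit $($offending.Count) attribute(s) on '$($obj.Name)':"
$offending | Sort-Object | ForEach-Object { Write-Output "  $_" }
# The replies above fixed the restore by adding the missing attribute to the computer class,
# a schema change that needs Schema Admins rights and is made on the schema master, e.g.:
#   Set-ADObject -Identity "CN=Computer,$schemaNC" -Add @{mayContain='msDS-KeyCredentialLink-BL'}
```

    Run it read-only first; the commented Set-ADObject line is the schema change the replies describe and replicates forest-wide once made.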
  • Thank you!!

    Same here... I had to add the attribute "msDS-KeyCredentialLink-BL" to the computer class.

    Seems to be related to the "new Microsoft Passport (MS Schema Attribute Documentation; attributes are for 'Windows Server vNext' and subject to change)".

    Perhaps it is also due to the machine being Windows 10 with BitLocker enabled...

    Anyway, thank you very much!!!

    Thursday, April 12, 2018 10:18 AM