Trace the deleted Active Directory Account.

    Question

  • For audit purposes, I need a list of user accounts that have been deleted from today's date back over the last 1 month. Please help me get this. Is it possible to find deleted user accounts with the date of deletion?
    Nirmal Singh IT Administrator
    Thursday, October 20, 2011 2:54 PM

Answers

  • You can use the EventCombMT tool to access all the logs on a single server. The repadmin command's /showobjectmeta option can also be used to trace.

    http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory.aspx

    http://blogs.dirteam.com/blogs/tomek/archive/2006/09/21/Auditing-directory-changes-aka-_2600_quot_3B00_Who-deleted-this-object_3F002600_quot_3B00_.aspx

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, October 20, 2011 4:39 PM
    Moderator
  • Hi,

     

    Here is an example for your reference: restoring the deleted object Arlene Huff from the Deleted Objects container to its original state (Fabrikam.com). We can use LDP or PowerShell to search for deleted objects and restore them.

     

    Method 1: Restore a deleted object by using the Active Directory module

    ===============================================

    In this procedure you use the Active Directory module for Windows PowerShell to search for and restore the deleted object Arlene Huff from the Deleted Objects container to its original state, minus its group membership information.

    To restore a deleted object by using the Active Directory module

    ==================================================

    1.    Log on to the Windows Server 2008 R2 domain controller DC2 with Enterprise Admin or Domain Admin credentials.

    2.    Click Start, Administrative Tools, and then click Active Directory PowerShell.

    3.    At the command prompt, type the following command, and then press ENTER:

     

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=Fabrikam,DC=com" -Filter {lastKnownParent -eq "OU=Finance,DC=Fabrikam,DC=com"} -IncludeDeletedObjects | ft distinguishedName

     

    This command returns the distinguished name of all the objects in the Deleted Objects container whose lastKnownParent attribute is the Finance OU. You know the last known parent of Arlene Huff is the Finance OU as you mounted, exposed, and discovered this information when you did the investigative work to determine which container and group Arlene Huff belonged to.

     

    In the command output, you can see that this portion, CN=Arlene Huff\0ADEL:4923acaa-ce5f-461c-9f53-944295713baa of the distinguishedName attribute for the user Arlene Huff is mangled:

     

    CN=Arlene Huff\0ADEL:4923acaa-ce5f-461c-9f53-944295713baa,CN=Deleted Objects,DC=Fabrikam,DC=com

     

    This indicates that the user object Arlene Huff is a deleted object.

     

    4.    To restore the object to its original state before the deletion occurred, type the following command at the command prompt:

     

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=Fabrikam,DC=com" -filter {lastKnownParent -eq "OU=Finance,DC=Fabrikam,DC=com"} -IncludeDeletedObjects | Restore-ADObject -NewName "Arlene Huff" -TargetPath "OU=Finance,DC=Fabrikam,dc=com"

     

    When you run this command, 0ADEL:4923acaa-ce5f-461c-9f53-944295713baa—the mangled portion of the distinguished name for the user object Arlene Huff, is removed and the object is now restored to its original state before it was deleted, minus its group membership information.

     

    Method 2: Restore a deleted object by using LDP

    =================================

    When Active Directory objects are deleted, they are placed in the Deleted Objects container. In the following procedure, you use the LDP snap-in to restore the deleted object.

    To use LDP to search for and restore a deleted Active Directory object

    ==================================================

    1.    Log on to the Windows Server 2008 domain controller DC1 with Enterprise Admin or Domain Admin credentials.

    2.    Click Start, click Run, type ldp.exe, and then click OK.

    3.    Click Connection, and then click Connect.

    4.    Because you are logged on to the domain controller that hosts the forest root domain, click OK.

    5.    Click Connection again, and then click Bind.

    6.    Under Bind type, ensure that Bind as currently logged on user is selected, and then click OK.

    7.    Click View, and then click Tree. In BaseDN, type DC=Fabrikam,DC=com, and then click OK.

    8.    Click Options, and then click Controls. In the Load Predefined menu, click Return Deleted Objects, click Check Out, click Check In, and then click OK.

    9.    In the console tree, expand DC=Fabrikam,DC=com, double-click CN=Deleted Objects,DC=Fabrikam,DC=com, and then double-click CN=Arlene Huff\0ADEL:{objectGUID},CN=Deleted Objects,DC=Fabrikam,DC=com to open the object properties.

    10. Right-click CN=Arlene Huff\0ADEL:objectGUID,CN=Deleted Objects,DC=Fabrikam,DC=com, and then click Modify.

    11. In the Modify dialog box, do the following:

    a. In Edit Entry Attribute, type isDeleted

    b. Under Operation, click Delete, and then click Enter.

    c. Return to Edit Entry Attribute, and then type distinguishedName. (If the text isDeleted is still present in the box, remove it.)

    d. In the details pane, under Dn: CN=Arlene Huff\0ADEL:objectGUID,CN=Deleted Objects,DC=Fabrikam,DC=com, copy the value for the lastknownParent attribute, and then paste it in Values. Amend this text with the CN of Arlene Huff, minus the mangled portion (\0ADEL:objectGUID) of the distinguished name, for example:

    CN=Arlene Huff,OU=Finance,DC=Fabrikam,DC=com

    12. Under Operation, click Replace, click Enter, ensure that the Extended check box is selected, and then click Run. You will see a confirmation message.

    13. Click Close to close the Modify dialog box, and then minimize LDP.

    14. Open the Active Directory Users and Computers snap-in. To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

    15. Click the Finance OU, and ensure that the user Arlene Huff is present.

     

     

    If you encounter any difficulties when writing the scripts, you may submit a new question in The Official Scripting Guys Forum!, which is the best resource for scripting-related issues.

     

    Hope this helps!


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, October 21, 2011 2:19 PM
    Moderator
  • The adrestore.net tool will help you with this. You can even restore deleted users.

    http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx


    Darshana Jayathilake
    Thursday, October 20, 2011 4:21 PM
  • Hi,

     

    Have you seen this?

     

    http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory.aspx


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Friday, October 21, 2011 7:12 AM
  • Free AD restoration tool.

    http://social.technet.microsoft.com/wiki/contents/articles/free-ad-objects-recovery-tools.aspx

    How to Manage Our Environment AD Restoration without Any Downtime of any DC

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-manage-our-environment-ad-restoration-without-any-downtime-of-any-dc.aspx

     


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Saturday, October 22, 2011 12:40 PM

All replies

  • Hello,

    Do you have auditing enabled on the Domain Controllers OU? If yes, which options are configured? Without any auditing configured you can't do it backwards.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, October 20, 2011 2:56 PM
  • Hi,

    Please see the links; you will get the events, but you need to have auditing enabled.
    http://blogs.dirteam.com/blogs/jorge/archive/2008/04/29/auditing-in-windows-server-2008.aspx

    http://support.microsoft.com/kb/174074

    Hope this helps.

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
    • Marked as answer by Nirmal Singh Thursday, October 20, 2011 3:34 PM
    • Unmarked as answer by Nirmal Singh Thursday, October 20, 2011 3:34 PM
    Thursday, October 20, 2011 3:12 PM
  • I know about these possibilities, but I do not want to export this using event logs. Is there any script available that can fetch data from the Deleted Objects container in the Active Directory database?
    Nirmal Singh IT Administrator
    Thursday, October 20, 2011 3:35 PM
  • You can use a tool like adfind from Joe Richards to help a little bit.  This is in addition to auditing

    http://www.joeware.net/freetools/tools/adfind/index.htm

    adfind -default -showdel -f "&(objectclass=user)(isdeleted=TRUE)" samaccountname whenchanged -tdca

    Whenchanged is not replicated but in reality once your objects have passed the tombstone lifetime you can't search for them anyway.  Tombstone lifetime is either 60 or 180 days by default.

     

    Thanks

    Mike


    http://adisfun.blogspot.com
    Follow @mekline
    Thursday, October 20, 2011 4:48 PM
  • You can query AD for deleted objects and check the originating time of the isDeleted attribute. That tells you WHEN and on WHICH DC the object was deleted.

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------

    "Nirmal Singh" wrote in message news:ba11d5a2-f30b-4163-913e-21f3941593c3@communitybridge.codeplex.com...
    As Audit purpose. I need list of users account which has been deleted  from today date to last 1 month.  Please help on to get this. Is it possible to find out deleted user account with date of deletion.
    Nirmal Singh IT Administrator

    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Friday, October 21, 2011 7:07 AM
    Moderator
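
    Added example (not part of the thread or any poster's code): one way to produce the list the question asks for, combining the replies above by searching the Deleted Objects container and reading the originating change of isDeleted from the msDS-ReplAttributeMetaData attribute. The function names, the 30-day default and the sample metadata fragment are constructed for illustration; it assumes the ActiveDirectory module and an account that can read deleted objects.

```powershell
function Get-IsDeletedStamp {
    # Parse msDS-ReplAttributeMetaData values (one XML fragment per attribute)
    # and return when and on which DC isDeleted was last originated.
    param([string[]]$MetaData)
    $clean = ($MetaData -join '').Replace([string][char]0, '')  # strip trailing NULs
    $xml   = [xml]"<root>$clean</root>"
    $entry = $xml.root.DS_REPL_ATTR_META_DATA |
        Where-Object { $_.pszAttributeName -eq 'isDeleted' } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    New-Object PSObject -Property @{
        DeletedAtUtc  = [datetime]::Parse($entry.ftimeLastOriginatingChange).ToUniversalTime()
        OriginatingDc = $entry.pszLastOriginatingDsaDN   # empty if that DC no longer exists
    }
}

function Get-RecentlyDeletedUser {
    # Deleted user objects whose isDeleted change originated within $Days days.
    param([int]$Days = 30)
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $base   = (Get-ADDomain).DeletedObjectsContainer
    Get-ADObject -SearchBase $base -IncludeDeletedObjects `
        -LDAPFilter '(&(objectClass=user)(!(objectClass=computer))(isDeleted=TRUE))' `
        -Properties sAMAccountName, lastKnownParent, 'msDS-ReplAttributeMetaData' |
    ForEach-Object {
        $stamp = Get-IsDeletedStamp $_.'msDS-ReplAttributeMetaData'
        if ($stamp -and $stamp.DeletedAtUtc -ge $cutoff) {
            $_ | Select-Object sAMAccountName, lastKnownParent,
                @{ n = 'DeletedAtUtc';  e = { $stamp.DeletedAtUtc } },
                @{ n = 'OriginatingDc'; e = { $stamp.OriginatingDc } }
        }
    } | Sort-Object DeletedAtUtc
}

# Offline check of the parser against a constructed metadata fragment.
$sample = '<DS_REPL_ATTR_META_DATA>' +
    '<pszAttributeName>isDeleted</pszAttributeName><dwVersion>1</dwVersion>' +
    '<ftimeLastOriginatingChange>2011-10-19T08:15:00Z</ftimeLastOriginatingChange>' +
    '<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC2,CN=Servers,' +
    'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com' +
    '</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>'
Get-IsDeletedStamp $sample | Format-List

# Against a live domain, export the audit list:
# Get-RecentlyDeletedUser -Days 30 | Export-Csv .\deleted-users.csv -NoTypeInformation
```

    As the replies note, this only covers objects still inside the tombstone lifetime, and it shows when and on which DC the deletion originated; identifying who deleted the account requires auditing to have been enabled beforehand.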