Showing posts with label Windows event 4743. Show all posts

Friday, June 23, 2017

Recover Deleted Active Directory Object

Today I needed to restore an object that had been accidentally deleted from Active Directory Users & Computers. There is likely another, more direct way to do this, but this is what I did.

Here was my process after I was given the name of the computer needing recovery and the approximate time it was deleted:

1)  Connect to the Event Viewer of the domain controller the object was just deleted from

  • Open Event Viewer
  • Go to menu "Action" and select "Connect to Another Computer..."
  • Check option to connect to "Another computer" and type the name of the domain controller & click OK

2)  Explore and filter the Security event log for the account deletion event to get the computer's SID

  • Click "Security" under "Windows Logs" in the left pane
  • In the right pane under "Actions" choose "Filter Current Log..."
  • Enter the event ID 4743 in the <All Event IDs> box to filter by the "Computer Account Management" category
  • Check events near the date and time reported by the tech (I believe you can filter further with other criteria, but I didn't have many security events, so it was just as easy to click through a few entries)
  • Locate the event whose Target Computer Account Name matches the object's name followed by $
  • Copy the Security ID (SID) of the deleted computer given in the event (just above the Account Name)


3) Launch ldp.exe from an elevated (aka run as administrator) command prompt

  • Locate cmd.exe
  • Right click and "Run as administrator"
  • Type and then press enter: ldp.exe

4) Display the Deleted Objects container in Ldp.exe admin tool (taken from MS Technet, source listed at end of post)

  • On the "Options" menu, click "Controls"
  • In the "Controls" box, choose "Return deleted objects" from the "Load Predefined" drop-down menu
  • Connect and bind to the domain controller
    • Click "Connections" menu, click "Connect" and type the domain controller name
    • Click OK
    • Under "Connections" menu again, click "Bind" and choose "Bind as currently logged in user" (you'll need the proper rights to do this of course)
    • Click "View" menu, select "Tree" and for BaseDN type DC=<mydomain>,DC=<com> where <mydomain> and <com> are the appropriate names of your domain/AD DS environment
    • Double-click the root of the tree and find CN=Deleted Objects,DC=<mydomain>,DC=<com>, again where <mydomain> and <com> are the appropriate names for your environment


5) Search in Ldp.exe for the SID

  • Click "Utilities" from the menu bar, and select "Sid lookup"
  • Enter or paste the SID from the Security event log found earlier in Step 2
  • Ldp.exe will return the current distinguished name of the object followed by the SID, for example:

        CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com [S-1-5-21-1883794253-430958161-68370779-32434]

6) Restore the deleted computer to Active Directory Users & Computers (FYI you have to run Ldp.exe from an elevated command prompt to do this part, and must be a member of Domain Admins or equivalent to complete the procedure)

  • Right click in the results pane and select "Modify" in the popup menu
  • In DN, make sure the distinguished name for the object returned in the results list from the SID search is present (without the SID in brackets), for example (using the name from the example object above):

        CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com

  • In "Edit Entry Attribute" type isDeleted
  • Leave the "Values" box empty
  • Under "Operation" click Delete, and then click Enter button, just to the right
  • Now in "Edit Entry Attribute" replace isDeleted and type distinguishedName
  • In "Values" type the original distinguished name (aka DN) of the Active Directory object
  • Under "Operation" choose Replace
  • Check the box for Extended
  • Click Enter button again
  • Finally, click Run


7)  Check the results window for the ***Call Modify... entry to make sure the object was successfully modified


8)  Last, go into Active Directory Users and Computers and look for the restored object.
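The same recovery as steps 2 through 7 done from PowerShell, as an added example that is not part of the original post: it reads the Target SID out of the 4743 event, finds the tombstone by SID with the same "Return deleted objects" control, and sends the isDeleted/distinguishedName change as one modify request. It assumes Domain Admin rights on a domain-joined machine; the DC name, computer name and target OU are placeholders, and only .NET's System.DirectoryServices.Protocols is used (no RSAT needed).

```powershell
# Added example, not from the original post. $Dc, $ComputerName and $TargetOu are placeholders.
param(
    [string]$Dc           = 'dc01.mydomain.com',              # DC the object was deleted on
    [string]$ComputerName = 'JenLaptop',                      # deleted computer, without the trailing $
    [string]$TargetOu     = 'OU=Laptops,DC=mydomain,DC=com',  # where the object should live again
    [datetime]$Since      = (Get-Date).AddHours(-4)           # how far back to look for the 4743
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

# Step 2: find the 4743 (computer account deleted) event and read the Target SID from its XML.
$evt = Get-WinEvent -ComputerName $Dc -FilterHashtable @{LogName='Security'; Id=4743; StartTime=$Since} |
    Where-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' -eq "$ComputerName`$"
    } | Select-Object -First 1
if (-not $evt) { throw "No 4743 event for $ComputerName on $Dc since $Since" }
$data = @{}; ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
"Deleted at $($evt.TimeCreated) by $($data.SubjectDomainName)\$($data.SubjectUserName); target SID $($data.TargetSid)"

# Steps 4-5: bind, attach the 'Return deleted objects' control (OID 1.2.840.113556.1.4.417)
# and look the tombstone up by SID instead of browsing the Deleted Objects container.
$conn = New-Object "$P.LdapConnection" $Dc
$conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true
$conn.Bind()   # bind as the currently logged-on user, as in Ldp.exe
$showDeleted = New-Object "$P.DirectoryControl" '1.2.840.113556.1.4.417', $null, $true, $true
$sidObj = New-Object System.Security.Principal.SecurityIdentifier $data.TargetSid
$raw = New-Object byte[] $sidObj.BinaryLength; $sidObj.GetBinaryForm($raw, 0)
$filter = '(&(isDeleted=TRUE)(objectSid=' + (($raw | ForEach-Object { '\{0:x2}' -f $_ }) -join '') + '))'
$domainDn = ($TargetOu -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
$search = New-Object "$P.SearchRequest" $domainDn, $filter, 'Subtree', 'distinguishedName'
$search.Controls.Add($showDeleted) | Out-Null
$hits = $conn.SendRequest($search).Entries
if ($hits.Count -ne 1) { throw "Expected one tombstone for $($data.TargetSid), found $($hits.Count)" }
$deletedDn = $hits[0].DistinguishedName   # CN=JenLaptop\0ADEL:<guid>,CN=Deleted Objects,DC=...

# Step 6: one LDAP modify that deletes isDeleted and replaces distinguishedName, sent with the
# control attached (that is what the 'Extended' checkbox does in the Ldp.exe Modify dialog).
$del = New-Object "$P.DirectoryAttributeModification"; $del.Name = 'isDeleted'; $del.Operation = 'Delete'
$rep = New-Object "$P.DirectoryAttributeModification"; $rep.Name = 'distinguishedName'; $rep.Operation = 'Replace'
$rep.Add("CN=$ComputerName,$TargetOu") | Out-Null
$mod = New-Object "$P.ModifyRequest"; $mod.DistinguishedName = $deletedDn
$mod.Modifications.Add($del) | Out-Null; $mod.Modifications.Add($rep) | Out-Null
$mod.Controls.Add($showDeleted) | Out-Null
$result = $conn.SendRequest($mod)
"Modify result: $($result.ResultCode)"   # Success means the object is back; verify it in AD Users and Computers
```

A reanimated tombstone comes back with only the attributes preserved on tombstones (SID, GUID, a few others), so expect to reset group memberships and the like afterwards; if the AD Recycle Bin is enabled in your forest, Restore-ADObject from the ActiveDirectory module restores the object with all of its attributes instead.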



Sources:

Work with Event Logs on a Remote Computer - https://technet.microsoft.com/en-us/library/cc766438(v=ws.11).aspx
4743 - A Computer Account was Deleted - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4743
Viewing Deleted Objects in Active Directory - https://support.microsoft.com/en-us/help/258310/viewing-deleted-objects-in-active-directory
Restore a Deleted Active Directory Object - https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
How to Recover Deleted Object from Active Directory Using LDP.exe - http://techguyvijay.blogspot.com/2012/01/how-to-recover-deleted-object-from.html

Wednesday, September 14, 2016

Computers Disappear from Active Directory/Domain

Discovered our MacBooks were "disappearing" from Active Directory and falling off the domain (losing domain access). One disappeared during the lunch break today. 5 steps taken to resolve it:
1)    Confirmed the deleted object (from today at lunch) existed in the Deleted Objects container.
      I used Ldp.exe to search the domain for deleted objects. To use Ldp to search the domain for deleted objects (tombstones):
      1.  On the Start menu, click Run, and then type ldp.
      2.  Connect and bind to a domain controller in the domain whose tombstones you want to retrieve.
          • To connect, on the Connection menu, click Connect, and then type a server name and a port number.
          • To bind, on the Connection menu, click Bind, and then type an account name, password, and domain if you want to connect to a domain other than the domain to which you are currently logged on.
      3.  On the Browse menu, click Search.
      4.  In the Search dialog box, for Base DN, type the distinguished name of the domain whose tombstones you want to retrieve.
      5.  In the Filter box, use the filter (isDeleted=*).
      6.  Under Scope, click Subtree.
      7.  Click Options.
      8.  In the Search Options dialog box, under Search Call Type, click Extended.
      9.  Click Controls. Then in the Object Identifier box, type the following: 1.2.840.113556.1.4.417
      10. Under Control Type, click Server.
      11. To add the control to the Active Controls list, click Check in. Then click OK.
      12. In the Search Options dialog box, click OK.
      13. In the Search dialog box, click Run.

2)    Used the repadmin /showobjmeta command with the deleted object's DN found in ldp.exe

Syntax

        repadmin /showobjmeta [DSA_LIST] <Object DN> [/nocache] [/linked]

Here's the command I used (with quotes around the Object DN because of the spaces in the name):

        repadmin /showobjmeta "CN=macX\0ADEL:bfe5e5d0-3f16-4897-9f2f-3691adeea02a,CN=Deleted Objects,DC=mydomain,DC=com"
 
3)    Confirmed the Originating DSA on the "isDeleted" entry, along with the date and time the attribute action was done.
“The originating DSA is a GUID that identifies the domain controller that performed the originating write.”
“You can see all three components of the stamp in output from the repadmin /showmeta command. The column labeled "Ver" contains the version, the column labeled "Org. Time/Date" contains the originating time, and the column labeled "Originating DSA" contains the originating DSA (expressed as "site\server" rather than GUID).”
4)    Logged onto that domain controller and checked the Event Viewer Security log with the timestamp from the repadmin output.
      Found a Windows Security Event Log 4743: A Computer Account Was Deleted, with a specific domain account name associated with the action.
      Subject: the user and logon session that performed the action.
        • Security ID: the SID of the account.
        • Account Name: the account logon name.
        • Account Domain: the domain or, in the case of local accounts, the computer name.
        • Logon ID: a semi-unique (unique between reboots) number that identifies the logon session. The Logon ID lets you correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
      Target Computer:
        • Security ID: SID of the account
        • Account Name: name of the account
        • Account Domain: domain of the account

5)    Traced the issue to our MDM Active Directory profile.

The MDM was trying to push the AD profile to the Macs in its associated Smart Group, using the same account credentials shown in the Security Event log entry. This profile wasn't working correctly to begin with (it was not downloading successfully to devices), and it appeared that either it had begun unjoining the Macs in the associated Smart Group, or it was causing distrust on the domain controller, which supposedly may have deleted the computer.
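The same investigation as steps 1 through 4 scripted in PowerShell, as an added example that is not part of the original post: it finds the tombstone, reads the originating DSA and time from the isDeleted replication metadata (the columns repadmin /showobjmeta prints), pulls the matching 4743 from that DC, and follows the Subject's Logon ID to the 4624 that opened the session. It assumes the RSAT ActiveDirectory module and Domain Admin rights; $ComputerName is a placeholder.

```powershell
# Added example, not from the original post. $ComputerName is a placeholder.
param([string]$ComputerName = 'macX')
Import-Module ActiveDirectory

# Step 1: find the tombstone (Ldp shows it as CN=<name>\0ADEL:<guid>,CN=Deleted Objects,...).
$tomb = Get-ADObject -Filter "isDeleted -eq `$true -and objectClass -eq 'computer' -and name -like '$ComputerName*'" `
            -IncludeDeletedObjects -Properties objectSid, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending | Select-Object -First 1     # most recent deletion wins
if (-not $tomb) { throw "No deleted computer object named $ComputerName*" }
$sid = $tomb.objectSid.Value

# Steps 2-3: the isDeleted replication metadata carries the originating DSA and time,
# the same 'Originating DSA' and 'Org. Time/Date' columns that repadmin /showobjmeta prints.
$meta = Get-ADReplicationAttributeMetadata -Object $tomb.DistinguishedName -Server (Get-ADDomain).PDCEmulator `
            -IncludeDeletedObjects -Properties isDeleted
# The identity is the NTDS Settings DN (CN=NTDS Settings,CN=<DC>,CN=Servers,...); it is only a GUID if that DC is gone.
$dcName = ($meta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN='
$dcHost = (Get-ADDomainController -Identity $dcName).HostName
$when   = $meta.LastOriginatingChangeTime

# Step 4: on that DC, the 4743 around that time whose Target SID is the tombstone's SID.
$events = Get-WinEvent -ComputerName $dcHost -ErrorAction SilentlyContinue -FilterHashtable @{
              LogName='Security'; Id=4743; StartTime=$when.AddMinutes(-5); EndTime=$when.AddMinutes(5) }
foreach ($e in $events) {
    $d = @{}; ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetSid -ne $sid) { continue }
    # The Subject's Logon ID ties the deletion to the 4624 that opened that session (source address, logon type).
    $l = @{}
    $logon = Get-WinEvent -ComputerName $dcHost -ErrorAction SilentlyContinue -FilterHashtable @{
                 LogName='Security'; Id=4624; Data=$d.SubjectLogonId; StartTime=$when.AddDays(-1); EndTime=$when } |
             Where-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetLogonId').'#text' -eq $d.SubjectLogonId } |
             Select-Object -First 1
    if ($logon) { ([xml]$logon.ToXml()).Event.EventData.Data | ForEach-Object { $l[$_.Name] = $_.'#text' } }
    [pscustomobject]@{
        Deleted         = $e.TimeCreated
        OriginatingDC   = $dcHost
        Subject         = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # in the post this was the MDM's AD account
        LogonId         = $d.SubjectLogonId
        LogonType       = $l.LogonType
        SourceAddress   = $l.IpAddress
        LastKnownParent = $tomb.lastKnownParent
    }
}
```

If several Macs vanish, run this per name and compare the Subject and SourceAddress columns: one service account deleting from one address, as in this post, points at an automation such as the MDM rather than at a person.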



SOURCES:
Viewing Deleted Objects in Active Directory:  https://support.microsoft.com/en-us/kb/258310
Tracking Active Directory Updates:  https://technet.microsoft.com/en-us/library/cc961798.aspx