Friday, June 23, 2017

Recover Deleted Active Directory Object

Today I needed to restore an object accidentally deleted from Active Directory Users & Computers.  There is likely another or more direct way to do this but this is what I did.

Here was my process after I was given the name of the computer needing recovery and approximate time it was deleted:

1)  Connect to the Event Viewer of the domain controller the object was just deleted from

  • Open Event Viewer
  • Go to menu "Action" and select "Connect to Another Computer..."
  • Check option to connect to "Another computer" and type the name of the domain controller & click OK

2)  Filter the Security event log for the computer account deletion event and note the computer's SID

  • Click "Security" under "Windows Logs" in left pane
  • In right pane under "Actions" choose "Filter Current Log..."
  • Enter the event ID 4743 ("A computer account was deleted", task category "Computer Account Management") in the <All Event IDs> box
  • Check the events near the date and time reported by the tech (I believe you can sort further with other criteria, but I didn't have a lot of security events so it was just as easy to click on a few entries)
  • Located event with Target Computer Account Name matching the object's name followed by $
  • Copied the Security ID (SID) of the deleted computer given in the event (just above the Account Name)


3) Launch ldp.exe from an elevated (aka run as administrator) command prompt

  • Locate cmd.exe
  • Right click and "Run as administrator"
  • Type and then press enter: ldp.exe

4) Display the Deleted Objects container in Ldp.exe admin tool (taken from MS Technet, source listed at end of post)

  • On the "Options" menu, click "Controls"
  • In the "Controls" box, choose "Return deleted objects" from the "Load Predefined" drop-down menu
  • Connect and bind to the domain controller
    • Click "Connections" menu, click "Connect" and type the domain controller name
    • Click OK
    • Under "Connections" menu again, click "Bind" and choose "Bind as currently logged in user" (you'll need the proper rights to do this of course)
    • Click "View" menu, select "Tree" and for BaseDN type DC=<mydomain>,DC=<com> where <mydomain> and <com> are the appropriate names of your domain/AD DS environment
    • Double-click the root of the tree and find CN=Deleted Objects, DC=<mydomain>,DC=<com>, again where  <mydomain> and <com> are the appropriate names for your environment


5) Search in Ldp.exe for the SID

  • Click "Utilities" from the menu bar, and select "Sid lookup"
  • Enter or paste the SID from the Security event log found earlier in Step 2
  • Ldp.exe will return the current distinguished name of the object followed by SID, for example:

                CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com [S-1-5-21-1883794253-430958161-68370779-32434]

6) Restore the deleted computer to Active Directory Users and Computers (FYI you have to run Ldp.exe from an elevated command prompt to do this part, and must be a member of Domain Admins or equivalent to complete the procedure)

  • Right click in the results pane and select "Modify" in the popup menu
  • In DN, make sure the distinguished name for the object returned in the results list from the SID search is present (without the SID in brackets), for example (using name in example object above):

            CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com

  • In "Edit Entry Attribute" type isDeleted
  • Leave the "Values" box empty
  • Under "Operation" click Delete, and then click Enter button, just to the right
  • Now in "Edit Entry Attribute" replace isDeleted and type distinguishedName
  • In "Values" type the original distinguished name (aka DN) of the Active Directory object
  • Under "Operation" choose Replace
  • Check the box for Extended
  • Click Enter button again
  • Finally, click Run


7)  Check the results window for the ***Call Modify... entry to make sure the object was successfully modified


8)  Last, go into Active Directory Users and Computers and look for the restored object.
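The same recovery done from PowerShell with System.DirectoryServices.Protocols, added here as an example that is not part of the original post. It assumes the placeholder values $Dc, $ComputerName and $BaseDn, and rebuilds the original DN from the tombstone's lastKnownParent attribute instead of typing it in by hand as in step 6.

```powershell
# Added example, not part of the original post: steps 2, 5 and 6 done from PowerShell instead of the GUI.
# Placeholders to replace: $Dc, $ComputerName, $BaseDn (sample values mirror the post's example).
$Dc           = 'dc01.austec.com'     # domain controller the object was deleted on (placeholder)
$ComputerName = 'JenLaptop'           # computer object to recover (placeholder)
$BaseDn       = 'DC=austec,DC=com'    # base DN of your domain (placeholder)
$P = 'System.DirectoryServices.Protocols'

# Step 2: locate the 4743 "A computer account was deleted" event and read TargetSid from its XML body.
$evt = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4743 } |
    Where-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        ($d | Where-Object Name -eq 'TargetUserName').'#text' -eq "$ComputerName`$"
    } | Select-Object -First 1
if (-not $evt) { throw "No 4743 event for $ComputerName`$ found on $Dc" }
$sid = (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetSid').'#text'

# Steps 4-5: bind as the logged-on user (LDAP v3 is required for controls) and find the tombstone by SID.
Add-Type -AssemblyName $P
$conn = New-Object "$P.LdapConnection" -ArgumentList $Dc
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true
$conn.Bind()
$showDeleted = New-Object "$P.ShowDeletedControl"          # the "Return deleted objects" control in Ldp
$search = New-Object "$P.SearchRequest" -ArgumentList "CN=Deleted Objects,$BaseDn",
    "(&(isDeleted=TRUE)(objectSid=$sid))", 'OneLevel', ([string[]]@('lastKnownParent'))
$search.Controls.Add($showDeleted) | Out-Null
$tomb = $conn.SendRequest($search).Entries
if ($tomb.Count -ne 1) { throw "Expected exactly one tombstone for $sid, found $($tomb.Count)" }
$deletedDn  = $tomb[0].DistinguishedName     # CN=JenLaptop\0ADEL:<guid>,CN=Deleted Objects,DC=austec,DC=com
$originalDn = "CN=$ComputerName," + $tomb[0].Attributes['lastKnownParent'][0]   # where it lived before

# Step 6: the Ldp "Modify" dialog as one LDAP modify: delete isDeleted, replace distinguishedName,
# sent with the show-deleted control (what the "Extended" checkbox does in Ldp).
$delIsDeleted = New-Object "$P.DirectoryAttributeModification"
$delIsDeleted.Name = 'isDeleted'
$delIsDeleted.Operation = 'Delete'           # no values: removes the attribute entirely
$setDn = New-Object "$P.DirectoryAttributeModification"
$setDn.Name = 'distinguishedName'
$setDn.Operation = 'Replace'
$setDn.Add($originalDn) | Out-Null
$mod = New-Object "$P.ModifyRequest"
$mod.DistinguishedName = $deletedDn
$mod.Modifications.Add($delIsDeleted) | Out-Null
$mod.Modifications.Add($setDn) | Out-Null
$mod.Controls.Add($showDeleted) | Out-Null
$result = $conn.SendRequest($mod)
"Modify result for ${deletedDn}: $($result.ResultCode)"    # 'Success' = reanimated; confirm in ADUC (step 8)
```

Without the AD Recycle Bin enabled, a reanimated object comes back with only the attributes AD preserves on tombstones, so check its group memberships and other attributes afterwards.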



Sources:

Work with Event Logs on a Remote Computer - https://technet.microsoft.com/en-us/library/cc766438(v=ws.11).aspx
4743 - A Computer Account was Deleted - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4743
Viewing Deleted Objects in Active Directory - https://support.microsoft.com/en-us/help/258310/viewing-deleted-objects-in-active-directory
Restore a Deleted Active Directory Object - https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
How to Recover Deleted Object from Active Directory Using LDP.exe - http://techguyvijay.blogspot.com/2012/01/how-to-recover-deleted-object-from.html