Restore an account from AD
Today I ran into a situation where someone accidentally deleted an account. It is pretty easy to solve something like that when you have the right tools.
For this recipe, you will need:
- adrestore, a great Sysinternals tool from our friend Mark
- Admin rights on AD, to perform what you have to do
For your sake, AD keeps deleted records for 30 days by default. If it was an important account, there is a good chance you will notice it is missing before the 30 days are up. Past those 30 days, you will need to use the "standard authoritative" AD backup/restore method.
Your application using the deleted account will complain and a query on AD reveals it is not there. Not a problem, just follow the 4 easy steps below:
1. Restore the missing account
adrestore.exe -r MissingAccount
Enumerating domain deleted objects:
cn: MissingAccount
DEL:eab4d5e6-493b-4a64-aae8-360e730a5938
distinguishedName: CN=MissingAccount\0ADEL:eab4d5e6-493b-4a64-aae8-360e730a5938,CN=Deleted Objects,DC=rgare,DC=net
lastKnownParent: OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net
Do you want to restore this object (y/n)? y
Restore succeeded.
Found 1 item matching search criteria.
2. Query to check its existence
dsquery user -name MissingAccount
"CN=MissingAccount,OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net"
3. Reset the password, as the restored account comes back with an empty one (Password below stands for the new password; use * instead to be prompted for it)
net user MissingAccount Password /domain
4. Activate Account
dsquery user -name MissingAccount | dsmod user -disabled no
dsmod succeeded:CN=MissingAccount,OU=Service Accounts,OU=Users,OU=Montreal (MTL),DC=COMPANY,DC=net
At this point, in under 3 minutes, the deleted account is restored and ready to be used. It even kept its SID, but a tombstone only retains a handful of attributes, so you will have to repopulate the others, such as Description, group memberships and so on.
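The same four steps with the ActiveDirectory PowerShell module, as an added example that is not from the original post. It assumes the RSAT AD module is installed, that you have rights to reanimate objects, that the tombstone is still within its lifetime, and that Restore-ADObject reanimates a plain tombstone the way adrestore does (restoring only the attributes the tombstone kept); the account name is a placeholder.

```powershell
# Added example (not from the original post): restore a tombstoned account
# with the ActiveDirectory module instead of adrestore/dsquery/net.
Import-Module ActiveDirectory

$Name = 'MissingAccount'   # placeholder account name

# 1. Find the tombstone. -IncludeDeletedObjects makes the Deleted Objects
#    container visible (the LDAP "show deleted" control adrestore relies on).
$Tombstone = Get-ADObject -Filter { sAMAccountName -eq $Name -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, objectSid, whenChanged
if (-not $Tombstone) { throw "No deleted object named $Name found." }

# Check before restoring: it is the object you expect, it goes back to the
# right OU, and the SID is the one the application's ACLs still reference.
# The SID comes back live, so every ACE granted to it is effective again.
$Tombstone | Format-List Name, ObjectGUID, objectSid, lastKnownParent, whenChanged

# 2. Reanimate it into its last known parent, then confirm it exists again.
Restore-ADObject -Identity $Tombstone.ObjectGUID -TargetPath $Tombstone.lastKnownParent
$User = Get-ADUser -Identity $Name

# 3. The tombstone keeps no password, so set a new one. Prompting keeps the
#    password out of the console history, unlike passing it on the command line.
$NewPassword = Read-Host -AsSecureString -Prompt "New password for $Name"
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword

# 4. Re-enable the account.
Enable-ADAccount -Identity $User

# List what did NOT survive the tombstone (Description, group memberships,
# and other non-retained attributes) so it can be repopulated by hand.
Get-ADUser -Identity $Name -Properties Description, MemberOf, PasswordLastSet |
    Format-List Name, SID, Enabled, PasswordLastSet, Description, MemberOf
```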