Yeah adfind will look at deleted objects. Do a search like

adfind -showdel -b dc=domain,dc=com -f name=name*

So for instance if I am looking for the account joedeletetest:
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest*

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED])
February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>distinguishedName: CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330052811.0Z
>uSNCreated: 1773671
>isDeleted: TRUE
>uSNChanged: 1773678
>name: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 512
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>sAMAccountName: joedeletetest
>lastKnownParent: CN=Users,DC=joe,DC=com
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned

Note I was logged onto the domain I wanted to look in so I could shortcut -b dc=domain,dc=com with -default.
You will note that the name is the old name with \0ADEL:OBJECTGUID so you will need to say name*. You could also do samaccountname=userid if you want though.

whenChanged will tell you when it was deleted. If you have 2K3 you can look at the msDS-ReplAttributeMetaData which will tell you where the object was deleted.
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* msDS-ReplAttributeMetaData

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED])
February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>msDS-ReplAttributeMetaData: <DS_REPL_ATTR_META_DATA>
    <pszAttributeName>objectCategory</pszAttributeName>
    <dwVersion>2</dwVersion>
    <ftimeLastOriginatingChange>2005-03-30T05:28:11Z</ftimeLastOriginatingChange>
    <uuidLastOriginatingDsaInvocationID>d69be175-f343-4937-95d5-aa9efb2fa32b</uuidLastOriginatingDsaInvocationID>
    <usnOriginatingChange>1773678</usnOriginatingChange>
    <usnLocalChange>1773678</usnLocalChange>
    <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com</pszLastOriginatingDsaDN>
  </DS_REPL_ATTR_META_DATA>
>msDS-ReplAttributeMetaData: <DS_REPL_ATTR_META_DATA>
    <pszAttributeName>lastKnownParent</pszAttributeName>
    <dwVersion>1</dwVersion>
    <ftimeLastOriginatingChange>2005-03-30T05:28:11Z</ftimeLastOriginatingChange>
    <uuidLastOriginatingDsaInvocationID>d69be175-f343-4937-95d5-aa9efb2fa32b</uuidLastOriginatingDsaInvocationID>
    <usnOriginatingChange>1773678</usnOriginatingChange>
    <usnLocalChange>1773678</usnLocalChange>
    <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com</pszLastOriginatingDsaDN>
  </DS_REPL_ATTR_META_DATA>
<SNIP>
Just look at the originating DSA for the lastKnownParent attribute.

Also if you have 2K3, you can use admod to restore that ID back and maintain the current SID, however anything scrubbed in the delete process you will need to put back manually like group memberships, etc.
[Wed 03/30/2005 0:32:46.26]
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* -dsq |admod -undel

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED])
February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=joedeletetest\0adel:5ebbc64e-41ed-4e9d-9776-c13827a31197,cn=deleted objects,dc=joe,dc=com...

The command completed successfully

[Wed 03/30/2005 0:36:50.23]
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED])
February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest
>distinguishedName: CN=joedeletetest,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330053650.0Z
>uSNCreated: 1773671
>uSNChanged: 1773719
>name: joedeletetest
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 514
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: joedeletetest
>sAMAccountType: 805306368
>lastKnownParent: CN=Users,DC=joe,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned
joe
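Added example, not part of the thread and not one of Joe's tools: a small parser for the msDS-ReplAttributeMetaData values as adfind prints them, which applies the advice above by reading the originating DSA DN of the lastKnownParent write to name the DC the delete was issued against. The sample adfind output below is constructed from the thread's values.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: adfind output for the thread's tombstone with two of the
# msDS-ReplAttributeMetaData values (the real output carries one per attribute).
SAMPLE_ADFIND_OUTPUT = r"""
dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>msDS-ReplAttributeMetaData: <DS_REPL_ATTR_META_DATA>
  <pszAttributeName>objectCategory</pszAttributeName>
  <dwVersion>2</dwVersion>
  <ftimeLastOriginatingChange>2005-03-30T05:28:11Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>d69be175-f343-4937-95d5-aa9efb2fa32b</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>1773678</usnOriginatingChange>
  <usnLocalChange>1773678</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
>msDS-ReplAttributeMetaData: <DS_REPL_ATTR_META_DATA>
  <pszAttributeName>lastKnownParent</pszAttributeName>
  <dwVersion>1</dwVersion>
  <ftimeLastOriginatingChange>2005-03-30T05:28:11Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>d69be175-f343-4937-95d5-aa9efb2fa32b</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>1773678</usnOriginatingChange>
  <usnLocalChange>1773678</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
"""


def parse_repl_metadata(adfind_output):
    """Return {attribute name: metadata} for every DS_REPL_ATTR_META_DATA value
    in adfind's output, whether the XML was printed on one line or many."""
    found = {}
    for xml_text in re.findall(r"<DS_REPL_ATTR_META_DATA>.*?</DS_REPL_ATTR_META_DATA>",
                               adfind_output, re.S):
        node = ET.fromstring(xml_text)
        dsa_dn = node.findtext("pszLastOriginatingDsaDN")
        found[node.findtext("pszAttributeName")] = {
            "version": int(node.findtext("dwVersion")),
            "usn": int(node.findtext("usnOriginatingChange")),
            "when": datetime.strptime(node.findtext("ftimeLastOriginatingChange"),
                                      "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "dsa_dn": dsa_dn,
            # DSA DN is CN=NTDS Settings,CN=<DC name>,CN=Servers,...: 2nd RDN is the DC
            "dc": dsa_dn.split(",")[1].split("=", 1)[1],
        }
    return found


def where_deleted(adfind_output):
    """As the thread says: the DSA that originated the lastKnownParent write
    (stamped at tombstoning) is where the delete happened. Returns (dc, when)."""
    meta = parse_repl_metadata(adfind_output).get("lastKnownParent")
    return None if meta is None else (meta["dc"], meta["when"])
```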
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 10:56 AM
To: [email protected]
Subject: RE: [ActiveDir] Accounts disappearing from AD

How do you know when the accounts went missing?

Generally it would be a very bad thing for an account to go missing without a trace. I mean, at a minimum if it were deleted it would be stripped of attribute information and sent to the deleted objects graveyard. You would be able to look there and see the tombstoned items if that were the case using this method http://support.microsoft.com/?kbid=840001#6 .

I was thinking that some of Joe's tools would let you look at this as well, but can't remember at the moment.
Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: [email protected]
Subject: [ActiveDir] Accounts disappearing from AD

In the past 2 months I've had 4 accounts that have just disappeared without a trace from AD. I've turned up auditing on all my Domain controllers but I haven't been able to find anything relevant. I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but they have been fixed and none of the errors went past 60 days. I also don't have a lot of group policies running or scripts that run (I just recently inherited this environment); also I've made sure only a select few people have rights to the Directory. Has anyone seen this or had accounts that just seem to vanish? Thanks in advance.

Mike
