My understanding was also to limit the search base to "CN=Deleted Objects,DC=univ-lyon1,DC=fr" ... ?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN

Hi joe,

Just for my understanding, the command would be, using my previous example:

adfind -b "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" -showdel -f "&(isdeleted=TRUE)(name=yann*)"

Right? I tried it and indeed, that works faster than dumping all the deleted users in a file....

"The whatever* is necessary for the object rename that occurs. There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". ..."

If I understand well, if I do not use (name=yann*) the command would probably not find yann because in some situations the user could not be, by default, in the deleted objects container? Right? If I misunderstand could you explain it to me again?

Thanks joe.

Yann

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Note that the adfind query will be a trifle slow as that is going to have to walk every object in the directory; in larger orgs that could easily time out, so you will want to add the -t 0 option to specify unlimited timeout.

If you know the name of the object when looking for it, I recommend sticking to the NC it existed in and then use something like

adfind -b Deleted_Objects_for NC_DN -showdel -f "&(isdeleted=TRUE)(name=whatever*)"

The whatever* is necessary for the object rename that occurs. There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". This mostly occurs on site type objects in the config though; I have not seen a user configured that way, though I don't think there is anything preventing it, but someone would have had to have known how to pull it off.

I haven't gone through this entire extensive thread but I think it is about a missing user. There are a couple of things it could be:

1. User isn't missing, simply renamed. Without GUID of old object, good luck figuring out which object it is now.
2. User isn't missing, simply moved to another domain.
3. Object was deleted and the search for it isn't being done properly, or possibly this is in combination with 1 and/or 2 above.
4. User was deleted and person searching doesn't have rights to see deleted objects (easy to test).
5. Object was a dynamic object and timed out and went away. Doubtful it occurred here. Nothing would lead me to believe that someone was up on that capability enough to do it.

I would start by doing the search as I indicated above. If nothing found, I would dump all deleted user objects and look at them. If that doesn't come up with it, I would expect someone renamed it and possibly moved to another domain.

Oh, in specific reference to this:

"that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work. i could be wrong.."

That is incorrect, you can use the <GUID=blah> format to see deleted objects. That is just a DN format that AD accepts, period. Make note that 2K doesn't do this as nicely as K3. I.E. you would have to use "<GUID=de52f5e3cbe996419037a039121df280>" instead of "<GUID=E3F552DE-E9CB-4196-9037-A039121DF280>". Also note that if you can find the object with adfind, use -extname and it will kick out the extended SID and GUID names of the objects for you.

I would honestly stop worrying about ldp and repadmin and just sit down and find the object with adfind. If it is there and the person doing the searching has permissions, they should be able to find it.

joe
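The tombstone rename and the two <GUID=...> DN forms joe describes, as an added Python example (not code from the thread or from adfind); the DN, GUIDs and container are the values quoted in the thread, and the adfind command builder assumes the switches shown above. It also reverses the Windows 2000 hex form back to the dashed GUID, which the thread does not show.

```python
import re
import uuid

# Sample values are the ones quoted in the thread (constructed test data).
TOMBSTONE_DN = (r"CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,"
                "CN=Deleted Objects,DC=univ-lyon1,DC=fr")

# On deletion AD renames the object to "<name>\nDEL:<objectGUID>"; the LDAP
# string form escapes that line feed as \0A, which is what adfind prints.
_TOMBSTONE_RE = re.compile(
    r"^CN=(?P<name>.+?)(?:\\0A|\n)DEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"(?:,(?P<parent>.*))?$")

def split_deleted_dn(dn):
    """Return (original name, objectGUID, parent DN) for a tombstone DN."""
    m = _TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError("not a deleted-object DN: %r" % dn)
    return m.group("name"), m.group("guid").lower(), m.group("parent")

def deleted_object_filter(name):
    """LDAP filter for a tombstone by its pre-deletion name. The '*' is what
    joe insists on: an exact (name=yann) can never match "yann\\nDEL:..."."""
    return "(&(isDeleted=TRUE)(name=%s*))" % name

def adfind_tombstone_search(name, container, timeout=0):
    """adfind command line in the shape used in the thread: search base
    limited to the NC's Deleted Objects container, -showdel to return
    tombstones, -t 0 for an unlimited timeout (assumed switch usage)."""
    return 'adfind -b "%s" -showdel -t %d -f "%s"' % (
        container, timeout, deleted_object_filter(name))

def guid_dn(guid_str, legacy=False):
    """<GUID=...> DN form. Windows 2003 takes the dashed string; Windows 2000
    wants the raw objectGUID bytes as hex, i.e. little-endian field order,
    which is why the first three groups look byte-swapped in joe's example."""
    g = uuid.UUID(guid_str)
    return "<GUID=%s>" % (g.bytes_le.hex() if legacy else str(g).upper())

def guid_from_legacy_hex(hex32):
    """Reverse of the legacy form: 32 hex digits back to the dashed GUID."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex32)))

if __name__ == "__main__":
    name, guid, parent = split_deleted_dn(TOMBSTONE_DN)
    print(adfind_tombstone_search(name, parent))
    print(guid_dn(guid), guid_dn(guid, legacy=True))
```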
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN

Hi Tom,

I used the following, if the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt

to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) Search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) Type

repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted"

to localize the DC in which the deletion occurred. Ex: here is the result of the command:

17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) You can then use

psloglist \\MYDC security -i 630 -a 10/27/05

which shows you all deleted accounts that occurred before the 10/27/05, or connect to MYDC to search in the security event log.

If you cannot find your user at the time, it may be that another domain admin has disabled the policy account applied by default, so you may see with your peers to confirm this.

Hope it helps

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern

That won't work. You have to restore (reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work. I could be wrong..

Besides, this won't help me figure out who deleted it or why the audit wasn't logged.

p.s. - I have the Forestry book and think it's great and well worth the hefty price.
On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:

If I recall, he reset the permissions on the ou/container which holds the deleted objects, then you could query it without reanimating anything.