RE: [ActiveDir] Strange deleted object issue

[joe]

Correct, limit search to the deleted objects container when possible. Some objects (objects marked with systemflags & 0x02000000 which is still misdocumented as something that will be deleted immediately though I have submitted multiple changes for it...) will not be moved upon delete. They will stay in their current container.   However, note, I just tested (should have done this before) and it won't let me create a user with that flag (the bit gets cleared) so it looks like users should always go to the DO container. I expect if I looked at the source I would see a handy XOR op clearing any bits MSFT doesn't want set on systemflags for user objects and that would be one of them.     joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 12, 2006 6:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange deleted object issue My understanding was also to limit the search base to “CN=Deleted Objects,DC=univ-lyon1,DC=fr" … ?   :m:dsm:cci:mvp  marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Thursday, January 12, 2006 3:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange deleted object issue   Hi joe,   Just for my understanding, the command would be, using my previous example:   adfind -b "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" -showdel -f "&(isdeleted=TRUE)(name=yann*)" . Right ?   It try it and endeed, that works faster than dumping the whole deleted users in a file....   "The whatever* is necessary for the object rename that occurs.There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". ..."  if i well understand, if i do not use (name=yann*) the command would probably not find yann because in some situation the user could not be,bydefault, in the deleted objects container ? Right ? If i misunderstand could you explain me again ?   thanks joe.   Yann size=2 width="100%" align=center tabIndex=-1> De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de joe Envoyé : jeudi 12 janvier 2006 01:52 À : ActiveDir@mail.activedir.org Objet : RE: [ActiveDir] Strange deleted object issue Note that the adfind query will be a trifle slow as that is going to have to walk every object in the directory, in larger orgs that could easily time out so you will want to add the -t 0 option to specify unlimited timeout.   If you know the name of the object when looking for it, I recommend sticking to the NC it existed in and then use something like   adfind -b Deleted_Objects_for NC_DN -showdel -f "&(isdeleted=TRUE)(name=whatever*)"   The whatever* is necessary for the object rename that occurs. There are some objects that don't go to the deleted objects container but instead remain in the container they were in when "deleted". This mostly occurs on site type objects in the config though, I have not seen a user configured that way though I don't think there is anything preventing it but someone would have had to have known how to pull it off.   I haven't gone through this entire extensive thread but I think it is about a missing user. There are a couple of things it could be   1. User isn't missing, simply renamed. Without GUID of old object, good luck figuring out which object it is now. 2. User isn't missing, simply moved to another domain. 3. Object was deleted and the search for it isn't being done properly or possibly this is in combination with 1and/or 2 above. 4. User was deleted and person searching doesn't have rights to see deleted objects (easy to test). 5. Object was a dynamic object and timed out and went away. Doubtful it occurred here. Nothing would lead me to believe that someone was up on that capability enough to do it.   I would start by doing the search as I indicated above. If nothing found, I would dump all deleted user objects and look at them. If that doesn't come up with it, I would expect someone renamed it and possibly moved to another domain.   Oh in specific reference to this   "that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work. i could be wrong.."   That is incorrect, you can use the <GUID=blah> format to see deleted objects. That is just a DN format that AD accepts period. Make note that 2K doesn't do this as nicely as K3. I.E. You would have to use "<GUID=de52f5e3cbe996419037a039121df280>" instead of "<GUID=E3F552DE-E9CB-4196-9037-A039121DF280>". Also note that if you can find the object with adfind, use -extname and it will kick out the extended SID and GUID names of the objects for you.   I would honestly stop worrying about ldp and repadmin and just sit down and find the object with adfind. If it is there and the person doing the searching has permissions, they should be able to find it.     joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Wednesday, January 11, 2006 4:13 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange deleted object issue Hi Tom, i used the following:   if the user yann is deleted from AD:   1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt  to list all deleted users in del.txt (the -gc query the GCs, i found it much faster to query gcs than dcs). 2) search for your user yann and pickup it's DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr". 3) type  repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted"  to localize the DC in which the deletion occured. Ex: here is the result of the command:   17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted You can see that the deletion occured at 10:37:11 AM the  2005-10-27 on the DC "MYDC". 4) you can then use psloglist \\MYDC security -i 630 -a 10/27/05  which shows u all deleted accounts occured before the 10/27/05, or connect to MYDC to search in the event security log.   If you can not find your user at the time, it may be that an other domain admin has disabled the policy account applied by default, so you may see with your peers to confirm this.   hope it helps size=2 width="100%" align=center tabIndex=-1> De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Tom Kern Envoyé : mercredi 11 janvier 2006 01:24 À : ActiveDir@mail.activedir.org Objet : Re: [ActiveDir] Strange deleted object issue that wont work. You have to restore(reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work. i could be wrong..     Besides this won't help me figure out who deleted it or why the audit wasn't logged.     p.s.- i have the Forestry book and think its great and well worth the hefty price.     On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote: If I recall, he reset the permissions on the ou/container which holds the deleted objects then you could query it with out reanimating anything. -----Original Message----- From: Tom Kern <[EMAIL PROTECTED]> Date: Tue, 10 Jan 2006 17:03:11 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange deleted object issue I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID. The deletion occured in a Win2k forest. I think what you are talking about you can only do in a WIn2k3 DFL forest. Besides, that will only tell me the DC and time the isDeleted attrib was set. It wont tell me the user or process that deleted it. thats what i really need and as my DC's seem to mysteriously stopped logging event id 630 or 565, i'm screwed. thanks alot On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote: Use repadmin to check the objects metadata, can usually find the DC where the deletion occured and also who did it. The Active Directory forestry book by john craddock is an excellent resource for this type of AD audit. -----Original Message----- From: Tom Kern <[EMAIL PROTECTED] > Date: Tue, 10 Jan 2006 15:53:18 To:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange deleted object issue It logged the creation/deletion. My question is- i've always had this policy set and yet an account got deleted last nite and i can't find any record of it. the security logs have not been cleared and are set to stay for 7 days. still i know a user account ended up in the deleted objects container with a whenChanged date of 20060109202458. someone/thing must have deleted it and there is no entry in the event logs of any DC. what gives? Thanks On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED] > wrote: Create a user account, then delete it. Note which DC you're connected to for the delete, then check the security log on that DC. Look at all of the events around the time you deleted the account so that you'll know what is actually getting logged. From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Tuesday, January 10, 2006 1:23 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange deleted object issue Yes. Thanks. I just have 2 issues. 1. I don't understand why i get that error in ldp when i enter the oid control for deleted objects 2. Most importantly, i had audit account management enabled for sucess and failure on my domain controllers ou and auditing enabled for everyone for everything on the entire domain object, yet when i use evencombMT to scan for an event id 630 in the security log, i get nothing. this account was deleted last nite so something should show up with this auditing enabled, no? do i have to set some other security policy like audit directory service access as well? I figured account management should cover deleting a user object. Thanks On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote: I've deleted the rest of the thread already, but did you not already say you found him in the deleted items using ADFIND -showdel? Or did I misread that and you're still looking for him? On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote: I'm just using ADUC and searching by sAMAccountName. With LDP, i'm looking in Deleted Objects container but this company never deletes users accounts, just disables them indefinetly so all i see in that container are linkTrackOMTEntry objects. How can i see if the user was renamed? I got a call from help desk that this user couldn't log in and they couldn't find him in AD using ADUC which i confirmed. he's been witht the corp for 5 years and i was assured he always had an account. Thanks On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote: how do you know he's missing exactly?  I mean, are you sure the account wasn't changed for example?  Maybe renamed somehow? When you search, how are you searching exactly? On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote: I have this weird issue- A user object is missing from my win2k native mode domain. I know because this user has complained that he can't log in and i can't find the object anywhere in AD. I've checked the deleted objects container in AD with ldp and he is not in there as well. He's not in the Lost and Found container either. His exchange mailbox is oprhaned in ESM. Sometime last nite this user was deleted but i have no way of finding him.  we don't have auditing turned on for that but i figured if an object was deleted it would definetely be in the deleted objects container. is there anyway to bypass that? where else can i look? Any help would be great because this is just plain bizzare. Thanks List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/