AD Undelete 2008R2 (Access is Denied)

By SuperG - Last updated: Tuesday, April 3, 2012

In a previous blog post I wrote about deleted AD objects; this one touches on that a little.

This morning a colleague of mine had a request to undelete a computer that had been deleted from the network.

Using PowerShell he attempted to recover the object but got an "Access is Denied" error.


Now, he has no problems undeleting other objects, so it is not an issue with the Deleted Objects container itself, and the object was deleted recently enough that it has not aged out of the Recycle Bin (the deleted object lifetime defaults to 180 days).

In fact he obtained the ObjectGUID by running the first part of the recovery command (the search for the deleted object) using the object name. So he can see the deleted object; he just can't restore it. The account he is using is a Domain Admin account, so why is he getting the Access is Denied message?

Not having all the information about the object from before it was deleted, I decided to see whether I could find out a little more about it. The Deleted Objects container is hidden from most AD tools, but you can use LDP.exe to see its contents.

Start ldp.exe as an administrator.

Use the Connection menu in LDP to connect and bind to a domain controller (bind as the currently logged-on user; because LDP was started as administrator, that is the elevated account).

On the Options menu, click Controls. In the Load Predefined list, click Return Deleted Objects.

Note: the 1.2.840.113556.1.4.417 control (LDAP_SERVER_SHOW_DELETED_OID) moves to the Active Controls window. Under Control Type, click Server, and then click OK.

On the View menu, click Tree, type the distinguished name path of the Deleted Objects container in the domain where the deletion occurred, and then click OK.

Note: the distinguished name path is also known as the DN path. For example, if the deletion occurred in the contoso.com domain, the DN path would be:

CN=Deleted Objects,DC=contoso,DC=com

In the left pane of the window, double-click the Deleted Objects container.

Note: an LDAP search returns only 1000 objects by default (the MaxPageSize LDAP policy). If more than 1000 objects exist in the Deleted Objects container, not all of them appear. If your target object does not appear, you can raise MaxPageSize with ntdsutil (LDAP policies), but a better option is to browse directly to the DN of the object you are looking for. The CN of a deleted object is its old name followed by \0ADEL: and the ObjectGUID.

Example:

CN=ComputerName\0ADEL:ce1dcaee-3041-4ece-aa9b-5fc3982d1afc,CN=Deleted Objects,DC=contoso,DC=com


This shows a lot more about the object, including where it came from: the lastKnownParent attribute holds the DN of the container the object was in when it was deleted. That matters for the restore, because Restore-ADObject puts the object back under lastKnownParent unless you give it a different -TargetPath, so it is the permissions on that container, not on Deleted Objects, that the restoring account needs.


Looking at this OU, I found that for some reason Domain Admins had been removed from the OU. After restoring the permissions, my colleague was able to recover the object.
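As an added example (this is not code from the original post), the PowerShell below does from the console what the LDP walkthrough does, and adds the check that would have found this problem up front: it locates the deleted computer with Get-ADObject -IncludeDeletedObjects, reads lastKnownParent, inspects that container's ACL and the Reanimate Tombstones right on the domain, and only then calls Restore-ADObject, surfacing an Access is Denied rather than hiding it. It assumes the ActiveDirectory RSAT module, a forest with the Recycle Bin enabled, and a session running as the account that will do the restore; ComputerName and contoso.com are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT) is loaded, the forest has the AD Recycle Bin enabled, and the
# session runs as the account that will perform the restore.
Import-Module ActiveDirectory

$computerName = 'ComputerName'          # placeholder: computer name without the trailing $
$sam          = "$computerName`$"       # computer accounts have sAMAccountName "NAME$"
$domainDN     = (Get-ADDomain).DistinguishedName

# 1. Find the deleted object. -IncludeDeletedObjects is the PowerShell equivalent
#    of LDP's "Return Deleted Objects" control (OID 1.2.840.113556.1.4.417).
#    sAMAccountName survives deletion, so it is a safer key than the mangled
#    CN ("ComputerName\0ADEL:<guid>").
$candidates = @(Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $sam } `
                   -IncludeDeletedObjects `
                   -Properties lastKnownParent, whenChanged, objectClass, 'msDS-LastKnownRDN')

if ($candidates.Count -eq 0) {
    throw "No deleted object with sAMAccountName $sam found (aged out of the Recycle Bin, or never existed)."
}
if ($candidates.Count -gt 1) {
    # The same name may have been deleted more than once; disambiguate by GUID.
    $candidates | Format-Table Name, ObjectGUID, whenChanged, lastKnownParent -AutoSize
    throw "More than one deleted object matches; pick one ObjectGUID and restore it directly."
}
$deleted = $candidates[0]
$target  = $deleted.lastKnownParent
Write-Host "Found $($deleted.DistinguishedName)"
Write-Host "lastKnownParent: $target"

# 2. The restore goes back under lastKnownParent unless -TargetPath is given, so
#    that container must still exist.
try {
    $null = Get-ADObject -Identity $target -ErrorAction Stop
} catch {
    throw "lastKnownParent $target no longer exists; restore with -TargetPath to another OU instead."
}

# 3. Inspect the container ACL through the AD: drive the module provides. The
#    restoring account needs Create Child here; Domain Admins normally has it
#    through the default OU security descriptor, and its absence is exactly the
#    situation the post describes.
$acl = Get-Acl -Path "AD:\$target"
$da  = $acl.Access | Where-Object { $_.IdentityReference -like '*\Domain Admins' }
if (-not $da) {
    Write-Warning "Domain Admins has no ACEs on $target; Restore-ADObject will fail with Access is Denied."
} else {
    $da | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# 4. Reanimating a tombstone also needs the "Reanimate Tombstones" control access
#    right (rightsGuid 45ec5156-db7e-47bb-b53f-dbeb2d03c40f) on the domain NC head.
$ncAcl  = Get-Acl -Path "AD:\$domainDN"
$reanim = $ncAcl.Access | Where-Object {
    $_.ObjectType -eq [guid]'45ec5156-db7e-47bb-b53f-dbeb2d03c40f' -and
    $_.AccessControlType -eq 'Allow'
}
Write-Host "Principals holding Reanimate Tombstones on ${domainDN}:"
$reanim | Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize

# 5. Restore by GUID and show the failure cause instead of a bare error.
try {
    Restore-ADObject -Identity $deleted.ObjectGUID -ErrorAction Stop
    Get-ADComputer -Identity $computerName | Select-Object Name, DistinguishedName, Enabled
} catch {
    if ($_.Exception.Message -match 'Access is denied') {
        Write-Error ("Access is denied restoring $($deleted.ObjectGUID): check Create Child on $target " +
                     "and the Reanimate Tombstones right on $domainDN for the account running this.")
    } else {
        throw
    }
}
```

Run it as the account that is going to do the restore, since step 3 and step 4 only answer the question for the principals whose ACEs you look at; if the account is a Domain Admin and the Domain Admins entry is missing from the lastKnownParent container, that is the Access is Denied the post ran into, and adding the permission back (or restoring with -TargetPath to an OU where the account does have Create Child) is the fix.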
Super G
