Recovering OU from CN=Deleted Objects

Guest

I have googled myself crazy trying to find the answer to this. Before offering a solution, please keep in mind the tape backup that would make this really easy was somehow corrupted.

I deleted an OU that contained 60 accounts. None of the accounts were ever used on the domain. The usernames that were used are now currently needed (using alternate account names is for various reasons not a possible solution). The tombstone period is well expired.

If I add a username (from the 60) to an AD group or a shared folder, I can see their name, and the account is listed in the OU that was actually deleted, though it errors out saying the object cannot be found when trying to "apply". If I search for one of the accounts, it can only be found when "entire directory" is where the search is performed.

Using LDP I can see the contents of CN=Deleted Objects. The OU is there, but the individual accounts are not (I am assuming they are not each enumerated). I tried "adrestore exe" from http://www.sysinternals.com/ntw2k/source/misc.shtml however the OU is the ONLY object not offered as a possible restore (a shortcoming of the vb prog used I believe but I am not yet talented enough to make the necessary change...this is one for the folks in SDK).

I tried using LDP to change the DN from
OU=Students\0ADEL:18b7e00e-3ba4-4029-8474-cf3185ed8703,CN=Deleted Objects,DC=<childDomain>,DC=<mydomain>,DC=co
to
OU=Students,CN=Deleted Objects,DC=<childDomain>,DC=<mydomain>,DC=co
but the error said: Error: ModifyRDN: No Such Object. <32
I could of course be formatting that wrong.

The data is there, so there has to be a way to restore it (keeping in mind the tape is no good).

TIA for any help
(e-mail address removed)
 
Guest

I forgot to add that, if deleting the OU from the CN=Deleted Objects would allow me to then create the usernames again, I would be more than happy with that solution.

How does one "flush" the stuff in CN=Deleted Objects?
 
Deji Akomolafe

You need to do an authoritative restore and restore only the OU object. Of
course you need a System State backup that goes back to BEFORE the deletion.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241594 tells you
EXACTLY how.

HTH

Deji

Burchette said:
I have googled myself crazy trying to find the answer to this. Before
offering a solution please keep in mind the tape backup that would make this
really easy was somehow corrupted.
I deleted an OU that contained 60 accounts. None of the accounts were
ever used on the domain. The usernames that were used are now currently
needed (using alternate account names is for various reasons not a possible
solution). The tombstone period is well expired.
If I add a username (from the 60) to an AD group or a shared folder I can
see their name and account is listed in the OU that was actually deleted,
though it errors out saying the object can not be found when trying to
"apply". If I search for one of the accounts It can only be found when
"entire directory" is where the search is performed.
Using LDP I can see the contents of CN=Deleted Objects. The OU is there,
but the individual accounts are not (I am assuming they are not each
enumerated). I tried "adrestore exe" from
http://www.sysinternals.com/ntw2k/source/misc.shtml however the OU is the
ONLY object not offered as a possible restore (a shortcoming of the vb prog
used I believe but I am not yet talented enough to make the necessary
change...this is one for the folks in SDK).
 
Guest

Thank you for your reply. However, I did mention that I do not have a tape backup that can be used for this purpose.

I am now wondering if there is a way to change the isDeleted flag on the object and if that will effectively allow for it to be moved out of the Deleted Objects container.
 
Kevin Bowersock

--------------------
| Subject: RE: Recovering OU from CN=Deleted Objects
| Date: Tue, 6 Jan 2004 11:36:23 -0800
| I forgot to add that, If deleting the OU from the CN=deleted Objects
would allow me to then create the usernames again I would be more than
happy with that solution.

How does one "flush" the stuff in CN=Deleted Objects?

=====================================
|
198793 The Active Directory Database Garbage Collection Process
http://support.microsoft.com/?id=198793

Talks about setting your garbage collection to a lower value than the
nominal 60 days.
You could set this value down to a short interval and then let the garbage
collection "clean out" your deleted stuff.

A few things to note:
1. Start with a system save (even to a file if you have to).
2. You must have your Infrastructure master on a different DC than your
Global catalog for this to work.
3. If you set this value to a short time (say 1 or 2 days) you MUST get a
system state backup each day, because this is setting your "tombstone" to
that value.
4. It would be a good idea to remove the setting (returning it to the default
60 days) or set it to your desired tombstone life after you get your
deleted stuff cleaned out.


(e-mail address removed)
This posting is provided "AS IS"
with no warranties, and confers no rights
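
An added example, not code from any poster in this thread: it parses the mangled tombstone DN quoted in the first post (original RDN, then the escaped line feed `\0A`, `DEL:` and the objectGUID) and works out when garbage collection may purge it under the tombstone lifetime discussed in the last reply. The function names and the deletion and audit dates are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Tombstone RDN form: <attr>=<original name>\0ADEL:<objectGUID>
# ("\0A" is the LDAP string escape for the line-feed character).
_DEL_RDN = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<name>.*?)\\0ADEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)

# DN as quoted in the first post, placeholders included.
SAMPLE_DN = (r"OU=Students\0ADEL:18b7e00e-3ba4-4029-8474-cf3185ed8703,"
             r"CN=Deleted Objects,DC=<childDomain>,DC=<mydomain>,DC=co")

def split_dn(dn):
    """Split on commas not preceded by a backslash (enough for this DN form)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def parse_tombstone_dn(dn):
    """Return the original name, GUID and naming context, or None if not a tombstone."""
    rdns = split_dn(dn)
    m = _DEL_RDN.match(rdns[0])
    if not m or len(rdns) < 2 or rdns[1].lower() != "cn=deleted objects":
        return None
    return {
        "attr": m["attr"],
        "original_name": m["name"],
        "object_guid": m["guid"].lower(),
        "naming_context": ",".join(rdns[2:]),
    }

def triage(dn, deleted_at, now, tombstone_days=60):
    """Add the earliest purge time; 60 days is the default named in the thread."""
    info = parse_tombstone_dn(dn)
    if info is None:
        raise ValueError("not a tombstone DN: %r" % dn)
    info["gc_eligible_on"] = deleted_at + timedelta(days=tombstone_days)
    info["past_tombstone_lifetime"] = now >= info["gc_eligible_on"]
    return info

if __name__ == "__main__":
    # Constructed dates: the thread does not say when the OU was deleted.
    deleted = datetime(2003, 9, 1, tzinfo=timezone.utc)
    audit = datetime(2004, 1, 6, tzinfo=timezone.utc)
    for key, value in triage(SAMPLE_DN, deleted, audit).items():
        print(key, "=", value)
```
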
 
