Tracking OU Delete

[Chad Dollins]

Hi, I have W2K DC and someone deleted an ou that contained 500 computer
accounts in it. There were no proper backups of the directory because a
malfunctioning tape drive. We are rebuilding the ou from scratch visiting
each PC disjoining and rejoining the PC's to the DC.

First of all is there a faster way to do this rejoin task and can it be
automated? Maybe a third-party utility that can use host records to rejoin
or am I doomed to visit each computer and perform the disjoin (5 min) &
rejoin (5 min).

Second is there a good third party utility out there used to track the
logging information and pin point the responsible party for the deletion of
such an important OU.

--Chad

 

[Ace Fekay [MVP]]

In

Hi, I have W2K DC and someone deleted an ou that contained 500
computer accounts in it. There were no proper backups of the
directory because a malfunctioning tape drive. We are rebuilding the
ou from scratch visiting each PC disjoining and rejoining the PC's to
the DC.
First of all is there a faster way to do this rejoin task and can it
be automated? Maybe a third-party utility that can use host records
to rejoin or am I doomed to visit each computer and perform the
disjoin (5 min) & rejoin (5 min).

Second is there a good third party utility out there used to track the
logging information and pin point the responsible party for the
deletion of such an important OU.

--Chad

You can use a script to disjoin/join, but the p roblem remains that you need
to take care of everyone's profiles. I would just enter the computer names
instead of joining/disjoining. I believe that should work.

About the deletion, does your administrators have their own administrator
accounts or are they using the default administrator account? If using the
default, there will be no way to tell. If using their own accounts that are
administrators, which we usually recommend creating two accounts for each
admin, a plain Jane user account, and an administrative account, and enable
auditing, and audit directory service access and account logon events in
the Domain Controllers Group Policy. Then go into the domain's properties,
Security tab, Advanced, Auditing Tab, and select delete success and
failures. Results show up in the Security log in Event viewer.

If everyone is using the default admin account, then it's useless.

Do you have an older backup copy under 60 days old?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================

 

[Chad Dollins]

"Ace Fekay [MVP]"

In

You can use a script to disjoin/join, but the p roblem remains that you
need to take care of everyone's profiles. I would just enter the computer
names instead of joining/disjoining. I believe that should work.

I believe that all users have roaming profiles, so I'm not to worried about
the profile issue that you mentioned, unless I am not understanding what you
mean by profile. From my understanding the issues is that a new local
profile will be created for the user and none of the old local profile
information will be availble for new the profile that is created when a new
domain join occurs. Please enlighted me here if a roaming profile will not
solve the problem of rejoining a domain.

Furthermore, one of my first attempts to reconstruct our directory was to
make a computer in the OU with the same name, I even tried to create a
managed computer with a guid that I captured at boot from the pxe nic. The
computer didn't seem to respond to this and failed to authenticate to the
domain saying the domain was not available. If you know that you can create
an object in the directory with same name as the computer and the computer
will reassociate for sure, I will give this another shot, but my feeling is
that this not the case. What would be a good procedure here?

About the deletion, does your administrators have their own administrator
accounts or are they using the default administrator account? If using the
default, there will be no way to tell. If using their own accounts that
are administrators, which we usually recommend creating two accounts for
each admin, a plain Jane user account, and an administrative account, and
enable auditing, and audit directory service access and account logon
events in the Domain Controllers Group Policy. Then go into the domain's
properties, Security tab, Advanced, Auditing Tab, and select delete
success and failures. Results show up in the Security log in Event viewer.

Editing Audit Logs
Is there away that the individual could have deleted this log, and if so is
there a way to tell if this has happened. Someone told me to get a thrid
party utility to view directory logging such as this, but I've had no luck
in finding such a utility any suggestions would be much appreciated. A tool
like this seems like it would be of great value to IT security.

If everyone is using the default admin account, then it's useless.

Do you have an older backup copy under 60 days old?

Aparently the tape drive used for backing up the DC's were bad or the
operator misused them and rendered all tape backups useless for more than 60
days.
As of now we are stuck with the manual reconstruction of the Directory.

Thanks for your feedback.

--Chad

 

[Ace Fekay [MVP]]

In

I believe that all users have roaming profiles, so I'm not to worried
about the profile issue that you mentioned, unless I am not
understanding what you mean by profile. From my understanding the
issues is that a new local profile will be created for the user and
none of the old local profile information will be availble for new
the profile that is created when a new domain join occurs. Please
enlighted me here if a roaming profile will not solve the problem of
rejoining a domain.

Roaming profiles should take care of it.

Furthermore, one of my first attempts to reconstruct our directory
was to make a computer in the OU with the same name, I even tried to
create a managed computer with a guid that I captured at boot from
the pxe nic. The computer didn't seem to respond to this and failed
to authenticate to the domain saying the domain was not available. If
you know that you can create an object in the directory with same
name as the computer and the computer will reassociate for sure, I
will give this another shot, but my feeling is that this not the
case. What would be a good procedure here?

Domain not available? If the computer account it corrupted or out of sync,
you'll get another message about the computer account having a problem. My
feeling on this is that you may have a DNS misconfiguration either on the
DCs and/or your clients.

Can you post the exact message?
Can you post an *unedited* ipconfig /all please from the DC and from one of
your clients?

Editing Audit Logs
Is there away that the individual could have deleted this log, and if
so is there a way to tell if this has happened. Someone told me to
get a thrid party utility to view directory logging such as this, but
I've had no luck in finding such a utility any suggestions would be
much appreciated. A tool like this seems like it would be of great
value to IT security.

If Auditing on the Domain Controller Security Policy is set to log System
Events, then Event ID# 517 is generated when someone deletes a log:
http://www.eventid.net/display.asp?eventid=517&eventno=55&source=Security&phase=1

There are other 3rd party tools to help you as well, such as centralizing it
and making it easier to understand what the events are, besides the link I
just posted above. Just google for " event logs auditing". I found a few
that way.

Aparently the tape drive used for backing up the DC's were bad or the
operator misused them and rendered all tape backups useless for more
than 60 days.
As of now we are stuck with the manual reconstruction of the
Directory.
Thanks for your feedback.

--Chad

That is unfortunate, Chad.

Ace