How to Restore Deleted Machine accounts\Active Directory ADRESTORE\Unicode-pwd\searchFlag

Within our production environment, an Admin accidentally deleted his Departmental OU in AD. This OU contained the machine accounts for a number of servers and desktops, and the delete left those orphaned machines unable to log in to the domain. There are several ways to restore the lost AD objects.

  • Perform an AD LDIF import (Not recommended)
  • From each workstation, remove and re-add the machines to the Domain (ugly)
  • Perform an AD Authoritative Restore – AD Restore Mode (uglier)
  • Perform an object restore using ADRESTORE (Recommended, but with prerequisites)

I recommend the last option; however, you must first prep your AD environment by setting a certain attribute within the AD Schema configuration.

The ADRESTORE tool is very useful, but in the case of deleted and then restored machine accounts there is one missing attribute that prevents a reanimated machine account from functioning.

By default a tombstoned object does not retain the password (Unicode-pwd), so the reanimated computer account’s password will not match the password held on the workstation. This is why you cannot log in to a workstation once its machine account has been deleted.

By changing the value of the searchFlag attribute on the Unicode-pwd schema object from 0 to 8, the Unicode-pwd will be preserved in the tombstoned object and will be present when the object is reanimated. (In other words, the machine account’s password will be restored along with the machine account when using ADRESTORE.) The searchFlag attribute’s value can be adjusted with ADSI Edit, on the Unicode-pwd object in the schema naming context. Once the object is restored, all that is left is to “Enable” the machine within AD. You should not have to touch the workstation\server; in most cases the machine doesn’t even have to be rebooted, and functionality should be fully restored.
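The schema change and the post-restore enable step described above, scripted against ADSI in PowerShell. This is an added example, not the post’s own code; it assumes you are a member of Schema Admins, run it on (or against) the Schema Master, and the computer DN at the bottom is a placeholder you replace with the restored object’s DN.

```powershell
# Set the fPRESERVEONDELETE bit (8) in searchFlags on the Unicode-Pwd schema
# attribute so the computer password survives tombstoning and comes back with
# an 'adrestore -r' reanimation. Names are read from RootDSE, not hard-coded.
function Set-PreserveOnDeleteFlag {
    param([string]$AttributeCn = 'Unicode-Pwd')

    $PRESERVE_ON_DELETE = 8   # searchFlags bit: keep this attribute in the tombstone

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.schemaNamingContext.Value
    $attr     = [ADSI]"LDAP://CN=$AttributeCn,$schemaNc"

    # searchFlags may be absent on the object; treat absent as 0, as the post does.
    $current = 0
    try { $current = [int]$attr.Get('searchFlags') } catch { }

    if ($current -band $PRESERVE_ON_DELETE) {
        Write-Host "searchFlags already has bit 8 set ($current); nothing to do."
        return $current
    }

    # OR the bit in instead of overwriting, so any other flags already set survive.
    $new = $current -bor $PRESERVE_ON_DELETE
    $attr.Put('searchFlags', $new)
    $attr.SetInfo()

    # Ask the DC to reload its schema cache now rather than waiting for the timer;
    # the change still has to replicate to the other DCs before it protects them.
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()

    Write-Host "searchFlags on $AttributeCn changed $current -> $new"
    return $new
}

# After 'adrestore -r' has reanimated the account, clear ACCOUNTDISABLE (0x2) in
# userAccountControl so the machine can use its restored password again.
function Enable-RestoredComputer {
    param([Parameter(Mandatory)][string]$ComputerDn)

    $ACCOUNTDISABLE = 0x2
    $comp = [ADSI]"LDAP://$ComputerDn"
    $uac  = [int]$comp.Get('userAccountControl')
    $comp.Put('userAccountControl', ($uac -band (-bnot $ACCOUNTDISABLE)))
    $comp.SetInfo()
}

Set-PreserveOnDeleteFlag
# Placeholder DN: point this at the restored computer object in your own domain.
# Enable-RestoredComputer -ComputerDn 'CN=WS01,OU=Dept,DC=example,DC=com'
```

Only objects deleted after the schema change (and after it has replicated) carry the preserved password; accounts tombstoned before that point still come back without one.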

Updated: There is a new feature in Windows 2008 R2 called the Active Directory Recycle Bin. This is a win for Microsoft and allows for reanimating deleted objects. Very cool feature (http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx). For those of you still on Windows 2003 or 2008 standard, you will have to follow the above recipe.

Best of Luck!

Categories: Active Directory
  1. Tina
    February 13, 2012 at 7:33 AM

    This is great, however we found this after the fact. We had accidentally deleted a server from our domain. We restored it with the ADRestore. Of course we couldn’t log into it after the fact. On the server itself we removed it from the domain and re-connected it to the domain, but now it will not show up in AD at all.

  2. jan prucha
    April 13, 2012 at 8:44 AM

    Thank you for your advice. Unfortunately, it does not work for me.
    Our environment is 2003 native. I’ve set the searchFlags attribute on the Unicode-pwd schema object from 0 to 8, then waited 1 day. Then I deleted one computer object, recreated it using adrestore -r, and enabled it. Unfortunately no luck, no one can log on to the computer; the computer says Error: The Security database on the server does not have a computer account for this workstation trust relationship.

    What am I doing wrong?

    thanks jan

  3. April 15, 2012 at 8:27 PM

    Unfortunately, if you are running native Windows 2003 Domain Functional level you likely have to set the searchFlag attribute on the Unicode-pwd schema object from 0 to 8 prior to reanimating any deleted objects. In other words, restoring is not an option on machine accounts deleted prior to setting the flag. This is my understanding anyway... this may have changed in native 2008\2008 R2 Domain\Forest functional level, though.
