http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspxFor the first technical post I thought it would be best to lay the groundwork and mention a tool which can be used in a wide variety of AD replication scenarios. We'll talk about one of the useful features in this post, and follow up with one other foren-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspx#437062Sun, 18 Jun 2006 22:03:11 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:437062YannJust a little mistake in my repadmin command above. So just correct with the right user that is &quot;yann&quot; and not &quot;dac&quot;; the latter one was the user i had investigated last year in my AD environnement. <br>repadmin /showobjmeta DC1 &quot;CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=mydomain,DC=fr&quot; | find /i &quot;isdeleted&quot;. <br>Regards,<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=437062" width="1" height="1">http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspx#437059Sun, 18 Jun 2006 21:16:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:437059YannHello Tim, <br> <br>Thanks for clarification. <br>Endeed, when an object is deleted, in our case a user yann ;), the DN's changed to this one for example; <br>CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=mydomain,DC=fr. <br>Adrestore permits me to find this DN. And when we put all together with repadmin, the command looks like: <br>repadmin /showobjmeta DC1 &quot;CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=mydomain,DC=fr&quot; | find /i &quot;isdeleted&quot;. The results of this is: <br>17730966 SITE1\DC2 &nbsp;17730966 2005-10-27 10:37:11 &nbsp;1 isDeleted. <br>So u can find where and when a user was deleted. That works for me. <br>Why using the deleted object DN instead of guid ? <br>Because I remembered I was not able to work with the guid of the object , so i tried with the DN of the deleted object and that works fine. <br> <br>Regards, <br> <br>Yann <br> <br> <br><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=437059" width="1" height="1">http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspx#437049Sun, 18 Jun 2006 20:14:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:437049Tim Springston [MS]Thanks for the post! &nbsp;The above will work very well, but you may hit one snag. &nbsp;When an object is marked for deletion the distinguishename changes since it is then in the &quot;container&quot; for Deleted Items. &nbsp;So the repadmin command may struggle with that... <br> <br>But, your comment reminded me about being able to insert the objectGUID of te object in and track it that way. <br> <br>So, get the objectGUID of the object that was deleted and try using that. &nbsp;Just substitute the DN string entry for the syntax with this: <br> <br>&quot;&lt;GUID=guidnumber&gt;&quot; <br> <br>You can get the objectGUID by using LDP.EXE to view it, or by dumping the database using LDP.EXE. <br> <br>Let me know if I misunderstood something from your comment. &nbsp;Thanks again for reading! <br> <br>Tim<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=437049" width="1" height="1">http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspx#436909Sat, 17 Jun 2006 14:39:42 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:436909YannHi Ian, <br> <br>To figure out where a user was deleted (and how to reanimate it assuming u are in AD w2k3 *only*),you need 2 (free) tools: <br>-&gt; Adrestore, where u can donwload here <a rel="nofollow" target="_new" href="http://www.sysinternals.com/Utilities/AdRestore.html">http://www.sysinternals.com/Utilities/AdRestore.html</a> <br>-&gt; repadmin /showobjmeta dcname deletedobjectDN | find /i &quot;isdeleted&quot; <br>-&gt; and obviously, auditing already activated on your Default Domain Controler Policy :). <br>Here we go ! <br>Suppose that yann was deleted: <br>1) in a command shell, enter adrestore yann. Adrestore will query the tombstone to list all users deleted objects that contains &quot;yann&quot; in their CN. <br>Adrestore will also output the DN of the deleted user yann. Focus on the right yann. <br> <br>2)Enter the second command with repadmin and just replace deletedobjectDN by the one u found <br>with adrestore, and also replace dcname with the name of one of your domain controllers. Make sure u put the strings corresponding to deletedobjectDN in quotations if there are any spaces in it. Reapdmin will show u where(on which DC) and when(time/date) yann was deleted thanks to the &quot;isdeleted&quot; attribute that was piping. <br> <br>Next, go to your DC, and search for eventID 630 to find occurences corresponding to &quot;deleted object user&quot;. Done ! <br> <br>If u are in ad2k3 u can reanimate yann by entering adrestore -r yannn and choose the right user to restore. <br> <br>NB1: in order to use adrestore, u *must* be domain admins. <br>NB2: are u from Papeete tahiti ? because it's my homeland man ! I leave tahiti for now 10 years to France where i work in an AD &amp; Exchange team. So .... iaorana ! ;o) <br>NB3: for those whose wondering what i am talking about.... iaorana means both &quot;hello&quot; &nbsp;or &quot;goodbye&quot; in tahitian language, depending if u arrive or leave :). <br>NB4: Tim, thanks a lot for your blog. It will leverage our skills on the underground technology of AD . Keep up the good work ! <br> <br>Yann<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=436909" width="1" height="1">http://blogs.technet.com/b/ad/archive/2006/06/12/435501.aspx#435929Wed, 14 Jun 2006 22:40:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:435929IanCurtis <br>Looking at your blog, can I use this to see where a user account was deleted. &nbsp;I've got doubts about my office in Papeete. <br> <br>IC<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=435929" width="1" height="1">