O R G A N I C / F E R T I L I Z E R: finding where a user was deleted

Jan 11, 2006

on the activedir list today, tiroa yann posted steps on how to figure out where a user was deleted. here's the method. you'll need two tools to begin with: repadmin and adfind.
  1. adfind -default -showdel -f (isdeleted=TRUE) -gc
  2. repadmin /showobjmeta dcname deletedobjectDN | find /i "isdeleted"
the first command will output a list of all deleted objects. once you locate the object you want to look at, grab the string labeled "dn:".

in the second command, replace dcname with the name of one of your domain controllers and replace deletedobjectDN with the string from the first command. make sure you put this string in quotation marks if there are any spaces in it. piping to find will output only the line with "isDeleted" as the attribute.

that line gives you the server and the time/date. now that you have those, you can use any utility like eventcomb or psloglist to try to find the event id. tiroa suggested this command:
  psloglist \\dcname security -i 630 -a date
good stuff...
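
an added example, not part of tiroa's post: a small python parser that pulls the server and time/date out of saved repadmin /showobjmeta output. the sample text is constructed, and the column order (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute) and the names SAMPLE, ROW and find_deletion are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample of `repadmin /showobjmeta` output (not from a real DC).
# Assumed columns: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute.
SAMPLE = r"""
Loc.USN                Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======                ===============  ========= =============        === =========
  81234   Default-First-Site-Name\DC02     455102 2006-01-10 16:42:07    3 sAMAccountName
  81240   Default-First-Site-Name\DC02     455108 2006-01-10 16:42:07    1 isDeleted
  81241   Default-First-Site-Name\DC02     455108 2006-01-10 16:42:07    2 lastKnownParent
"""

# The DSA column is matched lazily so the numeric columns to its right
# (Org.USN, date, time, version) anchor the parse.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def find_deletion(showobjmeta_text):
    """Return where and when isDeleted was written, or None if no such row."""
    for line in showobjmeta_text.splitlines():
        m = ROW.match(line)
        if not m or m.group("attr").lower() != "isdeleted":
            continue  # header, separator, or a different attribute
        # "Site\Server" when the DC is known; otherwise the whole field
        # is kept as the server value and the site is left empty.
        site, _, server = m.group("dsa").rpartition("\\")
        return {
            "site": site,
            "server": server,
            "when": datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S"),
            "org_usn": int(m.group("org_usn")),
            "version": int(m.group("ver")),
        }
    return None

if __name__ == "__main__":
    hit = find_deletion(SAMPLE)
    if hit:
        # These two values are what goes into the event log search.
        print("deleted on", hit["server"], "at", hit["when"].isoformat(sep=" "))
    else:
        print("no isDeleted row found")
```

it also works on the single line left after piping through find /i "isdeleted", since header and separator rows are skipped.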