4

Is it possible to restore lost users after Active Directory uninstallation? (I forgot to switch users to local users.) The computer runs Windows Server 2008 R2 Enterprise, and all the registry entries linked to the user I want to restore seem to still be there, the user's folder is still on the hard drive, and useraccount2 still shows the user (but flagged as unknown user).

Some folders still have rights set to this lost user, and even the local default Admin account cannot open/delete the folder. (But the real problem here is finding how to recover the user accounts; the folder can be deleted another way.)

All users I want to restore were originally local users, converted to domain users after Active Directory installation.

I think that if I can change a user's SID (choosing the SID manually) I'll be able to easily recover rights on folders.

Regards

Zulgrib
  • 353
  • 5
  • 17

5 Answers

6

As you are apparently not interested in the user objects themselves but only the associated data and profile information, this should work:

  1. take ownership and reset filesystem permissions of every profile directory (C:\Users by default - if you had local profiles in place)
  2. create your new local users and log them on interactively once - new profile directories and references get created during this step
  3. change the filesystem permissions of your old profile directories to include Full Access for the respective newly created users

If you are not interested in the users' settings which were stored in the registry but only need to migrate the user data, just either copy the relevant data (presumably stuff like Documents, Desktop or Downloads) out of the old profile directories into the newly created ones yourself or let the users do it (you've granted them access in step 3.). If you need the settings as well, there is more work to do:

  1. log off the users you just logged on
  2. run the Registry Editor (regedit.exe) as an administrative user to modify the ProfileImagePath value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID> subkey so your newly created user objects would map to your old AD users' profile directories
  3. restart your machine to make sure all profiles have unloaded
  4. log on your new users - you should see error messages and erroneous behavior all along - this is due to the fact that you've changed the filesystem permissions for the profile, but permissions on the profile's registry are still too restrictive
  5. run the Registry Editor (regedit.exe) as an administrative user to add Full Control for the respective users' registry permissions. The user's registry profiles are loaded into HKEY_USERS\<SID> and HKEY_USERS\<SID>_Classes regkeys. You would need to be able to identify the <SID>-subkeys and map them to your user's names to set permissions - you could do it by retrieving each user's SID and matching them against the list of course, but a much simpler approach is to look up the USERNAME value within the HKEY_USERS\<SID>\VolatileEnvironment key.
  6. restart the machine again and log on the users - you should be good now

Now depending on the number of users you want to re-create, this can be an awful lot of work - consider scripting the whole procedure then.

Oh, one more important thing: since you seem to be the type to forget taking backups before making significant changes, try to think of it this time and make sure you have an easily accessible backup beforehand.

This would be especially necessary if you have no significant experience in handling profiles or using registry editor, as in this case you are rather likely to screw things up beyond all repair.

Oh, and you can't set SIDs of created user or group objects - not even programmatically. For migration purposes, there is the sIDHistory attribute, but population of this one is restricted to the use of the DsAddSIDHistory function - which requires a functional source domain (which you don't have) and an AD user object as the destination (which you don't have either).

the-wabbit
  • 40,319
  • 13
  • 105
  • 169
  • This is the most helpful answer for me, in order to retrieve rights on folders, and this is the answer that will save me a lot of time after my fail (because I didn't make a backup, I totally failed and I now have this problem). Thanks to everyone – Zulgrib Nov 12 '12 at 23:34
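The procedure above can be scripted. What follows is an added example written for this answer, not code from the answer's author or from Server Fault; it assumes an elevated PowerShell prompt on the server itself, profiles under C:\Users, that the old domain's ProfileList entries still exist (as the question states), and that the orphaned SID and the new local user name are supplied by the administrator (the values in the usage comments are placeholders). It also enumerates ProfileList entries whose SID no longer resolves, which is exactly the "unknown user" state described in the question, so you can see which profiles are candidates for re-mapping before touching anything.

```powershell
# Added example (not the answer's own code). Scripts the profile-recovery
# procedure for one user at a time. Placeholders: $OldSid, $NewUser, $dir.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-OrphanedProfile {
    # List ProfileList entries whose SID no longer maps to any account
    # (shown as "unknown user" / "Account Unknown" in ACL editors).
    Get-ChildItem -Path $ProfileList | ForEach-Object {
        $sid = $_.PSChildName
        if ($sid -notlike 'S-1-5-21-*') { return }   # skip built-in system profiles
        $resolved = $true
        try {
            $null = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount])
        } catch { $resolved = $false }   # IdentityNotMappedException => orphaned
        if (-not $resolved) {
            New-Object PSObject -Property @{
                Sid  = $sid
                Path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            }
        }
    }
}

function Get-AccountSid {
    # Translate a local account name into its SID string.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Restore-ProfileDirectory {
    # Steps 1 and 3 of the first list: take ownership, reset the ACL, then grant
    # the new local user Full Control (inherited by files and subfolders).
    param([string]$OldSid, [string]$NewUser)
    $dir = (Get-ItemProperty -Path (Join-Path $ProfileList $OldSid) -ErrorAction Stop).ProfileImagePath
    if (-not (Test-Path -LiteralPath $dir)) { throw "Profile directory '$dir' not found" }
    & takeown.exe /F $dir /R /D Y | Out-Null
    & icacls.exe $dir /reset /T /C | Out-Null
    & icacls.exe $dir /grant "${NewUser}:(OI)(CI)F" /T /C | Out-Null
    return $dir
}

function Set-ProfileImagePath {
    # Step 2 of the second list: point the new user's ProfileList entry (created
    # by the first interactive logon) at the old directory. User must be logged off.
    param([string]$NewUser, [string]$Directory)
    $key = Join-Path $ProfileList (Get-AccountSid $NewUser)
    if (-not (Test-Path $key)) { throw "No ProfileList entry for $NewUser; log the user on once first" }
    Set-ItemProperty -Path $key -Name ProfileImagePath -Value $Directory
}

function Get-LoadedHiveMap {
    # Step 5 helper: map user names to loaded HKEY_USERS\<SID> hives via the
    # USERNAME value under "Volatile Environment" (the key name contains a space).
    $map = @{}
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $ve = "Registry::HKEY_USERS\$($_.PSChildName)\Volatile Environment"
            if (Test-Path $ve) {
                $name = (Get-ItemProperty -Path $ve).USERNAME
                if ($name) { $map[$name] = $_.PSChildName }
            }
        }
    return $map
}

function Grant-HiveFullControl {
    # Step 5: grant Full Control on HKEY_USERS\<SID> and <SID>_Classes while the
    # profile is loaded, i.e. while the user is logged on.
    param([string]$NewUser)
    $sid = (Get-LoadedHiveMap)[$NewUser]
    if (-not $sid) { throw "No loaded hive for $NewUser; the user must be logged on" }
    foreach ($hive in @($sid, "${sid}_Classes")) {
        $path = "Registry::HKEY_USERS\$hive"
        if (-not (Test-Path $path)) { continue }
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($NewUser, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage, in the answer's order (placeholder values):
#   Get-OrphanedProfile                                   # find the "unknown" SIDs
#   $dir = Restore-ProfileDirectory -OldSid 'S-1-5-21-<old-domain>-1105' -NewUser 'bob'
#   Set-ProfileImagePath -NewUser 'bob' -Directory $dir   # bob logged off, then reboot
#   Grant-HiveFullControl -NewUser 'bob'                  # after bob logs on and sees errors
```

Run `Get-OrphanedProfile` first and compare its output with the directories you expect; a ProfileList entry that resolves normally is not one of the lost domain users and should be left alone. `Restore-ProfileDirectory` resets inherited permissions on the whole tree before granting the new user, which is what step 1 asks for but also discards any per-file ACLs the old user had set, so take the backup the answer insists on before running it.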
5

The actual users are gone. That's what all the warning notices were about when you removed active directory.

Your options are pretty much recover the AD domain controllers from backups made prior to removing AD or accepting that the users have gone and settling for recovering their data; Laurentiu's answer is correct in that regard, you just need to read it carefully. Prior to 'editing rights' for the user folders as you talk about, you need to take ownership of the folders if you need to get to the data.

Rob Moir
  • 31,664
  • 6
  • 58
  • 86
  • +1 - This is the correct answer and is a rather polite way of saying "You're screwed, pull your backups and start restoring" – MDMarra Nov 12 '12 at 19:31
1

I don't think you can log in as that user. But as a local admin you can change ownership of that folder (including subdirectories and files) and then access them.

Laurentiu Roescu
  • 2,246
  • 16
  • 17
  • Hello, local admin cannot edit rights for this folder, it was owned by the old local admin (before AD install/uninstall). The biggest problem is the lost users I'm trying to recover – Zulgrib Nov 12 '12 at 19:18
  • @Zulgrib If you take ownership, as Laurentiu states, you'll be able to change the ACLs as needed. – jscott Nov 12 '12 at 19:57
  • http://technet.microsoft.com/en-us/library/cc753659.aspx – Laurentiu Roescu Nov 12 '12 at 20:07
  • Hello, thanks for the doc, it worked, but not with the default admin account, I don't know why; however it worked with a newly created admin account. The folder is correctly deleted – Zulgrib Nov 12 '12 at 21:52
0

Like RobM has said...you are probably out of luck.

I really don't think it will help, but if you want to try "migrating" the SIDs to an actual account you can try this software: http://www.forensit.com/domain-migration.html

I have used it to migrate local accounts TO domain accounts, but never to try what you are attempting...but it might allow you to reactivate that local SID that isn't associated with a user account. Not sure.

TheCleaner
  • 32,352
  • 26
  • 126
  • 188
  • I tested the tool you linked, it didn't solve anything, but it is very interesting and I will keep the link preciously. Thank you – Zulgrib Nov 12 '12 at 23:35
0

I don't think you can change an Active Directory domain user account's SID, as the SID is a system-only property, so the option to change a user's SID is not a viable one.

One possibility might be to try and use a Windows Access Token Viewer to see what all groups a user belonged to, and based on that information, you could try and re-provision access.

There's a good discussion on How to view an Active Directory / Windows domain user's access token? in case this helps.

Good luck to you. It seems like you may have to just pull your backups and perform an auth restore.

Armen
  • 1
  • You are indeed correct -- [you cannot change an account's SID](http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory) – voretaq7 Nov 17 '12 at 03:27