Performing Active Directory Tombstone Reanimation
October 10, 2018
With the exception of dynamic objects, when an object is deleted in Active Directory it is not immediately removed from the database. Instead, a “tombstone” of the object containing a subset of its attributes, including the SID, is placed in a hidden container called “Deleted Objects”. This makes it possible to restore the user account, although this method should only be used if an authoritative restore and the Recycle Bin cannot be used.
The length of time tombstones are kept depends on the operating system which created the forest to begin with. For forests created with Windows Server 2000 or 2003 it is 60 days, whereas for Windows Server 2003 SP1 and above it is 180 days. By default, every 12 hours the garbage collection process on each DC permanently removes tombstones which have exceeded this duration. These values can be altered in ADSI Edit.
Tombstones can be “reanimated” using LDP, which is able to access the Deleted Objects container. Be aware that this restores only a disabled account with many of its attributes missing, and it can produce unexpected results. Once restored, a new password needs to be set and the account enabled. The process of reanimation requires making the following attribute amendments:
| Attribute | Operation | Value |
|---|---|---|
| isDeleted | Delete | (attribute removed entirely) |
| distinguishedName | Replace | DN of the destination OU for the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com |
Follow these steps to recover a deleted user account using LDP.exe:
- Run “ldp.exe” on a DC, click “Connection”, “Connect…”, for the server specify the server name to connect to and click “OK”.
- Click “Connection” and choose “Bind…”, use the default option to connect as the current user and click “OK”.
- Click “Options”, “Controls” and then under “Load Predefined” choose “Return deleted objects” and click “OK”.
- Click “View”, “Tree” and set the “BaseDN” to “CN=Deleted Objects,DC=Your Domain” and click “OK”.
- Expand the tree view for deleted objects and look for the object to reanimate.
- Right click on the object and choose “Modify”.
- In the “Attribute” text box type “isDeleted”, select the “Delete” radio button and then click “Enter”.
- Clear the “Attribute” text box and enter “distinguishedName”; in the “Values” text box enter the new DN for the user, e.g. CN=John Smith,OU=Accounts,DC=example,DC=com if the user was John Smith from Accounts. Click “Enter” and then “Run”.
- In Active Directory Users and Computers the account now appears in a disabled state, ready for a password reset and to be enabled again.
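The same reanimation performed directly over LDAP from PowerShell, as an added example that is not code from the original post: System.DirectoryServices.Protocols attaches the “Return deleted objects” control to the search and the modify, then sends the isDeleted delete and the distinguishedName replace as one modify. The DC name, domain DN and user DNs are placeholders, and the final password reset assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original post: reanimate a tombstone over LDAP
# with System.DirectoryServices.Protocols, mirroring the LDP.exe steps.
# Assumptions (placeholders): the DC name, the domain DN and the user's DNs.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns        = 'System.DirectoryServices.Protocols'
$server    = 'dc01.example.com'                        # placeholder DC
$domainDN  = 'DC=example,DC=com'                       # placeholder domain
$deletedCN = 'John Smith'                              # CN before deletion
$targetDN  = "CN=$deletedCN,OU=Accounts,$domainDN"     # destination DN
# Bind as the current user (LDP "Bind..." default), with signing and sealing on.
$conn = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $server
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()
# LDP's "Return deleted objects" is the LDAP_SERVER_SHOW_DELETED_OID control;
# it must accompany both the search and the modify, or the tombstone is invisible.
$showDeleted = New-Object -TypeName "$ns.ShowDeletedControl"
# Locate the tombstone. Deleted objects are renamed "<CN>\nDEL:<objectGUID>",
# so the filter escapes the newline as \0A and matches the GUID suffix with *.
$search = New-Object -TypeName "$ns.SearchRequest"
$search.DistinguishedName = "CN=Deleted Objects,$domainDN"
$search.Filter = "(&(isDeleted=TRUE)(objectClass=user)(cn=$deletedCN\0ADEL:*))"
$search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$search.Controls.Add($showDeleted) | Out-Null
$found = $conn.SendRequest($search)
if ($found.Entries.Count -ne 1) { throw "Expected one tombstone, found $($found.Entries.Count)" }
$tombstoneDN = $found.Entries[0].DistinguishedName
# Reanimation is one modify carrying both amendments from the table above:
# delete isDeleted and replace distinguishedName with the destination DN.
$delIsDeleted = New-Object -TypeName "$ns.DirectoryAttributeModification"
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
$setDN = New-Object -TypeName "$ns.DirectoryAttributeModification"
$setDN.Name      = 'distinguishedName'
$setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDN.Add($targetDN) | Out-Null
$modify = New-Object -TypeName "$ns.ModifyRequest"
$modify.DistinguishedName = $tombstoneDN
$modify.Modifications.Add($delIsDeleted) | Out-Null
$modify.Modifications.Add($setDN) | Out-Null
$modify.Controls.Add($showDeleted) | Out-Null
$conn.SendRequest($modify) | Out-Null
# The account returns disabled with only tombstone attributes: reset the
# password and enable it (RSAT ActiveDirectory module assumed).
Set-ADAccountPassword -Identity $targetDN -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
Enable-ADAccount -Identity $targetDN
```

If the search returns zero entries the tombstone has either been garbage collected or the CN differs, so the script stops before sending any modify.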
Issues with Adobe Reader 2019.008.20071
October 9, 2018
Recently Adobe released a routine update for their flagship PDF reader, Adobe Acrobat Reader DC. On the surface the biggest change users should have noticed was some fancy new icons; however, a couple of nasty little bugs have also made an appearance.
The first bug that was reported to me was that images embedded within documents were no longer printing, and the second was that the Save As option was greyed out. Thankfully there are a couple of workarounds which can be used whilst Adobe bring out their next update to resolve these issues.
How to resolve the images not printing
- Open a PDF to print
- Go to File and then Print…
- Click on Advanced and then check Print As Image
- Click OK and then Print
How to resolve the missing save functionality
Currently the best action to take to resolve this issue is to reinstall Adobe Reader; some may wish to take this opportunity to revert back to a previous version.