Monday May 20th, 2019 14:15 The Case of the Unrestorable AD Account

So, funny thing happened to me today.

By “funny” I mean “so maddening I wanted to execute the original programmer so the evil bastard can’t breed.”

So, you know how when you delete an Exchange mailbox, the only warning it gives you is:

Do you want to delete “XXX”?

Turns out that also deletes the AD account.

Wait. Check that.

It instantly deletes and recycles the AD account, bypassing the tombstone waiting period.

So, I had cause to restore one this morning and I usually:

1. Open up LDP, connect everything and grab the GUID
2. Open up AD PS and run Get-ADObject with the -IncludeDeletedObjects switch, to make sure it’s still there
3. Restore-ADObject -Identity "[GUID]" [other necessary junk]

Simple.

Except I’m getting ‘Directory object not found’ or ‘Illegal modify operation’ or ‘The requested delete operation could not be performed’ when I was ready to give up and kill the whole thing.

So, literally the only reasonable thing you can do, whether the account was deleted in Exchange on purpose or not, is to adjust the tombstone lifetime to 1, then wait until tomorrow. There’s a nice, straightforward guide on that here, if you’re not familiar.

And on another note, exactly how stupid is it that “isRecycled=TRUE” means that something is no longer in the recycle bin? It makes logical sense with an *actual* recycling bin, as recycled items have to be removed first, but flies directly in the face of decades of training – from the same company – to read “recycled” as ‘still available somewhere’ while the word for ‘nope, you’re not getting that back’ is “deleted.”

Now, I know I could go through authoritative restore, but that was entirely too much to do after I’d wasted so much time on this nonsense, leaving it outside the parameters of “reasonable.”
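The three-step check from above with a test of isRecycled before the restore is attempted, as an added example that is not part of the original post. It assumes the ActiveDirectory module is installed and the AD Recycle Bin is enabled; the GUID is a placeholder and Get-DeletedObjectState is a made-up helper name.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module (RSAT) and an enabled AD Recycle Bin.
Import-Module ActiveDirectory

# Placeholder: the objectGUID of the deleted account (step 1 reads it in LDP).
$Guid = '00000000-0000-0000-0000-000000000000'

# Hypothetical helper: classify an object as Live, Deleted, Recycled or NotFound.
function Get-DeletedObjectState {
    param([Parameter(Mandatory)][guid]$ObjectGuid)

    # -IncludeDeletedObjects makes the search return deleted and recycled objects too.
    $obj = Get-ADObject -Filter "objectGUID -eq '$ObjectGuid'" -IncludeDeletedObjects -Properties isDeleted, isRecycled, lastKnownParent, whenChanged

    if (-not $obj) {
        return [pscustomobject]@{ State = 'NotFound'; Object = $null }
    }

    # isRecycled=TRUE means the object has already left the Recycle Bin.
    if ($obj.isRecycled)    { $state = 'Recycled' }
    elseif ($obj.isDeleted) { $state = 'Deleted' }
    else                    { $state = 'Live' }

    [pscustomobject]@{ State = $state; Object = $obj }
}

$result = Get-DeletedObjectState -ObjectGuid $Guid

switch ($result.State) {
    'Deleted' {
        # Only this state can be brought back with Restore-ADObject.
        Write-Output "Last known parent: $($result.Object.lastKnownParent)"
        Restore-ADObject -Identity $result.Object.ObjectGUID -Confirm
    }
    'Recycled' {
        # Restore-ADObject is not attempted: the object is past the Recycle Bin stage.
        Write-Warning "Object $Guid has isRecycled=TRUE (changed $($result.Object.whenChanged)); Restore-ADObject will not bring it back."
    }
    'NotFound' {
        Write-Warning "No object with GUID $Guid was found, even with -IncludeDeletedObjects."
    }
    'Live' {
        Write-Output "Object $Guid is not deleted; nothing to restore."
    }
}
```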


Whois

IT guy, dev, designer, writer.

Got a degree in print journalism from UF but history dealt some bad cards to that industry, so I moved back to an earlier love: the computer.

Was recently at ZMOS Networks, but am now the Senior IT Associate at the Edna McConnell Clark Foundation.

My name is moderately common, as are a couple screen names, so always look for the logo to make sure you're reading something with official Km approval.

You can get to me directly with kyle(@)kylemitchell.org