info@qualityplusconsulting.com l +1 262-553-6510

Recover Group Memberships of Deleted User Account

This document describes how server support staff recover the group memberships of a user account that was accidentally deleted within the past 30 days. This procedure is written for an NT 4.0 domain. However, it could be modified slightly to work with Active Directory.

The document does not describe a recovery procedure for:
• A user who left the company and then, after some weeks or months, decided to rejoin the company.
• A user who has not used an account for months and then discovers that it is gone.

Definitions

GUID - Global User ID
PDC - Primary Domain Controller

Process Overview

1. On Monday, Wednesday, and Friday at 22:00 (10 PM), the PDC runs a process that:
• Gets a complete list of domain users via the addusers command.
• Runs a custom C++ program that turns addusers output into a list of GUIDs.
• Runs a process that gathers group memberships for every GUID in the list and appends that data to text file UserMemberships.txt.

2. When there is a need to recover group membership information, support staff retrieves the data from D:\UserDump\UserMemberships.txt on the PDC.

Concepts

No way to recover group memberships
If a user account is accidentally deleted, there is no way to recover the account’s group memberships. A method was needed to keep at least a moderately current list of group memberships to refer to in case of an accidental account deletion. The M-W-F PDC process is a response to the requirement for group membership information.

Group memberships for all trusted domains
The process created for the PDC retrieves group memberships from every domain with which the domain hosted by the PDC has a trust relationship. The process must run on the PDC to ensure that the retrieval of group memberships works correctly.

Assumptions

This document assumes that you: 
• Are a server support staff person
• Have access to the D:\ drive on the PDC

If you need to change the process that runs on the PDC, you must:
• Have C++ programming knowledge
• Know how to use the addusers command from the NT Resource Kit

Before you start

• Have in hand the GUID associated with the accidentally deleted account.

Procedures

Set up automated process on PDC

The source file contains the source documents for the programs that run on the PDC.

1. Copy all of the files except the .cpp file into D:\UserDump on the PDC.

2. Schedule an AT job on the PDC to run at 22:00 every Monday, Wednesday, and Friday. The command to schedule is: D:\UserDump\DumpPDCUsersMembership.cmd

3. Run the AT scheduled job once and check the results to ensure that it works properly.
IMPORTANT: Be sure not to use Task Scheduler in the process, or the AT job may become corrupted. Refer to QP0001 - Task Scheduler and AT Account Issues.doc for more details.

Making changes to the process

The .cpp file is the C++ source code for the custom .exe file. If it is edited, use MinGW to recompile it, as MinGW produces a native Windows .exe file that requires no other .dll files.

The .cmd file is programmed in batch language. Make sure to use change control to implement the change.

The scheduled AT job will not work if you change the name of the .cmd file. Ensure that the AT job still works.

Determine an account’s group membership(s)

1. On the PDC, open folder D:\UserDump.

2. Open file UserMemberships.txt.
Result: The most current group membership information is in the file. Example of file contents:

User: [kahuna\sandy], is a member of:

Checking domain: kahunajane Checking domain: kahunabob
KAHUNA\Marketing
KAHUNA\SQL_DB1
KAHUNA\SA_Users
KAHUNA\NA_Users
KAHUNA\HR_Employees
KAHUNA\Domain Users
\Everyone
KAHUNA\HR_Records

3. Find the GUID whose account you want to restore and use the listed group memberships to restore the account’s global group assignments.
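As an added example (not part of this procedure or of the PDC programs), a small C++ parser for the UserMemberships.txt layout shown above. It assumes the M-W-F job appends a fresh "User: [...]" block on every run, so the last block for an account is the current one; the embedded sample dump, the function names and the parser itself are mine, not the custom .exe.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample of UserMemberships.txt holding two appended dumps;
// the later block for kahuna\sandy is the current one.
static const char* kSampleDump =
    "User: [kahuna\\sandy], is a member of:\n"
    "\n"
    "Checking domain: kahunajane Checking domain: kahunabob\n"
    "KAHUNA\\Marketing\n"
    "\\Everyone\n"
    "\n"
    "User: [kahuna\\sandy], is a member of:\n"
    "\n"
    "Checking domain: kahunajane Checking domain: kahunabob\n"
    "KAHUNA\\Marketing\n"
    "KAHUNA\\HR_Records\n"
    "KAHUNA\\Domain Users\n"
    "\\Everyone\n";

// Map "domain\user" -> groups listed in the LAST block for that account
// (assumption: the job appends, so a later block supersedes an earlier one).
std::map<std::string, std::vector<std::string>> parseMemberships(const std::string& text) {
    std::map<std::string, std::vector<std::string>> result;
    std::istringstream in(text);
    std::string line, current;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        if (line.rfind("User: [", 0) == 0) {                        // block header
            std::size_t close = line.find(']');
            current = close == std::string::npos ? "" : line.substr(7, close - 7);
            if (!current.empty()) result[current].clear();          // newer block wins
        } else if (!line.empty() && !current.empty() && line.rfind("Checking domain:", 0) != 0) {
            result[current].push_back(line);  // blank and trust-probe lines carry no membership
        }
    }
    return result;
}

// Groups for one account as written in the dump; empty if the account was never dumped.
std::vector<std::string> groupsFor(const std::string& text, const std::string& account) {
    auto all = parseMemberships(text);
    auto it = all.find(account);
    return it == all.end() ? std::vector<std::string>() : it->second;
}
```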
