Retrieve a Deleted/Recycled Computer Object

I deleted a computer object for a computer that still exists. Oops!
We recently updated our Domain Controllers and brought our DFL and FFL to 2012 R2.  I have enabled the recycle bin, but NOT before deleting the computer object.  Here is the chronology.
DFL and FFL Server 2003
Update DFL and FFL to Server 2008
Delete Computer Object that I want to get back
Update DFL And FFL to Server 2012 R2 
Enable Recycle Bin
Discover that I deleted a Computer object that I really still need
So.. here is what I have done:
Looked in the Active Directory Recycle Bin using ADAM
Followed instructions to try to use ldp.exe to do a tombstone reanimation.
I was able to find the object and its information using ldp.exe in the deleted objects container.  It has isDeleted set to True and isRecycled set to true.
I attempted to delete the isDeleted property and modify the distinguished name.  This did not seem to work.
I was later reading that it might not be a good idea to do a tombstone reanimation when recycle bin is enabled.  These changes fail and of course I still can't get my object back.
Is there hope, what should I do next?  I don't want to rejoin the computer to the domain, because I don't know if there are possible references to the SID or some other unique data that is stored in the object I deleted.
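The same check the question describes, done with the ActiveDirectory PowerShell module (RSAT) instead of ldp.exe, as an added example that is not from this thread: it looks the tombstone up in the Deleted Objects container, reads isDeleted and isRecycled, and only calls Restore-ADObject when the object is deleted but not yet recycled. The computer name is an assumed value.

```powershell
Import-Module ActiveDirectory

# Name of the computer whose object was deleted (assumed value for this example)
$ComputerName = 'WORKSTATION01'

# Deleted objects live under CN=Deleted Objects and carry an RDN of the form
# "WORKSTATION01<LF>DEL:<guid>", so a wildcard on the original name still matches.
# -IncludeDeletedObjects adds the LDAP "show deleted" control to the query.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(name=$ComputerName*))" `
    -IncludeDeletedObjects `
    -Properties isDeleted, isRecycled, lastKnownParent, objectSid, whenChanged

if (-not $deleted) {
    Write-Warning "No deleted object found for $ComputerName; check the tombstone lifetime and the DC you are querying."
    return
}

foreach ($obj in $deleted) {
    # objectSid is preserved on the tombstone, so a restored object keeps the SID
    # that other objects (ACLs, group memberships) may still reference.
    Write-Host ("Found {0}`n  isDeleted={1}  isRecycled={2}  SID={3}`n  lastKnownParent={4}" -f `
        $obj.DistinguishedName, $obj.isDeleted, $obj.isRecycled, $obj.objectSid, $obj.lastKnownParent)

    if ($obj.isRecycled) {
        # Enabling the Recycle Bin turns every tombstone that already existed into a
        # recycled object. Recycled objects have had most attributes stripped and
        # Restore-ADObject rejects them; the only remaining route is an authoritative
        # restore from a system-state backup taken before the deletion.
        Write-Warning "$($obj.DistinguishedName) is recycled and cannot be restored with Restore-ADObject."
        continue
    }

    # Deleted but not recycled: restore in place, back into its last known parent OU,
    # with all attributes intact. -Confirm prompts before each restore.
    Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $obj.lastKnownParent -Confirm:$true
}
```

Run it on a DC or a management host with RSAT, as a user allowed to restore objects. In the situation described in the question (isRecycled already TRUE) the script will stop at the warning, which is the same answer ldp.exe was giving: the object is past the point where reanimation works.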

> 2. Followed instructions to try to use ldp.exe to do a tombstone reanimation.
Grab sysinternals' adrestore - much easier to handle :)
Greetings/Grüße,
Martin
Ever read a good book about GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me -
coke bottle design refreshment (-:

Similar Messages

  • Bitlocker to Go and deleted computer object

    When encrypting a USB drive using Bitlocker to Go and storing the recovery information in AD, where does it get stored?  Is it in the computer object like regular Bitlocker?  If so, if the computer is retired or the AD computer account is deleted,
    do you lose the recovery information for that drive?

    Hi,
    Backed up BitLocker recovery information is stored in a child object of the computer object. That is, the computer object is the container for a BitLocker recovery object. If you delete a computer object from AD, you will also delete the BitLocker recovery
    information, which is a child object.
    But you can use AD restore mode to retrieve the deleted object.
    Alex Zhao
    TechNet Community Support
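An added example (not from this thread) of the point in the answer above: the BitLocker recovery data for a computer is stored as msFVE-RecoveryInformation child objects directly beneath the computer object, so this script lists them for one computer and exports them before the account is retired. It needs the ActiveDirectory module; the computer name and the export path are assumed values.

```powershell
Import-Module ActiveDirectory

# Computer whose BitLocker recovery objects we want to list (assumed name for this example)
$ComputerName = 'WORKSTATION01'
$ExportPath   = "C:\temp\$ComputerName-bitlocker.csv"   # assumed path

$computer = Get-ADComputer -Identity $ComputerName

# Recovery data is a child object (one per protected volume / key rotation) of the
# computer object. A one-level search under the computer's DN finds all of them.
# Because they are children, deleting the computer object deletes them with it.
$recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', whenCreated

if (-not $recovery) {
    Write-Warning "No BitLocker recovery information is backed up in AD for $ComputerName."
    return
}

# The GUID attributes are stored as octet strings (byte arrays) and need converting.
# Treat the export as a secret: the recovery password unlocks the volume without the TPM.
$recovery | ForEach-Object {
    [pscustomobject]@{
        Computer         = $ComputerName
        VolumeGuid       = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-VolumeGuid')
        RecoveryGuid     = New-Object System.Guid -ArgumentList (,[byte[]]$_.'msFVE-RecoveryGuid')
        RecoveryPassword = $_.'msFVE-RecoveryPassword'
        BackedUp         = $_.whenCreated
    }
} | Tee-Object -Variable rows | Export-Csv -Path $ExportPath -NoTypeInformation

Write-Host "Exported $($rows.Count) recovery entries for $ComputerName to $ExportPath"
```

Reading msFVE-RecoveryPassword requires the permission that is normally granted only to Domain Admins and to a delegated BitLocker recovery group; auditing who holds that right is worth doing at the same time as the export.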

  • Problems deleting computer objects-because of their subordinate objects

    We are running a 2008 R2 domain.  We have recently removed our techs out of Account Operators because we have read that is best practice.  Our techs now have problems deleting computer account objects that have the msmq active directory objects
    beneath the computer object.  Even if I give the techs full control permissions on those computer objects, they cannot delete them because they cannot delete the msmq subordinate AD objects.  The msmq objects are not showing a security tab, like
    other subordinate objects do.  If I delete the msmq objects with a Domain Admin account, then the techs can delete the computer objects.  Any ideas of how I can fix it so they can delete the msmq objects, without being Account Operators?
    Thanks,
    Dan Heim

    Hello,
    please see
    http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/ and start with removing the flag for the mentioned accounts. Therefore see "Orphaned AdminSDHolder Objects" in the mentioned article.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
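An added example (not from this thread or the linked article) of the "orphaned AdminSDHolder objects" check the answer refers to: objects that still carry adminCount=1 and a protected ACL although they are no longer members of any protected group. Such objects block inheritance, which is why delegated techs cannot touch them. The script reports the orphans and, when the `$Fix` switch is set, clears the flag and re-enables inheritance; it needs the ActiveDirectory module, and the group list is the usual default set (an assumption; add any groups your forest protects).

```powershell
Import-Module ActiveDirectory

$Fix = $false   # set to $true to clear adminCount and re-enable ACL inheritance on orphans (assumed switch)

# Groups whose members AdminSDHolder stamps with adminCount=1 and a protected ACL.
# Assumed default list for this example.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators', 'Replicator'

# Current (recursive) membership of the protected groups. Some groups may not exist in a
# child domain or may contain foreign principals; those lookups are skipped.
$protectedMembers = foreach ($g in $protectedGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).DistinguishedName } catch { }
}
$protectedMembers = @($protectedMembers | Sort-Object -Unique)

# Everything that still carries the flag, minus the groups themselves.
$flagged = Get-ADObject -LDAPFilter '(&(adminCount=1)(!(objectClass=group)))' -Properties adminCount, objectClass

# Orphans: flagged objects that are no longer members of any protected group.
$orphans = $flagged | Where-Object {
    $protectedMembers -notcontains $_.DistinguishedName -and
    $_.DistinguishedName -notlike 'CN=AdminSDHolder,*'
}

foreach ($o in $orphans) {
    $path = "AD:\$($o.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    [pscustomobject]@{
        Name               = $o.Name
        ObjectClass        = $o.ObjectClass
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DistinguishedName  = $o.DistinguishedName
    }

    if ($Fix) {
        # Re-enable inheritance, keep the existing explicit ACEs, then drop the flag so
        # the SDProp process does not re-protect the object on its next run.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Set-ADObject -Identity $o.DistinguishedName -Clear adminCount
    }
}
```

Run it with `$Fix = $false` first and review the list: an object that appears as an orphan but is in a protected group you have not listed should be added to `$protectedGroups`, not "fixed".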

  • Delete Computer object VS Disjoin

    Quick question on AD administration to help resolve an internal debate:
    We're running AD on Windows Server 2008 R2.  One admin states that "deleting doesn't remove all AD objects", and that you need to run a disjoin on the machine first to properly remove the Computer Object.  Can anyone confirm this? 
    Which is the correct way to remove objects in AD?
    It's my understanding that no matter what, you'll end up running a delete command, which marks the object as deleted; this gets replicated to all other DC's, and whenever the tombstone lifetime expires, then a cleanup process will finally and forever remove
    the tombstone objects.  If you don't run a "disjoin" command first, will there be any other lingering objects that need special care and consideration??
    Any info is appreciated.  Thanks much.

    Hi - This is _how_ it works:
    A domain unjoin comes down to the NetUnJoinDomain() API call documented at:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa370644(v=vs.85).aspx
There are two scenarios that can happen: either the account gets disabled (by default) if you unjoin using the UI, or it's not disabled, leaving out the misnamed flag 'NETSETUP_ACCT_DELETE' that actually means disable and not delete.
The computer account is only disabled, regardless of the flag, if the user that performs the unjoin has the rights to disable the computer account in AD, e.g. write to the userAccountControl attribute.
The computer account (object) in AD is never deleted from AD during an unjoin.
However, the importance of clean-up here is that the computer account's password is cleared from the LSA during an unjoin, so it can't be used to authenticate against AD in case the computer account is NOT being disabled for one of the reasons mentioned
above.
    Deleting the computer object from AD is like deleting any other object in AD, it stays for the TSL until it's ultimately removed from the database.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
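An added example (not from this thread) that turns the answer above into a check: after an unjoin the machine's LSA secret is cleared, so an account that was not disabled stays enabled but stops rotating its password. The script classifies computer accounts by Enabled state and password age so the "enabled but stale" ones can be disabled and later deleted. It needs the ActiveDirectory module; the 90-day cut-off is an assumption chosen because domain members renew their machine password every 30 days by default.

```powershell
Import-Module ActiveDirectory

# Computer accounts whose password has not rotated in this many days are treated as stale
# (assumed cut-off; the default machine password age is 30 days, so 90 is conservative).
$StaleDays = 90
$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate, Enabled, OperatingSystem |
    ForEach-Object {
        $state =
            if (-not $_.Enabled) {
                'Disabled (clean unjoin or disabled by an admin)'
            }
            elseif ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) {
                'Enabled but stale (unjoined without rights to disable, or long offline)'
            }
            else {
                'Active'
            }

        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
            State           = $state
        }
    }

# Summary by state, then the list worth reviewing. An unjoined machine can no longer use its
# account (the LSA secret is gone), but an enabled account is still an authentication target
# until it is disabled; deletion only starts the tombstone lifetime clock.
$report | Group-Object State | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object State -like 'Enabled but stale*' | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Disable first and delete later: a disabled account can be re-enabled in seconds if the list contained a machine that was merely switched off, while a deleted one has to be restored from the Deleted Objects container.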

  • Deleted computer object from SCCM console, so why is it still appearing in SSRS reports?

    We recently divested about 400 computers from our network. I got a list of these computers and deleted them from both Active Directory and in the SCCM Console. I know the deletes were successful because when I search via device name in the SCCM console
    they no longer show up. Yet when I run one of our inventory reports in SSRS I still see several of the devices that I deleted listed there. I thought SSRS represented a" live view" of the SCCM database. If that's true then how can a computer object
    that I deleted in the console still be present in the database? Is there something I'm missing? 

Okay, you are saying to select from v_R_System_Valid instead of v_R_System in my query and that will automatically filter out items I removed in the console? Okay, that sounds like what I want; the only problem is my query is selecting from v_GS_COMPUTER_SYSTEM.
Can I just add "_Valid" to the end of that and achieve the same result?
Update - Yeah, no, I tried that and it did not work. Clearly I have a very limited understanding of the SQL views. Interestingly enough, Torsten, I see you posted a link on your blog to a new Microsoft article that documents the SQL views in SCCM 2012. Looking
at it now...

  • Request for info regarding MAC address population in computer objects

     
    Hi,
    I am trying to determine how MAC address information is populated in computer objects. I had assumed initially that the hardware scan would be used, but observation shows this information
    to be obtained prior to any hardware inventory.
I have laptops that are primarily connected via VPN, and before long their objects lose the internal network interface's MAC address. When I try to rebuild them, they fail to PXE boot. I have
found that importing a CSV of host / MAC / SMBIOS GUID will update the object (rather than having to delete and recreate it), which works temporarily. The MAC will eventually disappear, and the device fails to PXE boot.
I have thousands of these devices to manage, and it is already difficult enough having a CAS and two primaries (the Windows Deployment Service on a DP only cares about devices in the DP's primary
site, and so devices that move site are a real pain already; try finding that anywhere in the OSD reference documents!)
    I'm assuming now that this information is pulled from the actual client-server connection, and therefore is dynamic(ish), like IP information. If this is the case, more detail around that process,
    where to find evidence of  that process occurring would be very useful.

    The MAC is updated by hardware inventory and heartbeat discovery. 
    Torsten Meringer | http://www.mssccmfaq.de

  • Managing multiple "old" AD computer objects

So we have implemented a naming convention where the techs just select a location and department during the imaging process for a machine that is about to be deployed; during that process the computers are automagically named something like "NYC-FIN-1234567"...
with 1234567 being the Dell asset tag.... pretty nifty Johan(!)
However... the problem is that once that machine gets re-imaged at the same location and deployed to another team like the marketing folks (i.e. "MKT")... it gets the name NYC-MKT-1234567...
the problem I am seeing is now we have multiple objects in AD with the same asset tag, which is causing nightmares for licensing management... NYC-FIN-1234567 & NYC-MKT-1234567 respectively.
I am working on a PowerShell script that will trim the names down to their respective tags and then compare the list for duplicates - then check and compare the duplicates' properties like "created date" and make a determination and delete
the older object...
this checking for duplicates is proving to be a little more difficult and I haven't even gotten to the evaluate section yet...  I am still working on my proficiency when it comes to more complex arrays.
Am I going about this the right way or does anyone else have another approach to this conundrum?
    scripting games '14 anyone :p

    all good info!
Since our AD has less than 3000 workstation objects the 'scaling' is manageable... it could be made a little faster, but alas, here is what I have with a couple of tweaks:
I am skimming all computer objects in our 'workstation' OU... dropping the first two prefixes, and then checking for machines that match... we were originally using "created date", but since we have workstations that have been imaged to say
a FIN dept and then to a MKT dept and then re-re-imaged back to FIN... the created date doesn't change, so I switched to Modified date and keep the newest one...
but also as another 'layer' of protection I test-path the workstation (we run this in the middle of the day) before disabling it and moving it to a "temp" OU where we can let them sit for a couple of weeks in case we had a false positive (thus the ping)
we can quickly restore that object... I also can just comment out the actual "move and disable command" so it generates me a nice list of machines that would have been deleted so I can do a 'sanity check' before deleting a bunch of VIPs' machines
from AD :)
    #Declare Domain and OU to be Scrubbed - and $dupOU is the OU we can let them 'chill out' in before deleting on the next run
    $domain = "domain.com"
    $OU = "OU=Workstations,DC=domain,DC=com"
    $CleanupList = "c:\disabled.txt"
    $dupOU = "OU=Duplicates,OU=INACTIVE,DC=domain,DC=com"
    if (Test-Path $CleanupList) { Remove-Item $CleanupList }
    $delOK = "c:\DelOk.txt"
    if (Test-Path $delOK) { Remove-Item $delOK }
    #this is the TEMPORARY throttle cap... so it will stop after it finds the amount defined by $cap (so we can phase it in)
    $cap = 10000
    $Global:i = 0
    $sdate = (Get-Date)
    Write-Output "AD Duplicate 'Scrubber' Script started on: $sdate" >> $CleanupList
    Write-Output "These Machines were disabled and moved to the Inactive\Duplicates OU in our domain" >> $CleanupList
    Write-Output "--------------------------------------------------------------------------------------------------------------" >> $CleanupList
    $comps = (Get-ADComputer -Filter * -Server $domain -SearchBase $OU).Name
    ForEach ($comp in $comps) {
        if ($global:i -lt $cap) {
            #skip names too short to hold an asset tag, otherwise Substring throws
            if ($comp.Length -lt 7) { continue }
            #trim length to just asset tags (last 7 digits)
            $tag = $comp.Substring($comp.Length - 7, 7)
            Write-Host -ForegroundColor Yellow "Testing asset tag: $tag"
            #sorted oldest Modified date first, so the last element is the one we keep; @() keeps .Count working for a single match
            $x = @(Get-ADComputer -Filter "name -like '*$tag'" -Properties DistinguishedName, Modified -Server $domain -SearchBase $OU | Sort-Object -Property Modified)
            if ($x.Count -gt 1) {
                $y = $x.Count - 1
                while ($y -ge 1) {
                    $z = $y - 1
                    $name = $x[$z].Name
                    $name >> $CleanupList
                    #added a ping feature as another level of "protection"
                    if (Test-Connection $name -Count 2 -Quiet) {
                        Write-Output "$name is Online... Skipping"
                        $name >> c:\WTF.txt
                    } Else {
                        #the line below this one is the one that moves and disables... comment it out with a # sign when testing, or remove the # when testing is complete
                        #$x[$z] | Move-ADObject -TargetPath $dupOU -PassThru | Disable-ADAccount
                        Write-Output "$name is Offline... should delete"
                        $global:i++
                        $name >> $delOK
                        Write-Host -ForegroundColor Cyan "$name Moved and Disabled - $global:i"
                    }
                    #decrement outside the if/else, otherwise an online machine leaves the loop spinning forever
                    $y--
                }
            }
        }
    }
    Write-Host "------------"
    Write-Host -ForegroundColor Cyan "$global:i Computer objects were Disabled and Moved to $dupOU :)"
    #message in the body
    $msg = "Please review the attached list to see the Duplicate machines that were moved and disabled via this script"
    #Recipients
    $mailTo = "shad acker <[email protected]>"
    Send-MailMessage -SmtpServer smtp.domain.com -Attachments $delOK -Body $msg -To $mailTo -From "DuplicateFinder<[email protected]>" -Subject "Computer Duplicates Disabled" -Cc "who ever <[email protected]>"
    Not the prettiest or most efficient but it seems to be working :)

  • How can i delete an java object immediately?

    Is there any mechanism that delete an object immediately?
    I know I can delete an java object by GC mechanism, but it can not be effective immediately.
    is there any other solutions?
    thanks -:)

    And you did an internet search to try and find out how to delete Java from your computer? Well, this forum is for Java programmers, people who write programs using the Java language. Not for people who use those programs. But it was a good try.
    The easiest thing for you to do is just to leave Java on your computer. It won't do any harm (aside from taking up a bit of space on your disk) and if you go to a web site that contains an applet, it might even be useful. Maybe that's why you got the link in the first place.
    If you really want to get rid of it, then go into Control Panel and use Add and Remove Programs to do that. (It's called something else in Vista, I forget what, hope you didn't get stuck with that.) But I would still suggest leaving it on your computer.

  • I have an iphone and my daughter has an ipod.  She has all my contacts showing up on her ipod.  I deleted them and now they are gone from both.  is there any way of retreiving this deleted information.

When you share an iCloud account, any data you sync with the account is merged, and any actions you take on one device (such as deleting contacts) are synced to all other devices sharing the account.  To avoid this, each person's device(s) should have a separate iCloud account with a separate ID.  (You can continue to share your iTunes account; it does not need to have the same ID as the one used for iCloud.)
To create separate iCloud accounts, decide which iPhone will be keeping the current iCloud account.  On the one that will be changing accounts, go to Settings>iCloud, scroll to the bottom and tap Delete Account.  (This will only delete the account from this phone, not from iCloud.  The phone that will be keeping the account will not be affected by this.)  When prompted about what to do with the iCloud data, be sure to select Keep On My iPhone.  Next, set up a new iCloud account using a different Apple ID (if you don't have one, tap Get a Free Apple ID at the bottom).  Then turn iCloud data syncing for contacts, etc. back to On, and when prompted about merging with iCloud, choose Merge.  This will upload the data to the new account.
Finally, to un-merge the data you will then have to go to icloud.com on your computer and sign into each iCloud account separately and manually delete the data you don't want (such as deleting the other person's contacts from your account, and vice versa).
As for recovering the deleted contacts, you can try restoring her phone from her most recent backup.  This may recover the contacts, however it often doesn't.  Restoring to an iCloud backup has to be done in the initial setup process.  If she has any data on the phone now that is not in the backup that she wants to save, she will need to do that first.  Then go to Settings>General>Reset and tap Erase All Content and Settings.  You will then go through the setup screens as you did when the phone was new. When given the option, choose Restore from iCloud Backup.  Be sure you are connected to wifi and your charger as this will take some time to finish.

  • AD System Group Discovery not updating System OU Name on computer object when computer moves OU

    2 related questions.
    1. We have noticed that computer objects (active clients) in ConfigMgr are not getting their System OU Name discovery data updated when a computer account is moved from one OU to another, and AD System Group Discovery runs. Since we are basing some of our Software Updates collections on AD OU name, these systems are not falling into their required collections.
    2. On a few occasions we are also seeing duplicate computer objects being created. One new record from AD System Discovery, which contains the correct 'new' System OU Name, and one 'old' computer object from before the computer account was moved to a different OU in AD. The heartbeat discovery of this second object is still updating e.g. showing new heartbeats, but the computer object still shows the old System OU Name from before the computer account was moved in AD. If we delete both objects and run a Discovery Data Collection Cycle from the client, and AD System Group Discovery, then we get one new record with the correct 'new' set of System OU names.
    This duplicates issue is happening in both our Central Primary Site and our other child Primary site. Both sites are set to create new client records for duplicate hardware IDs, and there is a possibility we're seeing the duplicate records on machines that have been re-imaged and redeployed at some point.
    It's my understanding that it is AD System Group Discovery that updates the System OU Name property on client objects. We have this set to run every 4 hours. I'm not seeing any errors in the adsysgrp.log. Any idea why discovery is not updating the System OU Name information when a computer account moves OU? As far as I understand it, nothing additional is required to happen from the client end for this property to get updated.

    The only thing I can think of would be ad sys group discovery not running at the site where the client is assigned to?
    "Everyone is an expert at something" Kim Oppalfens Configmgr expert for lack of any other expertise. http://www.scug.be/blogs/sccm
Hi everyone...
Any reply or correct answer to this question???
I have the same problem: duplicate machine names are created when a machine is moved to a different site.
And also, AD sys group discovery is running on all the sites (I have 4 sites).
    System Security analyst at CapG

  • I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

    I have a requirement where I have to give the list of users who can access a specific computer define in AD.
    I am new with PS.
    Do you have a script to list users that can access a computer object of AD ?
    I have executed the following script  but it does not give me the access rights of who can access the computer 'computername'
    How can i have this information. please help
    Import-Module ActiveDirectory
    $computer = Get-ADComputer "computername" -Properties ntSecurityDescriptor
    $computer.ntSecurityDescriptor.Access | Select-Object -ExpandProperty IdentityReference | Sort-Object -Unique
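An added example (not from this thread) that extends the script in the question: instead of listing only the identities in the ACL, it reads the ACL of the computer object through the AD: drive and shows, per identity, which rights it holds, whether the entry is inherited, and whether the rights allow changing the object (GenericAll, WriteProperty, WriteDacl, WriteOwner, ExtendedRight) rather than merely reading it. It needs the ActiveDirectory module; the computer name and the set of rights treated as sensitive are assumptions.

```powershell
Import-Module ActiveDirectory

# Computer whose AD object ACL we want to audit (assumed name, matching the question)
$ComputerName = 'computername'

$computer = Get-ADComputer -Identity $ComputerName
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"

# Rights that let a principal modify the object (reset its password, edit attributes,
# rewrite its ACL or owner) rather than just read it. Assumed list for this example.
$sensitive = 'GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner', 'ExtendedRight', 'Self'

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = $_.ActiveDirectoryRights.ToString()
        [pscustomobject]@{
            Identity  = $_.IdentityReference
            Rights    = $rights
            Inherited = $_.IsInherited
            Sensitive = [bool]($sensitive | Where-Object { $rights -match $_ })
        }
    } |
    Sort-Object Sensitive, Inherited -Descending |
    Format-Table -AutoSize
```

Note what this does and does not answer: the ACL on the AD object says who can change the computer's account in the directory, not who can log on to the machine. Interactive and remote logon are governed on the computer itself by local group membership (Administrators, Remote Desktop Users) and the "Allow log on locally" / "Allow log on through Remote Desktop Services" user rights, which come from local policy or GPO.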

I would say that, since the OP has so little info, there are no policies in use.  If there were, then this question would never be asked the way it is being asked.
I had a client call with a letter from their insurance company; an accountant with malpractice insurance.  They asked the same question in much the same way.  "What computers can your users access?"  The question should be more like
"Do you have a policy that restricts access to computers and do you audit for compliance?"
I have had other clients whose insurance asked the question in that way.  It produces a better view of what should be happening and how to show compliance.
I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a good computer security consultant to assist with answering these very tricky questions.  Of course, if it is just your boss's
curiosity, then you may need to discuss his requirements with him in more depth.
    ¯\_(ツ)_/¯

  • *How to Delete one same object from different roles*

    I need to delete one auth object from different roles. Could anyone please advise me how I can do this and if there will be any complications involved with this.
    Best regards:
    Maq

    In PFCG, it may be that you have added some objects manually. To remove them you will have to go to pfcg.
    Even if you first remove the objects from su24, you will have to go to all the roles through pfcg to generate them in expert mode by selecting the third option (edit old status and merge with new data)

  • Health rollup to computer object from Microsoft.Windows.ApplicationComponent

    Hi All.
    Trying to author a Management Pack in Authoring Console 2007 R2. And can't get rollup to work as I want.
    Here's the long story.
    I've created:
    A discovery MP which holds:
    - an abstract class inherited from Microsoft.Windows.Computer, named: "AppX.Cmp.Role"
    - a (seed?) class inherited from the above, named: "AppX.Cmp.Role.Server"
    - a class inherited from "AppX.Cmp.Role.Server" named "App.Cmp.Role.Server.Replicator"
    - a class inherited from "Microsoft.Windows.ApplicationComponent" named: "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a class of type "Microsoft.SystemCenter.InstanceGroup" named: "AppX.Group"
    - a relationship (system.hosting) where source class is "AppX.Cmp.Role.Server.Replicator" and target class is "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a registrydiscovery to discover "AppX.Cmp.Role.Server" targeted at "Windows.Operating.System"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator" targeted at "AppX.Cmp.Role.Server"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator.Loginstance" targeted at "AppX.Cmp.Role.Server.Replicator"
    - a groupdiscovery ("Microsoft.SystemCenter.GroupPopulator") target: "AppX.Group" (Microsoft.Windows.Computer)
    - a dependencymonitor targeted at "AppX.Cmp.Role.Server.Replicator" and monitor dependency set to "AppX.Cmp.Role.Server.Replicator.Loginstance", HealthRollup set to "worst state".
    A monitoring MP (depending on the discovery MP) which holds:
    - a processmonitor targeted to "AppX.Cmp.Role.Server.Replicator" and "replicator.exe"
    - a logfilemonitor targeted to "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a stateview targeted to "AppX.Group"
    When I kill the "replicator.exe" process the object goes to unhealthy all the way up to "Windows.Computer". But when the logfilemonitor triggers and turns into "unhealthy state" the object in the above view turns RED but not the
    "Windows.Computer" object (looking at the default view "Windows Computers").
    Is it possible to get the "Windows.Computer" object to reflect the "AppX.Cmp.Role.Server.Replicator.Loginstance" state?
    How?

    Sorry about that - its been a long weekend.
    I was quoting from the following;
    "Use the Microsoft.Windows.LocalApplication as
    a base class when your class type represents a local application that shares the resources of the hosting Windows computer with other applications. Unlike theMicrosoft.Windows.ComputerRole class,
    the Microsoft.Windows.LocalApplication class
    type does not automatically roll its health up to the hosting computer."
    http://msdn.microsoft.com/en-us/library/ee533867.aspx
    Would you be able to upload the results if you run the Visio MP diagram generator and possibly the health explorer views? This will help me see how it hangs together.

  • Batch Delete on Custom Objects

    I have only just noticed that there is no batch delete on Custom Objects. I have read over the R16 release notes and I cannot see this as an enhancement, is anyone able to confirm if this functionality is actually included in R16.
    As this is only a few weeks away before we upgrade.

    Hi, I have an R16 account and I don't see the batch delete feature available for custom objects :-(
    -- Venky CRMIT

  • Mass Deletion of Rental Objects

    Hi,
    I have to delete all Rental Objects approx. 100+. Is there any way I can perform that quickly?
    Thanks
    Atif

    Hi,
    You can see two text boxes in the left pane of the RE80 Transaction. In the first box enter "My Objects"; in the second text box enter "User ID of the Creator". Then the system shows a list of all rental objects, from which you can select and delete as explained above. These two boxes are visible only if you are using the latest GUI.
    Note: In the customization of RE-FX. SPRO-> Tools->Archiving->Deletion of Real estate objects without Archiving check box should be flagged to delete objects.
    Thanks,
    B.
