One of the most frustrating things that can happen in a centralized network environment such as Active Directory is the deletion of one’s user account. I have never given much thought or had any sort of plan in place for the situation of an accidental account deletion, but on Sunday evening, such an event occurred.
For a few months Chris and I had been toying with the idea of using Exchange to replace IMail as our primary local email server. I toyed with the idea; Chris toyed with Exchange on a virtual domain controller (as a Domain Admin, he’s allowed). Sunday evening it was decided that if we ever did use Exchange we would have to start over anyway, so he proceeded with removal. Removing Exchange Server requires removing the mailboxes associated with it. Somehow in the process of removing mailboxes, Chris managed to remove my entire Active Directory account. I was unaware of the removal at first, but a few minutes after it occurred, my laptop asked me to re-authenticate myself to the domain. I was about to do it when Chris advised me that it might not be such a good idea. I was obviously quite pissed when I found out what happened.
Upon discovering that my account was deleted I immediately did something equally stupid: I created a new account with the same name, complicating everything. First of all, I forgot that Active Directory keeps a trashcan of discarded objects for a minimum of 12 hours before objects are permanently removed. Everything went downhill from there. I assumed that it would be much easier to simply create a new account than it would be to try to reanimate the tombstoned object. I believed this based on the fact that throughout the network all of my rights are based on my membership in Domain Admins and Administrators, not on my individual rights to objects. I was only half right. My rights to other users’ files and to the machines themselves are derived from my membership in the groups. My access to my own files was through my user account itself. That wasn’t too bad to fix; I just had to take ownership of the files and then assign myself permissions to the objects (time consuming, but not hard). As for my user profiles, those for the most part are contained in the files each machine maintains about me, and only 2 computers really care that I exist: my laptop and my primary server. I use my desktop so little that I wouldn’t notice if I was loaded on a default profile. On the server I did the usual steps: logged in to my new account and then used an administrator account to copy the old profile over the new one. This worked great on the server, but on my laptop (where it matters), this little trick didn’t go over so well. I managed to somehow end up in a user environment that was non-functional; I didn’t have permissions to use Explorer (which means no Control Panel, no My Computer, no anything). After repeated attempts to correct the flaw I found that no matter what I did, the account still wasn’t functional, which meant that Windows had managed to corrupt its understanding of me somewhere on that name vs. security ID border.
After too many hours of fighting with it, I took the plunge and reinstalled Windows.
The moral of the story is simple: if you find yourself deleted from Active Directory, it is much easier to go dumpster diving in LDAP than to recreate yourself in the image of your previous self.
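For anyone who lands in the same spot, here is an added example (not from the original post) of the "dumpster diving" route done safely: it looks the deleted user up in the Deleted Objects container, refuses to proceed if a same-named live account has already been created (the mistake above), and restores the original object so its SID, and every ACL and profile tied to that SID, comes back. It assumes the ActiveDirectory PowerShell module and a domain with the AD Recycle Bin enabled; `jdoe` is a placeholder account name.

```powershell
# Added example, not the author's. Assumes the ActiveDirectory module and the
# AD Recycle Bin (deleted objects keep all attributes, so a restore is complete).
# Without the Recycle Bin, classic tombstone reanimation still recovers the SID
# but loses most attributes, group membership included.
Import-Module ActiveDirectory

$Sam = 'jdoe'   # placeholder: sAMAccountName of the deleted account

# 1. Refuse to restore on top of a freshly created same-named account.
#    Keeping the new one leaves you with a new SID (the whole problem), and
#    Restore-ADObject would fail on the sAMAccountName/RDN conflict anyway.
$live = Get-ADUser -Filter { sAMAccountName -eq $Sam } -ErrorAction SilentlyContinue
if ($live) {
    Write-Warning ("Live account '{0}' already exists with SID {1}. " +
        "Remove or rename it first, then restore the original.") -f $Sam, $live.SID
    return
}

# 2. Find the deleted object. -IncludeDeletedObjects searches the Deleted
#    Objects container, which normal queries skip. Newest deletion first, in
#    case the account has been deleted more than once.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $Sam } `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending

if (-not $deleted) {
    Write-Warning "No deleted object named '$Sam' found; it may already be recycled."
    return
}
$target = $deleted | Select-Object -First 1
Write-Host ("Restoring {0} (SID {1}) back into {2}" -f `
    $target.DistinguishedName, $target.objectSid, $target.lastKnownParent)

# 3. Reanimate it into its original OU (lastKnownParent is the default target).
Restore-ADObject -Identity $target.ObjectGUID

# 4. Verify the SID survived: it must equal the one on the deleted object,
#    otherwise file ACLs and the machine profiles will not recognise the user.
$restored = Get-ADUser -Identity $Sam
if ($restored.SID.Value -ne $target.objectSid.Value) {
    throw "SID mismatch after restore: $($restored.SID) vs $($target.objectSid)"
}
Write-Host "Restored '$Sam' with original SID $($restored.SID)"
```

Run it as a Domain Admin on a domain controller or a machine with RSAT; if the restore fails because the parent OU itself was deleted, restore the OU first and rerun.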