
Windows Server: Who Deleted My Frickin' OU?!?!

Well, we knew it was possible, but we didn't think anyone would actually do it. Based on the title, you probably already know that someone deleted a whole OU. Given that about 6-7 people could have done it and none of them were owning up, of course you're gonna get forced to figure out who it was. Well, let's get started then.

First, restore the OU. To do this we're gonna use the ldp.exe utility from the Windows Server 2003 Support Tools to reanimate the tombstone. Open it up, click the Connection menu and connect to your DC (authenticating as a Domain Admin or above, of course). Then click Options -> Controls -> Load Predefined -> Return Deleted Objects -> Control Type -> Server -> OK. Then View -> Tree and enter the DN for the missing container (e.g. if it's the Users container of 318.com that would be cn=Users,dc=318,dc=com). Now right-click the OU -> Modify. Click isDeleted -> Delete -> Enter. If it's not present, add the lastKnownParent attribute and paste the parent's DN into Values. Click Operations -> Replace -> Enter -> Synchronous -> Extended -> Run. Then click Controls -> Options -> Check Out.
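The ldp.exe walk-through above reanimates a tombstone, which is all Windows Server 2003 offers. The following is an added example (not from the original post) showing the same restore on Windows Server 2008 R2 or later with the AD Recycle Bin enabled, where a deleted OU and its contents come back with their attributes intact. It uses the ActiveDirectory module's `Get-ADObject -IncludeDeletedObjects` and `Restore-ADObject`; the DC name, OU name and parent DN are constructed sample values. The one thing that trips people up is order: a child object cannot be restored until its parent exists again, so the OU is restored first and then its former children are walked recursively.

```powershell
# Added example, not from the original post. Restores a deleted OU and
# everything that lived inside it with the ActiveDirectory module.
# Assumes Windows Server 2008 R2 or later with the AD Recycle Bin enabled;
# without the Recycle Bin only the ldp.exe tombstone method applies.
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory)] [string] $ParentDn,  # DN the deleted objects used to live under
        [Parameter(Mandatory)] [string] $Server     # DC to run every query and restore against
    )
    # Deleted objects keep lastKnownParent, so the former children of $ParentDn
    # are exactly the deleted objects whose lastKnownParent equals it.
    $children = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDn } `
        -Properties lastKnownParent, objectClass

    foreach ($child in $children) {
        # Restore-ADObject fails if the parent is still deleted, which is why the
        # caller restores $ParentDn before we get here.
        $restored = Restore-ADObject -Server $Server -Identity $child.ObjectGUID -PassThru
        Write-Host ("Restored {0} ({1})" -f $restored.DistinguishedName, $child.objectClass)

        # Nested OUs/containers may have had children of their own; recurse into them
        # now that they exist again.
        if ($child.objectClass -in 'organizationalUnit', 'container') {
            Restore-DeletedSubtree -ParentDn $restored.DistinguishedName -Server $Server
        }
    }
}

# Constructed sample values: the deleted OU was OU=Sales,DC=318,DC=com.
$dc       = 'dc01.318.com'
$ouName   = 'Sales'
$parentDn = 'DC=318,DC=com'

# The deleted OU's RDN is mangled ("Sales\0ADEL:<guid>"), so identify it by its
# lastKnownParent plus msDS-LastKnownRDN rather than by DN.
$ou = Get-ADObject -Server $dc -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and lastKnownParent -eq $parentDn } `
    -Properties 'msDS-LastKnownRDN' |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $ouName }

if (-not $ou) { throw "No deleted OU named '$ouName' under $parentDn was found on $dc" }

# Restore the OU itself first, then everything that was inside it.
$restoredOu = Restore-ADObject -Server $dc -Identity $ou.ObjectGUID -PassThru
Write-Host ("Restored OU {0}" -f $restoredOu.DistinguishedName)
Restore-DeletedSubtree -ParentDn $restoredOu.DistinguishedName -Server $dc
```

Run it against a single DC (the `-Server` parameter throughout) so the lookups and restores do not race replication. Because the Recycle Bin preserves link-valued and non-link-valued attributes, the password, profile, home directory and group membership cleanup described next is only needed for the tombstone path.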

Whew, but you're not done yet. Reanimating a tombstone only brings back a handful of attributes, so now you have to reset passwords, profile settings, home directories and group memberships, then re-enable the accounts. Yay! By now you've got to want to figure out who did this, so let's do that.

First, make sure the 2003 Resource Kit Tools are installed. To start, grab the objectGUID of the restored OU. Then type:

repadmin /showmeta GUID=<YOUR GUID HERE> <FQDN DOMAIN NAME>

Now look for that isDeleted attribute we got rid of earlier. Its metadata row names the originating DC (the one the deletion was actually written to) and the originating timestamp, so you can comb through the logs on that DC using the time stamp from your repadmin command. Good luck, and may God have mercy on their soul.
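The two steps above (read the isDeleted replication metadata, then go to that DC's logs at that time) are what the following added example automates; it is not from the original post. It uses `Get-ADReplicationAttributeMetadata`, the ActiveDirectory-module equivalent of `repadmin /showmeta`, and then pulls Security log event 5141 ("A directory service object was deleted") from the originating DC in a window around the originating timestamp. It assumes Windows Server 2008 or later DCs with the "Audit Directory Service Changes" subcategory enabled and an account allowed to read the remote Security log; the GUID, DC name and window size are constructed sample values, and the regex that turns the NTDS Settings DN into a host name is an assumption about the usual DSA naming.

```powershell
# Added example, not from the original post. Finds which DC originated a
# deletion and when, then lists who deleted what on that DC around that time.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT or later) and
# Directory Service Changes auditing on Server 2008 or later DCs.
Import-Module ActiveDirectory

function Get-DeletionOrigin {
    param(
        [Parameter(Mandatory)] [guid]   $ObjectGuid,  # objectGUID of the (restored or still deleted) object
        [Parameter(Mandatory)] [string] $Server       # any DC; metadata is replicated everywhere
    )
    # isDeleted is stamped once, by the DC that processed the delete, so its
    # originating DSA and originating time point straight at the right log.
    $meta = Get-ADReplicationAttributeMetadata -Server $Server `
        -Object $ObjectGuid.ToString() -IncludeDeletedObjects |
        Where-Object { $_.AttributeName -eq 'isDeleted' }
    if (-not $meta) { throw "No isDeleted metadata for $ObjectGuid on $Server" }

    # The DSA identity is a DN such as "CN=NTDS Settings,CN=DC01,CN=Servers,...";
    # the second RDN is the DC's name (assumption: standard DSA naming).
    $dcName = if ($meta.LastOriginatingChangeDirectoryServerIdentity -match 'CN=NTDS Settings,CN=([^,]+)') {
        $Matches[1]
    } else {
        $meta.LastOriginatingChangeDirectoryServerIdentity
    }

    [pscustomobject]@{
        OriginatingDC = $dcName
        DeletedAt     = $meta.LastOriginatingChangeTime   # UTC-based timestamp from the metadata
        Version       = $meta.Version
    }
}

function Find-DeletionEvents {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,  # originating DC from Get-DeletionOrigin
        [Parameter(Mandatory)] [datetime] $Around,        # originating change time
        [int] $WindowMinutes = 5                          # constructed default; widen if clocks drift
    )
    # Event 5141 is logged per deleted object; a tree delete of an OU produces
    # one for the OU itself (TreeDelete = yes) and one for each child.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5141
        StartTime = $Around.AddMinutes(-$WindowMinutes)
        EndTime   = $Around.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of
        # scraping the localized message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Subject    = "{0}\{1}" -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectDN   = $data['ObjectDN']
            Class      = $data['ObjectClass']
            TreeDelete = $data['TreeDelete']
        }
    }
}

# Constructed sample run: GUID of the OU that came back from the restore.
$origin = Get-DeletionOrigin -ObjectGuid '11111111-2222-3333-4444-555555555555' -Server 'dc01.318.com'
$origin | Format-List
Find-DeletionEvents -ComputerName $origin.OriginatingDC -Around $origin.DeletedAt |
    Sort-Object Time | Format-Table -AutoSize
```

The metadata is authoritative for which DC and when; the Security log is what turns that into a user name, so if the originating DC's log has already rolled over, the 5141 events are gone and the metadata is all you have. Keeping Directory Service Changes auditing on and the Security log sized for weeks rather than hours is the difference between answering this question and guessing among 6-7 people.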