How do I restore a deleted Exchange 2007 user? or A funny thing happened on the way to a reconnect?

This post is the result of an experience one of my clients had.  I hope it helps other Exchange 2007 SP1 users.

Here is the scenario, a loyal administrator somewhere deletes Robert Smith when they meant to delete Roberta Smith.  It could also be that someone was confused by the ‘newspeak’ in the Exchange Management Console (EMC) and did not realize that ‘Remove’ equates to ‘Delete User’ not to ‘Remove Exchange Attributes’ under ‘Exchange Tasks…’ in the 2000/2003 Exchange extended ADUC and deleted the user object by mistake.  The conflicting terminology is another subject I will pass over here.

Your phone rings.  Easy right?  Just put it all back the way it was.  Well, it is a little more complicated than that.  Let’s get started…

If you have Exchange 2007 installed with the defaults, Robert’s mailbox is safe for the moment and should remain in the exchange database for 30 days.

The only short-term consequence is that new mail to Robert is getting NDRs, because he no longer exists in either Exchange or Active Directory.

So, the first task is to get Robert back into Active Directory.  If you are running AD 2003, this is most easily accomplished using the ADRestore utility written by Mark Russinovich.  Originally a Winternals tool, it has been available free from Microsoft since Microsoft purchased Winternals.

From a command prompt, on a DC run ADRestore to find the deleted account:

C:\>adrestore "smith, robert"

AdRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain deleted objects:
cn: Smith, Robert
DEL:5f9f2273-1302-4bbc-99b9-9aa6dd2ade6d
distinguishedName: CN=Smith\, Robert\0ADEL:5f9f2273-1302-4bbc-99b9-9aa6dd2ade6d,
CN=Deleted Objects,DC=pennic,DC=com
lastKnownParent: CN=Users,DC=pennic,DC=com
Found 1 item matching search criteria.

Now that you have found the deleted account, rerun the command with the -r option and restore it:

C:\>adrestore "smith, robert" -r

AdRestore v1.1
by Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain deleted objects:
cn: Smith, Robert
DEL:5f9f2273-1302-4bbc-99b9-9aa6dd2ade6d
distinguishedName: CN=Smith\, Robert\0ADEL:5f9f2273-1302-4bbc-99b9-9aa6dd2ade6d,
CN=Deleted Objects,DC=pennic,DC=com
lastKnownParent: CN=Users,DC=pennic,DC=com

Do you want to restore this object (y/n)? y

Restore succeeded.

Found 1 item matching search criteria.

The AD account is restored, but it is not 100%.  The important thing is that the account has the same SID and GUID, so every Active Directory function that relies on those will still work.  Three aspects of the pre-deletion account, however, are missing, and one is different:

  1. The user is no longer mail-enabled or mailbox-enabled.  There are some artifacts, in that the attributes ms-ExchMailboxGuid, legacyExchangeDN, and ms-ExchHomeServer are still set.  Nonetheless, Robert is just a normal user.
  2. The user is no longer a member of any groups except Domain Users.  AD group membership actually lives in the ‘group’ object(s); the user’s memberOf attribute is a back-link populated from those memberships.  When the account was deleted, Active Directory removed the user from each group, so the restored user’s memberOf attribute is empty.
  3. If the user had a primary group other than Domain Users, that has also been lost and must be set again after the user is added back to the appropriate group.
  4. The account is disabled.

Items 2 and 3 must be repaired manually and can be done easily with ADUC, although, depending on the complexity of your environment, you may need to do some sleuthing to determine the proper group memberships.  Microsoft KB840001 discusses the complexity involved in group membership recovery.

Item 4 is simple.  Enable the user before proceeding.
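As an added example (not part of the original post), the script below checks a restored account for the four gaps listed above.  It uses System.DirectoryServices directly so it runs in the PowerShell 1.0 that ships with Exchange 2007, and the logon name rsmith is an assumption standing in for "Smith, Robert".

```powershell
# Added example: audit an ADRestore'd user for the four post-restore gaps.
# Assumes it is run on a domain member with rights to read the user object.
param([string]$SamAccountName = "rsmith")   # assumed logon name for "Smith, Robert"

$root     = New-Object System.DirectoryServices.DirectoryEntry   # current domain's default naming context
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$null = $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "userAccountControl",
        "memberOf", "primaryGroupID", "homeMDB", "mailNickname", "msExchMailboxGuid"))

$result = $searcher.FindOne()
if ($result -eq $null) { throw "User '$SamAccountName' not found. Run ADRestore first." }
$p = $result.Properties            # property names are returned lower-cased
$findings = @()

# Item 1: a mailbox-enabled user carries homeMDB and mailNickname; leftover
# msExchMailboxGuid alone does not make the account mailbox-enabled.
if (-not $p.Contains("homemdb") -or -not $p.Contains("mailnickname")) {
    $leftover = $p.Contains("msexchmailboxguid")
    $findings += "Not mailbox-enabled (leftover msExchMailboxGuid present: $leftover)"
}

# Item 2: memberOf is a back-link, so an empty list means no group memberships survived.
if (-not $p.Contains("memberof") -or $p["memberof"].Count -eq 0) {
    $findings += "No group memberships (memberOf is empty)"
}

# Item 3: primaryGroupID 513 is the well-known RID of Domain Users.
if ($p["primarygroupid"][0] -ne 513) {
    $findings += "Primary group RID is $($p['primarygroupid'][0]), not Domain Users (513)"
}

# Item 4: ACCOUNTDISABLE is bit 0x2 of userAccountControl.
if (($p["useraccountcontrol"][0] -band 0x2) -ne 0) {
    $findings += "Account is disabled (userAccountControl has ACCOUNTDISABLE set)"
}

"Checked: $($p['distinguishedname'][0])"
if ($findings.Count -eq 0) { "No post-restore gaps detected." } else { $findings }
```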

Item 1 should be easy too.  That mailbox is still there.  You just need to open the EMC, browse to the Recipient Configuration container, select the Disconnected Mailbox item, select the correct server, refresh the screen, select Robert’s mailbox, and reconnect it.  Oops, this is where the problem starts.  It is not there?  Why?

My testing indicates that as of E2K7 SP1, only users deleted ( ‘removed’ — remember that terminology stuff ) using the EMC appear immediately in the EMC as Disconnected Mailboxes.  A user deleted in ADUC, whether extended with the Exchange 2003 ESM or native, does not appear.  Also, even a user deleted using the EMC may ‘disappear’ soon after the account is restored using ADRestore.  I can only speculate on what is going on, but a disconnected mailbox that appears in the EMC has the DisconnectDate attribute set, and one that does not appear does not.  The EMC must set the attribute; ADUC does not.  Also, restoring the user object previously associated with the mailbox appears to clear the attribute.

In any case, all the mailboxes will appear as disconnected ‘later’ — as in the next day.  The once-a-day database maintenance activity will identify mailboxes that do not have a corresponding AD account and set the DisconnectDate.

This process can be started manually using the ‘Clean-MailboxDatabase’ cmdlet (analogous to ‘Run Cleanup Agent’ in the 2003 ESM).  If your organization has a lot of servers and mailbox databases, this can take a while unless you know which database the mailbox is in.

So much for conjecture.  If the mailbox is not exposed in the EMC and mail to Robert is still getting NDRs, how do you get it back?

There are two options:

First, try the easy way — if you know what database the mailbox is in, fire up the Exchange Management Shell (EMS) and enter the following:

[PS] C:\>clean-mailboxdatabase <Mailbox Database Name>

Check the disconnected mailbox display in the EMC.  If the mailbox is exposed, use the EMC to reconnect it.  You are done.

If not, do the harder way — in the EMS enter the following:

[PS] C:\>get-mailboxdatabase | get-mailboxstatistics | select Displayname,DisconnectDate,mailboxguid,database

This will give you a list of all user mailboxes with their GUIDs and databases.  If you have 20 users this will be a usable list; if you have 20,000, it will not.

You can pipe the output to a file:

[PS] C:\>get-mailboxdatabase | get-mailboxstatistics | select Displayname,DisconnectDate,mailboxguid,database >> c:\MyOutput.txt

Or filter on an attribute like display name to make it more manageable:

[PS] C:\>get-mailboxdatabase | get-mailboxstatistics | where {$_.Displayname -eq "Smith, Robert"} | select Displayname,mailboxguid,database

DisplayName      MailboxGuid                           Database
-----------      -----------                           --------
Smith, Robert    b61027c3-78ac-4b12-963d-c97f3fb30ed4  gemini-mbx\SG01\MBX01

Now you have the mailboxGUID of the disconnected mailbox and you know the database it is in (note: gemini-mbx is the virtual server on my SCC cluster).  You can now do the easy option since you know the database that contains the mailbox, or you can just connect it in the EMS.

To reconnect it:

[PS] C:\>connect-mailbox -database gemini-mbx.pennic.com\mbx01 -identity b61027c3-78ac-4b12-963d-c97f3fb30ed4 -user "Smith, Robert"
WARNING: The operation completed successfully but the change will not become effective until Active Directory replication occurs.

(Note: you must be specific enough to uniquely qualify the mailbox database. If all the databases were mbx01 then I would need to include the storage group.  Just one case, among many, for naming all mailbox databases in your organization uniquely.)

And you are done!

The reconnect mailbox-enabled the user account.  RUS will re-stamp the email addresses from email policy.
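The two options above combined into one EMS script, as an added example that is not from the original post: it locates the mailbox by display name across every database, runs Clean-MailboxDatabase on just that database if DisconnectDate is not yet stamped, and reconnects with a fully qualified database identity.  The display name "Smith, Robert" and the account pennic\rsmith are assumptions.

```powershell
# Added example: find and reconnect a deleted user's mailbox from the Exchange 2007 Management Shell.
# Assumes the AD account has already been restored (ADRestore) and enabled.
$displayName = "Smith, Robert"     # assumed, matches the post's scenario
$userAccount = "pennic\rsmith"     # assumed logon name of the restored AD account

# 1. Search every mailbox database. A mailbox whose AD account was deleted in ADUC may
#    still have DisconnectDate unset, so do not filter on DisconnectDate here.
$stats = @(Get-MailboxDatabase | Get-MailboxStatistics |
           Where-Object { $_.DisplayName -eq $displayName })
if ($stats.Count -eq 0) { throw "No mailbox named '$displayName' found in any database." }
if ($stats.Count -gt 1) { throw "Ambiguous: $($stats.Count) mailboxes are named '$displayName'." }
$mbx = $stats[0]

# 2. Safety check: refuse to touch a mailbox that is still attached to a live AD user.
$owner = Get-Mailbox -Identity $mbx.MailboxGuid.ToString() -ErrorAction SilentlyContinue
if ($owner -ne $null) { throw "Mailbox $($mbx.MailboxGuid) is still connected to $($owner.Identity)." }

# 3. If the cleanup agent has not stamped DisconnectDate yet, run it for this one database
#    (cheap, because we now know which database holds the mailbox) and re-read the statistics.
if ($mbx.DisconnectDate -eq $null) {
    Clean-MailboxDatabase -Identity $mbx.Database
    $mbx = Get-MailboxStatistics -Database $mbx.Database |
           Where-Object { $_.MailboxGuid -eq $mbx.MailboxGuid }
}
"Mailbox $($mbx.MailboxGuid) in $($mbx.Database); DisconnectDate = $($mbx.DisconnectDate)"

# 4. Reconnect. $mbx.Database is the full server\storage group\database identity, which
#    sidesteps the ambiguity the post warns about when several databases share a name.
Connect-Mailbox -Identity $mbx.MailboxGuid.ToString() -Database $mbx.Database -User $userAccount

# 5. Confirm the account is mailbox-enabled again (address re-stamping follows AD replication).
Get-Mailbox -Identity $userAccount | Format-List DisplayName, Database, RecipientTypeDetails
```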

Wait for replication in AD and the mailbox should be useable.

Don’t forget, you still need to fix those group memberships.

Then you can sit back and wait for that phone to ring again.  It won’t be long, you are an Exchange Administrator.

Nick

4 Responses to “How do I restore a deleted Exchange 2007 user? or A funny thing happened on the way to a reconnect?”


  • That’s interesting and helpful…but my real problem is that I have a desktop team that deletes users BEFORE I have a chance to remove their mailbox.

    So, I have a user in the EMC (exchange 2007) that has NO AD User. Therefore, I’m left with a dilemma: 1) How do you identify users that exist in the EMC but not in Active Directory? 2) How do you get rid of them?

  • The command:

    C:\>get-mailboxdatabase | get-mailboxstatistics | select Displayname,DisconnectDate,mailboxguid,database

    Works, but I don’t see the person listed… So am I SoL?

  • Just wanted to say thanks for this! I found it very helpful.

  • ADRestore allowed me to restore 2 accounts from AD. I used the get-mailboxdatabase from the Exchange Shell and was able to see the disconnected mailboxes. I connected and users were back to normal in less than 15 min after the mistake performed by another admin.

    THANKS FOR SHARING!! YOU SAVED ME!
