20

I'm working from a Windows 7 workstation, with PowerShell v2.0, and trying to delete a particular (orphaned?) object from the LostAndFound container in a 2008 R2 FL forest and domain with the Active Directory Recycle Bin enabled, and having no luck with anything.

Importantly, I need to delete this object, and this object only (rather than deleting every object with the IsDeleted property, which seems to be all I can find help on).

I need to delete it, because in order to resolve a broken trust relationship, the computer was disjoined from the domain (presumably causing the object to go to the Recycle Bin, and then to the LostAndFound container), and we'd like to give it its original name back (which is based on the asset tag number on the PC). Attempts to rejoin the computer to the domain with the correct name failed with the below error message (The specified account does not exist)

enter image description here

and attempting to rename it to the correct name once it's already on the domain fails with the below error message (The account already exists)

enter image description here

so the actual PC is currently sitting there with an incorrect name, which I need to rectify.

However, attempting to delete this AD object yields the error: The specified account does not exist. The distinguished name of the object has a \ (backslash) character in it, which I assume is due to it being in the LostAndFound container, and I'm wondering if that's the problem... and how to fix it. I'm running my shell as a domain admin, verified that domain admins group has full control and ownership of the object in question, and just can't seem to figure this one out.

The object in question (somewhat redacted):

Get-ADObject "CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects -Properties *

accountExpires                  : 9223372036854775807
CanonicalName                   : MyEmployer.prv/LostAndFound/SomeComputer
                                  DEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6
CN                              : SomeComputer
                                  DEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6
codePage                        : 0
countryCode                     : 0
Created                         : 12/7/2012 9:25:30 PM
createTimeStamp                 : 12/7/2012 9:25:30 PM
Deleted                         :
Description                     : HP6300
DisplayName                     :
DistinguishedName               : CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=
                                  prv
dNSHostName                     : SomeComputer.MyEmployer.prv
dSCorePropagationData           : {5/21/2014 1:40:31 PM, 12/31/1600 7:00:00 PM}
instanceType                    : 4
isCriticalSystemObject          : False
isDeleted                       :
LastKnownParent                 : OU=Workstations,OU=Computers,OU=One of Our Sites,DC=MyEmployer,DC=prv
lastLogonTimestamp              : 130451668084269817
localPolicyFlags                : 0
memberOf                        : {CN=PCMilerComputers,DC=MyEmployer,DC=prv}
Modified                        : 5/21/2014 1:40:54 PM
modifyTimeStamp                 : 5/21/2014 1:40:54 PM
msDS-LastKnownRDN               : SomeComputer
Name                            : SomeComputer
                                  DEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  :
ObjectClass                     : computer
ObjectGUID                      : 90a13eaa-c7b0-4258-bebb-87b7aed39ec6
objectSid                       : S-1-5-21-1708945318-605057401-313073093-5882480
operatingSystem                 : Windows 7 Enterprise
operatingSystemServicePack      : Service Pack 1
operatingSystemVersion          : 6.1 (7601)
primaryGroupID                  : 515
ProtectedFromAccidentalDeletion : False
pwdLastSet                      : 130451667147545072
sAMAccountName                  : SomeComputer$
sDRightsEffective               : 15
servicePrincipalName            : {HOST/SomeComputer, HOST/SomeComputer.MyEmployer.prv}
userAccountControl              : 4096
userCertificate                 : [Not included]
uSNChanged                      : 54007434
uSNCreated                      : 5004556
whenChanged                     : 5/21/2014 1:40:44 PM
whenCreated                     : 12/7/2012 9:25:30 PM

Nothing I've tried seems to work, and I've tried a lot. On that note, what I've tried, below.

First, with a plain, one line PowerShell cmdlet:

Get-ADObject "CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target
"CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Remove-ADObject : The specified account does not exist
At line:1 char:145
+ Get-ADObject "CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject <<<<
    + CategoryInfo          : NotSpecified: (CN=SomeComputer\0ADE...MyEmployer,DC=prv:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : The specified account does not exist,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject

Then, the same thing, referencing the GUID instead.

Get-ADObject "90a13eaa-c7b0-4258-bebb-87b7aed39ec6"  -IncludeDeletdObjects | Remove-ADObject

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target
"CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Remove-ADObject : The specified account does not exist
At line:1 char:94
+ Get-ADObject "90a13eaa-c7b0-4258-bebb-87b7aed39ec6"  -IncludeDeletedObjects | Remove-ADObject <<<<
    + CategoryInfo          : NotSpecified: (CN=SomeComputer\0ADE...MyEmployer,DC=prv:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : The specified account does not exist,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject

Then, reading the value into a variable first. (Tried with both GUID and DN, only showing one, as they yield the same error).

$blah = "90a13eaa-c7b0-4258-bebb-87b7aed39ec6"
Get-ADObject $blah -IncludeDeletedObjects | Remove-ADObject

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target
"CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
Remove-ADObject : The specified account does not exist
At line:1 char:60
+ Get-ADObject $blah -IncludeDeletedObjects | Remove-ADObject <<<<
    + CategoryInfo          : NotSpecified: (CN=SomeComputer\0ADE...MyEmployer,DC=prv:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : The specified account does not exist,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject

Then I figured I could live with having to call DSRM instead of doing it natively.

dsrm "CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=Lost
AndFound,DC=MyEmployer,DC=prv"

Are you sure you wish to delete CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv
 (Y/N)? y
dsrm failed:CN=SomeComputer\0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv:The specified account does not exist.

Then I said to hell with making it automatable, I'll just right-click and delete it through ADSIedit.

enter image description here

So, finally, I'm swallowing my pride and asking here. How the hell do I get rid of this damn object? It clearly exists, and its existence is causing problems, yet all my attempts to delete it from Active Directory are met with lies, damned lies and error messages.

Update:

Other things that haven't worked, based on comments, suggestions and discussions with ServerFaulters:

Escaping the 0, as if the \0 represents a null byte.

Get-ADObject "CN=SomeComputer`0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject

Get-ADObject : No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest
At line:1 char:13
+ Get-ADObject <<<<  "CN=SomeComputer`0ADEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -Includ
eDeletedObjects | Remove-ADObject
    + CategoryInfo          : NotSpecified: (CN=SomeComputer ADEL...MyEmployer,DC=prv:ADObject) [Get-ADObject], ADException
    + FullyQualifiedErrorId : No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest,Microsoft.ActiveDirectory.Management.Commands.GetADObject

Escaping the whole \0A, as if it was a carriage return or new line, as in DOS (tried with `n, `r, `n`r and `r`n). All returned the same error, so only shown once.

Get-ADObject "SomeComputer`n`rDEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject

Get-ADObject : The object name has bad syntax
At line:1 char:13
+ Get-ADObject <<<<  "CN=SomeComputer`n`rDEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject
    + CategoryInfo          : NotSpecified: (CN=SomeComputer
DEL...MyEmployer,DC=prv:ADObject) [Get-ADObject], ADException
    + FullyQualifiedErrorId : The object name has bad syntax,Microsoft.ActiveDirectory.Management.Commands.GetADObject

Escaping the \0A as a form feed (yeah, getting a bit desperate).

Get-ADObject "CN=SomeComputer`fDEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject

Get-ADObject : Directory object not found
At line:1 char:13
+ Get-ADObject <<<<  "CN=SomeComputer`fDEL:90a13eaa-c7b0-4258-bebb-87b7aed39ec6,CN=LostAndFound,DC=MyEmployer,DC=prv" -IncludeDeletedObjects | Remove-ADObject
    + CategoryInfo          : ObjectNotFound: (CN=SomeComputer♀DEL:...MyEmployer,DC=prv:ADObject) [Get-ADObject], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Directory object not found,Microsoft.ActiveDirectory.Management.Commands.GetADObject

Then I figured I should determine if the \0A character was even the problem, so I picked a different object I didn't care about in the AD Recycle Bin with the \0A string in it and tried to blow it away. It worked.

Get-ADObject -Filter { Name -Like '*DEL:*' } -IncludeDeletedObjects | Remove-ADObject

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target "CN=SomeServer-SomeJackass HP LaserJet 1320
PS\0ADEL:eddb23e7-b8d8-4d00-801f-22d82c169d66,CN=Deleted Objects,DC=MyEmployer,DC=prv".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target "CN=SomeServer-SomeJackass HP LaserJet 1320 PCL
5e\0ADEL:6e72e78f-f110-492c-ad50-91107f6fbd6a,CN=Deleted Objects,DC=MyEmployer,DC=prv".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
  • 4
    Questions on Server Fault must demonstrate a minimum understanding of the technology in question. **Otherwise, the post often turns into a discussion forum**, instead of straight Q&A. The best advice we can give you is to hire a consultant to help you out or do further research on the basics of this technology. – TheCleaner May 23 '14 at 18:24
  • Does `$C = Get-ADObject -Filter { Name -Like '*DEL:*' }` return only your orphan? If so, do `Remove-ADObject -Identity $C.DistinguishedName` That `\0` is a null terminator. – Ryan Ries May 23 '14 at 18:29
  • @RyanRies It does return only my object, but running that also returns the same `The specified account does not exist` error. For what it's worth, I've also tried treating the `\0` as a null byte (and escaping it), as well as treating the `\A0` as a carriage return/line break (as it is in DOS), also with no joy. Various attempts at guessing and escaping the `\A0` characters have been met with `The object name has bad syntax` and `Directory object not found`. :( – HopelessN00b May 23 '14 at 18:37
  • Bummer... I use that technique on conflict resolution objects (`'*CNF:*'`) all the time and it works perfectly. – Ryan Ries May 23 '14 at 18:40

3 Answers3

3

According to the Microsoft support engineer I spoke with... and the Microsoft engineer he escalated me to... and their manager, the short answer is that the only way to rid myself of this cursed object is to do an authoritative restore to before this object's appearance in the LostAndFound container. I'm convinced I could also rid myself of it by booting all the domain controllers to LiveCDs and manually editing the AD database, but short of those two non-options, I'm stuck with it.

As to how and why this is the case:

We ran a repadmin /showobjmeta against the object (to peek into its metadata) and were able to determine from the object's isDeleted version (2) that it was deleted, then unexpectedly and unsuccessfully/partially restored, which is what is causing the problem. It was suggested, and seems likely to me, that after the object was restored, but before the change had completely replicated, it was deleted again, along with its parent OU, causing the restore to fail, and resulting in it being considered an orphaned object by at least some of our domain controllers, landing it in the LostAndFound container.

As a result of the partial restore, it cannot be restored. As a result of the object's SAMAccountType being empty, it cannot be deleted (or modified).

The SAMAccountType attribute is a value that cannot be changed by any user, and attempting to do so throws the below error:

enter image description here

Operation failed. Error code: 0x209a
Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).

0000209A: SvcErr: DSID-031A1021, problem 5003
(WILL_NOT_PERFORM), data 0

We can't restore the object to get the system (Security Accounts Manager) to set this attribute because of the partially-restored state it's in, and we can't delete it (or modify it) without a valid value for that attribute.

However, since this is too interesting of a case for me to simply walk away from, I'm going to poke around for a while and see if I can't come up with a way around this, or at least expand my knowledge of AD a little bit more in the attempt. Beats troubleshooting printers... and frankly, it turns out that a computer telling me "WILL_NOT_PERFORM" is a challenge I cannot resist.

Oh yes you will perform, dammit!

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
1

Based on this post, you may have to attempt deleting the object on specific domain controllers. You might try running your Get-ADObject with the -Server parameter in order to determine if the object is limited to specific DCs. Then I'd do the same with the Remove-ADObject.

Tim Ferrill
  • 428
  • 4
  • 8
  • That doesn't seem to be the problem, as both the DCs at my site do contain the object, and replication is humming a long properly, but it never hurts to do a thorough `repadmin` diagnostic (which I've been running since losing hope of it being a problem with the object name), so good answer... just not likely to be the answer here. When the diags complete, I'll update my post. – HopelessN00b May 23 '14 at 19:12
  • Seemed like a reasonable troubleshooting step anyway. Thanks for the up-vote. – Tim Ferrill May 23 '14 at 19:16
0

I have an idea that just might work, it might seem a bit simple or out of the ordinary, but if I remember correctly this has worked for me in the past with orphaned accounts. If you can determine the exact account name, the system you are working on is looking for, be it a user account or PC/Server account, try to temporarily create an account of the same type and the same name. So you are essentially filling in the blanks, so to speak and giving the system exactly what it wants.

So if it is a PC/server account, have a machine joined back to the domain with the exact name it is looking for, but only for the purpose of creating the account. Or if it is a user account recreate the user account with the exact same name,etc. you might need to run the command gpupdate /f in the command prompt to get the server to reconnect the newly recreated account with the orphaned OU.

Then proceed with trying to delete the orphaned OU you originally wanted to delete. Once you get the OU cleaned up, you can then delete account you created for this task.

I hope this helps you out cheers

Frank R
  • 141
  • 3