So this happened - disgruntled employee - deleting a bunch of users...

Discussion in 'Business & Enterprise Computing' started by NSanity, May 20, 2013.

  1. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,412
    Location:
    Canberra
    So we wake up this morning to a disgruntled ex-employee who has decided to delete a third of all the AD objects on a client's server.

    Was it an accident? Well, if you clear the logs 60-90 seconds after the objects were deleted - yeah, well then no. It's a pity our remote access app logs you and your IP. Exchange logs you. AD Recycle Bin also logs you.

    Hope you figured out a new career path - because you'll never ever work in IT again. The Police will be involved shortly; I hope you enjoy being persecuted to the full extent of the law.

    For those interested in how to restore... (Requires 2008 R2 domain/forest functional level, AD Recycle Bin turned on.)

    Find the deleted items – using Administrator-elevated AD PowerShell (in the Administrative Tools panel)

    Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "user" } -IncludeDeletedObjects | Format-Table -Property * -AutoSize | Out-String -Width 4096 | Out-File C:\deleted_items.txt

    What we care about is the DN (DistinguishedName) of the objects... In our case whenChanged was only visible from LDP.exe

    Now, to make Exchange happy - find your DC'd mailboxes.

    Get-ExchangeServer | Get-MailboxStatistics | Where-Object { $_.DisconnectDate -ne $null } | Select-Object DisplayName, DisconnectDate

    We care about the DisplayName in this one

    Now to restore it

    Get-ADObject -Identity "DistinguishedName" -IncludeDeletedObjects | Restore-ADObject -NewName "DisplayName"

    (obviously you need to change DistinguishedName and DisplayName to the appropriate values)

    You now have the object back in AD. Unfortunately though, I think our current culprit pruned them from the Exchange Management Console, which will disable the account, then remove the mailbox (mark it for deletion).

    So you will now need to;

    1. Change the DisplayName in AD Users and Computers (remember, you need to use the EXACT DisplayName from Exchange, otherwise it will not find it).
    2. Add a "normal login" to go alongside the Pre-Windows 2000 login – for use I just used firstname, set the group to @contoso.local
    3. Re-enable the account.
    4. In the EMC (GUI is better because it finds the DC'd mailboxes, and will fill in the GUID of the mailbox) – list Disconnected Mailboxes under Recipient Configuration, hit Connect on the user, pick User Mailbox, Find Existing (I think; it's definitely the first option), type in an Alias (use the sAMAccountName), hit Next, then Finish.
    5. If there are mail flow options or AD groups (or basically any other settings) you will need to put them back – this includes the SBS login script. Not sure if it needs folders remapping – but the security should be fine as the user is the exact same as far as Active Directory is concerned.
     
    Last edited: May 20, 2013
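The procedure above, scripted end to end as an added example (this is not code from the original post). It does three things the post does by hand: dumps the deleted user objects with the attributes a Recycle Bin tombstone still carries (deletion time, original container, original name), pulls the log-clear events that survive an attempt to wipe the trail so they can be lined up against those deletion times, and restores each object and reconnects its mailbox with a dry run first. Assumptions: the AD Recycle Bin is enabled, it runs in an elevated Exchange Management Shell on (or with event log access to) the domain controller with the ActiveDirectory module installed, `Get-MailboxServer` is used where the post used `Get-ExchangeServer`, `Connect-Mailbox` stands in for the EMC "Connect" action in step 4, and `$UpnSuffix` is a placeholder for the suffix chosen in step 2.

```powershell
# Added example, not code from the original post. Assumptions: AD Recycle Bin
# is enabled (2008 R2 forest functional level), this runs in an elevated Exchange
# Management Shell with the ActiveDirectory module installed and can read the
# domain controller's event logs, and $UpnSuffix is a placeholder.
Import-Module ActiveDirectory

$UpnSuffix = 'contoso.local'   # placeholder: the UPN suffix chosen in step 2 above
$DryRun    = $true             # set to $false once the printed plan looks right

# 1. Deleted user objects. With the Recycle Bin on, a deleted object keeps
#    whenChanged (the deletion time), its original parent container and its
#    original RDN, so the restore target can be checked before anything moves.
#    Computer objects are also objectClass=user, so exclude the trailing '$'.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -notlike '*$' } `
    -IncludeDeletedObjects `
    -Properties whenChanged, displayName, sAMAccountName, lastKnownParent, 'msDS-LastKnownRDN' |
    Sort-Object whenChanged

# 2. Who cleared the logs, and when. Clearing the Security log writes event 1102
#    (clearing the System log writes 104) as the first entry of the fresh log,
#    so these timestamps line up against whenChanged of the deleted objects.
$dc = (Get-ADDomainController).HostName
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Disconnected mailboxes. DisplayName is the join key the post relies on, so
#    the comparison is exact and a missing or duplicate match is reported.
$disconnected = Get-MailboxServer | Get-MailboxStatistics |
    Where-Object { $_.DisconnectDate -ne $null }

# 4. Restore, repair the login attributes, re-enable, reconnect the mailbox.
#    Connect-Mailbox is the shell form of the EMC "Connect" action in step 4 above.
foreach ($obj in $deleted) {
    $mbx = @()
    if ($obj.displayName) {
        $mbx = @($disconnected | Where-Object { $_.DisplayName -eq $obj.displayName })
    }
    Write-Host ('{0:u}  {1}  ->  {2}  (mailboxes matched: {3})' -f `
        $obj.whenChanged, $obj.'msDS-LastKnownRDN', $obj.lastKnownParent, $mbx.Count)

    if ($mbx.Count -ne 1) {
        Write-Warning "No unique disconnected mailbox for '$($obj.displayName)'; restoring AD object only"
    }
    if ($DryRun) { continue }

    # Without -NewName the original RDN is kept and the object returns to lastKnownParent.
    Restore-ADObject -Identity $obj.ObjectGUID -ErrorAction Stop

    # objectGUID is unchanged by delete and restore, so it is the safe handle here.
    Set-ADUser -Identity $obj.ObjectGUID `
        -UserPrincipalName "$($obj.sAMAccountName)@$UpnSuffix" `
        -Enabled $true

    if ($mbx.Count -eq 1) {
        # Exact DisplayName from Exchange, as step 1 above requires.
        Set-ADUser -Identity $obj.ObjectGUID -DisplayName $mbx[0].DisplayName
        Connect-Mailbox -Identity $mbx[0].MailboxGuid `
            -Database $mbx[0].Database `
            -User $obj.ObjectGUID `
            -Alias $obj.sAMAccountName
    }
}
```

Run it once with `$DryRun = $true`: the printed plan lists each object's deletion time, original name and destination container next to the 1102/104 timestamps, which is the evidence you want preserved (exported, not just on screen) before anything is written back. Flip to `$false` for the real restore; anything that does not match exactly one disconnected mailbox is restored in AD only and flagged for the manual EMC reconnect described above.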
  2. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,121
    Location:
    Rocky
    So you've had a fun start to the day :p Not sure how people think they can do this and not have it completely blow up in their faces...



    Also, we like to think that people will be persecuted to the fullest extent of the law, but unfortunately they're only prosecuted :(
     
  3. kombiman

    kombiman Dis-Member

    Joined:
    Dec 3, 2006
    Messages:
    11,466
    Location:
    viva brisvegas
    Out of interest what is the likelihood of Police being interested, of conviction and if convicted what penalty?
     
  4. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,997
    Location:
    Brisbane
    I guarantee you they'll be in a similar role within 6 months. I've seen it happen so many times, and it frustrates the hell out of me.
     
  5. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,121
    Location:
    Rocky
    Something like 'unlawful use of, modification to or impairment of a computer system' I would imagine.
     
  6. EMupp

    EMupp Member

    Joined:
    Dec 5, 2008
    Messages:
    1,462
    Damnit, I wanted to say that :p
     
  7. whitewolfx

    whitewolfx Member

    Joined:
    Sep 26, 2012
    Messages:
    214
    Every time i hear about these kinds of things happening, it shocks me. It makes me wonder what those people consider "professional".
     
  8. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    6,563
    Location:
    Briz Vegas
    Last century when I was programming I worked with a guy that was being sued for embezzlement, he had hacked a General Ledger code of a company and had dodgy $2 shelf companies invoicing the main company for years, was in the 100,000's.

    So while all this was happening he was employed as a contractor to program financial systems else where, with full knowledge on what he had done previously... WTF!
     
  9. EMupp

    EMupp Member

    Joined:
    Dec 5, 2008
    Messages:
    1,462
    Hah, look at you with your faith in humanity.
     
  10. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    6,533
    Location:
    Brisbane
    Daymn what a pain..
    So the "ex" employee still had access to a Domain Admin login, post or pre his "ex"ness.. :confused:

    Also, Which remote access app?
     
  11. resr

    resr Member

    Joined:
    May 18, 2004
    Messages:
    247
    Do you think IT needs a professional association or institute? I'm aware of SAGE-Au and a few other ones around the traps, but IT would have nowhere near the take up of other professions. I did a bit of town planning at uni and the PIA was spruiked pretty heavily. I have vague memories of an institute being talked about when I was studying engineering too.

    The number of 'tards in IT is demoralising at times.
     
  12. NSanity (OP)

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,412
    Location:
    Canberra
    He was in limbo. Made motions about leaving in a pretty clear way, but paperwork hadn't been sorted out. To the letter, he was still an employee.

    Teamviewer.

    It's all logged (session reports, IP, etc).
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    12,695
    Think yourself lucky that he was a badmin, rather than a proper disgruntled admin, who might have done some real damage to the system on his way out.

    Thanks for the informative post on how to fix it as well.
     
  14. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,821
    Location:
    melbourne
    God, dude must have been high. Really, what a complete nong.
     
  15. RyoSaeba

    RyoSaeba Member

    Joined:
    Sep 11, 2001
    Messages:
    12,279
    Location:
    Perth
    Couldn't you guys also have done an authoritative restore?
     
  16. Karlston

    Karlston Member

    Joined:
    Dec 27, 2001
    Messages:
    151
    Location:
    Cabarlah - SE Qld
    I thought persecution was against the law... :)
     
  17. RyoSaeba

    RyoSaeba Member

    Joined:
    Sep 11, 2001
    Messages:
    12,279
    Location:
    Perth
    I think it's still ok in tasmania. :lol:
     
  18. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,997
    Location:
    Brisbane
  19. vader

    vader Member

    Joined:
    Jan 25, 2003
    Messages:
    2,470
    Location:
    Bathurst; NSW
    Out here its a very small IT community.
    Word has travelled fast.
     
  20. CordlezToaster

    CordlezToaster Member

    Joined:
    Nov 3, 2006
    Messages:
    4,057
    Location:
    Melbourne
    Thanks for sharing the steps you took to rectify it :).
    Appreciate it.
     
