I mistakenly deleted a user account, and only that account has access to certain resources. Can I change another account's SID to the SID of the deleted account?
When an object (e.g., a user account) is created, the OS gives it a SID, which is stored in the objectSid attribute of the object. If you try to modify the attribute, even when running in the local system context, you receive the error message that Figure 1 shows.

Essentially, the SID is owned by the system, and a user can't change it to a particular value. The ability to do so would create a security vulnerability because changing the SID on an object could give it access rights that it shouldn't have.
If you have a system state backup, you can perform an authoritative restore of the deleted object, and the restored object will have its original SID. (For more information about authoritative restores, see the Web-exclusive article "How can I perform an authoritative restoration of Active Directory (AD) in Windows Server 2003?" December 2003, InstantDoc ID 41170.)
If no system state backup is available, and if the resource that you're trying to obtain access to is a file, an Administrator can take ownership of the file, then set whatever permissions are needed. If the item is an AD object or a service that uses AD, the Administrator can use the ADSIedit tool (which is part of the Windows 2000 and later support tools) to take ownership, then set access permissions.
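The file case above, worked through as an added example (not from the original article): take ownership as Administrators, grant yourself access, then clean the dead SID out of the ACL. It relies on takeown.exe and icacls.exe being present, and the path is an assumed value. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original article: recover access to a file whose
# DACL grants access only to a deleted account. Run elevated, as a member of
# Administrators. $Path is an assumed value.

$Path = 'C:\Data\report.xlsx'   # assumed: the file nobody can open any more

function Get-OrphanedAce {
    # Returns the ACEs whose trustee SID no longer resolves to an account name.
    # Get-Acl hands such trustees back as raw SecurityIdentifier objects
    # (S-1-5-21-...) instead of DOMAIN\User. That is what a deleted account
    # looks like in an ACL: the SID stays, only the name is gone.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
    }
}

# Step 1: take ownership. This works even when Administrators have no read
# access at all, because it uses SeTakeOwnershipPrivilege rather than the
# file's DACL. /A assigns ownership to the Administrators group.
takeown /F $Path /A | Out-Null

# Step 2: as owner, grant Administrators full control. /grant adds an ACE and
# leaves the existing entries, orphaned one included, in place.
icacls $Path /grant 'Administrators:F' | Out-Null

# Step 3: now that the DACL is readable, list the orphaned entries and remove
# them. icacls treats a trustee prefixed with '*' as a SID rather than a name.
foreach ($ace in Get-OrphanedAce -Path $Path) {
    $sid = $ace.IdentityReference.Value
    Write-Host "Removing orphaned ACE for $sid ($($ace.FileSystemRights), $($ace.AccessControlType))"
    icacls $Path /remove "*$sid" | Out-Null
}

# Final state: owner and a readable DACL with no dead SIDs.
Get-Acl -LiteralPath $Path | Format-List Owner, AccessToString
```

Step 3 is the part people skip: an ACE for a SID that no longer exists is harmless today, but if the same SID is ever reinstated (by the tombstone restore described later in the column, or by sIDHistory) it silently regains that access, so remove or knowingly keep it.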
If you deleted the account within the last 60 days, it's not actually gone from AD. Deleted objects are marked with a tombstone prior to removal from the directory to allow replication of their deleted state throughout the enterprise. The Sysinternals Adrestore utility, which you can download at http://www.sysinternals.com, will restore the tombstoned objects.
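What Adrestore does under the hood, as an added example that is not the article's or Sysinternals' code: find the tombstone in CN=Deleted Objects with the LDAP show-deleted control, check the forest's tombstone lifetime (the "60 days" above is that setting's Windows 2000/2003 default, so verify it), and reanimate the object with the single LDAP modify the directory service requires. It needs a Windows Server 2003 or later DC and rights on the Deleted Objects container (Domain Admins by default). The DC name and the sAMAccountName are assumed values.

```powershell
# Added example, not from the original article and not Adrestore's own code.
# Requires a Windows Server 2003+ DC; run as a Domain Admin. $Server and
# $SamAccount are assumed values.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'    # namespace prefix for New-Object

$Server     = 'dc01.example.com'   # assumed DC
$SamAccount = 'jsmith'             # assumed sAMAccountName of the deleted user

$conn = New-Object "$P.LdapConnection" $Server
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()                        # current Windows credentials

function Get-RootDseAttribute {
    # Reads a rootDSE attribute so naming contexts are not hard-coded.
    param($Conn, [string]$Name)
    $req = New-Object "$P.SearchRequest"
    $req.DistinguishedName = $null          # rootDSE
    $req.Filter = '(objectClass=*)'
    $req.Scope  = 'Base'
    [void]$req.Attributes.Add($Name)
    $Conn.SendRequest($req).Entries[0].Attributes[$Name][0]
}

function Get-TombstoneLifetimeDays {
    # The restore window is the forest's tombstoneLifetime. When the attribute
    # is unset the DS uses 60 days; forests created with Windows Server 2003 SP1
    # or later set it to 180. Check it instead of assuming 60.
    param($Conn, [string]$ConfigNC)
    $req = New-Object "$P.SearchRequest"
    $req.DistinguishedName = "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"
    $req.Filter = '(objectClass=*)'
    $req.Scope  = 'Base'
    [void]$req.Attributes.Add('tombstoneLifetime')
    $e = $Conn.SendRequest($req).Entries[0]
    if ($e.Attributes.Contains('tombstoneLifetime')) { [int]$e.Attributes['tombstoneLifetime'][0] } else { 60 }
}

function Find-Tombstone {
    # Deleted objects are hidden from ordinary searches; the LDAP_SERVER_SHOW_DELETED
    # control (ShowDeletedControl) tells the DC to return them.
    param($Conn, [string]$DomainNC, [string]$Sam)
    $req = New-Object "$P.SearchRequest"
    $req.DistinguishedName = "CN=Deleted Objects,$DomainNC"
    $req.Filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$Sam))"
    $req.Scope  = 'OneLevel'
    foreach ($a in 'distinguishedName', 'lastKnownParent', 'objectSid') { [void]$req.Attributes.Add($a) }
    [void]$req.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $Conn.SendRequest($req).Entries
}

function Restore-Tombstone {
    # Reanimation is one LDAP modify that removes isDeleted and sets a new
    # distinguishedName under lastKnownParent. Both changes must be in the same
    # request. The object keeps its objectSid; that is the whole point.
    param($Conn, $Entry)
    $deletedDn = $Entry.DistinguishedName
    $parent    = $Entry.Attributes['lastKnownParent'][0]
    # The tombstone RDN is the original RDN with "\0ADEL:<guid>" appended.
    $rdn   = $deletedDn.Substring(0, $deletedDn.IndexOf('\0ADEL:'))
    $newDn = "$rdn,$parent"

    $del = New-Object "$P.DirectoryAttributeModification"
    $del.Name = 'isDeleted'
    $del.Operation = 'Delete'
    $rep = New-Object "$P.DirectoryAttributeModification"
    $rep.Name = 'distinguishedName'
    $rep.Operation = 'Replace'
    [void]$rep.Add($newDn)

    $req = New-Object "$P.ModifyRequest"
    $req.DistinguishedName = $deletedDn
    [void]$req.Modifications.Add($del)
    [void]$req.Modifications.Add($rep)
    [void]$req.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $Conn.SendRequest($req) | Out-Null
    $newDn
}

$domainNC = Get-RootDseAttribute -Conn $conn -Name 'defaultNamingContext'
$configNC = Get-RootDseAttribute -Conn $conn -Name 'configurationNamingContext'
"Forest tombstoneLifetime: {0} days" -f (Get-TombstoneLifetimeDays -Conn $conn -ConfigNC $configNC)

$hits = @(Find-Tombstone -Conn $conn -DomainNC $domainNC -Sam $SamAccount)
if ($hits.Count -ne 1) { throw "Expected exactly one tombstone for $SamAccount, found $($hits.Count)" }
$sidBytes = $hits[0].Attributes['objectSid'].GetValues([byte[]])[0]
$sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
"Found tombstone $($hits[0].DistinguishedName) with SID $sid"

$restoredDn = Restore-Tombstone -Conn $conn -Entry $hits[0]
"Restored $restoredDn; it carries the original SID $sid"
# Only attributes the schema marks as preserved on delete survive the tombstone,
# so expect to re-enable the account, reset its password and re-add group memberships.
```

The reason the tombstone keeps its SID is the same reason you could not set objectSid by hand at the start of the column: the directory service owns that value end to end, and reanimation is the only path that hands it back without a restore from backup.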
—John Savill