Deep Recovery of Group Memberships in Active Directory

blog.payperitem.com,

If group memberships were lost after a restore, you may need advanced recovery techniques. Below are methods to deep recover group memberships, even if you don’t have a CSV backup or an Active Directory snapshot.

Scenario 1: Restore from Active Directory Database (NTDS.dit)

If you have a backup of the NTDS.dit file, you can extract group membership data from it.

Step 1: Locate the NTDS.dit Backup

  • If you have a full System State Backup, restore it to an isolated test environment.
  • If you don’t have a backup, check if your Shadow Copies still have an older NTDS.dit version: powershellCopyEditvssadmin list shadows

Step 2: Use DSAMAIN to Mount NTDS.dit

  1. Copy the NTDS.dit and registry SYSTEM hive to another location.
  2. Run: cmdCopyEditntdsutil
  3. Type: cmdCopyEditactivate instance ntds
  4. Mount the database: cmdCopyEditifm create full c:\ntdsrestore
  5. Use dsamain to load it: cmdCopyEditdsamain -dbpath c:\ntdsrestore\ntds.dit -ldapport 51389

Step 3: Query the Mounted Database for Lost Memberships

  1. Open LDAP Explorer (or PowerShell).
  2. Use this to search for old group memberships:
  3. powershell
  4. Get-ADObject -SearchBase "CN=Users,DC=domain,DC=com" -LDAPFilter "(memberOf=*)" -Server localhost:51389
  5. Compare the mounted database against your live AD to identify missing group memberships.

Scenario 2: Recover Group Memberships from SYSVOL Backups

If Group Policy or Restricted Groups was enforcing memberships, you can extract past data from SYSVOL.

  1. Navigate to: pgsqlCopyEdit\\domain.com\SYSVOL\domain.com\Policies\
  2. Look for GPO backup files:
    • Group.xml
    • Registry.pol
  3. Extract past memberships from XML logs.

If you find the GPO backup, restore it:

powershell

Import-GPO -BackupId "{GPO_GUID}" -TargetName "Recovered_GPO"

Scenario 3: Use Replication Metadata to Retrieve Lost Memberships

Even if group memberships were lost, Active Directory replication metadata might contain traces.

Step 1: Query AD Metadata

powershell

repadmin /showobjmeta domain.com "CN=RestoredUser,CN=Users,DC=domain,DC=com"

Look for:

  • Last Known Group Memberships
  • Deleted Attributes

Step 2: Restore Deleted Metadata Attributes

powershell

Get-ADObject -SearchBase "CN=Deleted Objects,DC=domain,DC=com" -IncludeDeletedObjects

Find the deleted “memberOf” attribute and manually reassign it.

Scenario 4: Extract Group Memberships from Old NTDS Backups

If you have an old AD database dump, you can extract binary LDF backups.

  1. Open LDP.exe.
  2. Connect to your old NTDS database dump.
  3. Run: cmdCopyEditldifde -f groupmembers.ldf -d "DC=domain,DC=com" -r "(objectClass=group)"
  4. Open groupmembers.ldf and find missing users.

Scenario 5: Reconstruct Memberships Using Event Logs

If you had Active Directory Auditing enabled, group membership changes might be recorded in Event Logs.

Step 1: Search Security Logs for Group Changes

  1. Open Event Viewer (eventvwr.msc).
  2. Navigate to Security Logs.
  3. Look for Event ID 4728 (Member Added) and 4729 (Member Removed).

Step 2: Extract Memberships Using PowerShell

powershell

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4729 } | Format-List

This will list who was removed from which group.

Scenario 6: Restoring Group Memberships via PowerShell Forensics

If no backups exist, PowerShell can help reconstruct past membership changes by searching for orphaned SIDs.

Step 1: Identify Orphaned SIDs in Groups

If a group previously contained a now-deleted user, it might still list an orphaned SID.

powershell

Get-ADGroup -Filter * -Properties Members | ForEach-Object {
    $_.Members | Where-Object { $_ -match "S-1-5-21-.*" }
}

This will show groups containing deleted members.

Step 2: Match Orphaned SIDs to Previous Users

If you have an old user SID list, compare it against the orphaned entries:

powershell

Get-ADObject -SearchBase "CN=Deleted Objects,DC=domain,DC=com" -IncludeDeletedObjects

Scenario 7: If All Else Fails – Reconstruct Memberships Manually

If you can’t recover membership from NTDS.dit, logs, or backups, your last resort is manual reconstruction.

Step 1: Ask Users or Check HR Records

  • Users often remember which distribution groups they were in.
  • HR records may contain role-based access control mappings.

Step 2: Use AD Role-Based Assignments

  • Check existing Group Policy Objects (GPOs) for role-based groups.
  • Use past Access Control Lists (ACLs) on shared folders.

Step 3: Recreate Groups Using Security Logs

If you know a timeframe, filter logs:

powershell

Get-WinEvent -LogName Security | Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-30) -and $_.Id -eq 4728 }

Final Verification & Best Practices

Once group memberships are restored:

powershell

Get-ADUser -Identity "RestoredUser" -Properties MemberOf | Select-Object -ExpandProperty MemberOf

For groups:

powershell

Get-ADGroup -Identity "RestoredGroup" | Select-Object -ExpandProperty Members

Future Prevention Strategies

  1. Enable AD Recycle Bin:
  2. powershell
  4. Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.com"
  5. Daily Backups of Group Memberships:
  6. powershell
  7. Get-ADGroup -Filter * -Properties Members | Export-Csv "C:\AD_GroupBackup.csv" -NoTypeInformation
  8. Enable AD Auditing for Group Changes:
  9. powershell
  10. auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
Active Directory Server 2025 Windows

Related Posts

Customization in Snipe-IT

1. Custom Branding (Logo, Colors, and Favicon) You can change Snipe-IT’s appearance via the .env file: bashnano /var/www/snipe-it/.env Modify these lines: iniBRAND_NAME=”Your Company Name”APP_TITLE=”Your Custom Snipe-IT”APP_LOGO=/uploads/logo.pngAPP_FAVICON=/uploads/favicon.ico Then, upload your logo and favicon to /public/uploads/. Apply changes: bashphp artisan config:clearphp artisan cache:clear 2. Custom Login Page Background You can replace the…

Read More