I mistakenly deleted a user account, and only that account has access to certain resources. Can I change another account's SID to the SID of the deleted account?
When an object (e.g., a user account) is created, the OS gives it an SID, which is stored in the objectSid attribute of the object. If you try to modify the attribute, even when running in the local system context, you receive the error message that Figure 1 shows.
Essentially, the SID is owned by the system, and a user can't change it to a particular value. The ability to do so would create a security vulnerability because changing the SID on an object could give it access rights that it shouldn't have.
If you have a system state backup, you can perform an authoritative restore of the deleted object, and the restored object will have its original SID. (For more information about authoritative restores, see the Web-exclusive article "How can I perform an authoritative restoration of Active Directory (AD) in Windows Server 2003?" December 2003, InstantDoc ID 41170.)
If no system state backup is available, and the resource you're trying to obtain access to is a file, an Administrator can take ownership of the file and then set whatever permissions are needed. If the item is an AD object or a service that uses AD, the Administrator can use the ADSIedit tool (which is part of the Windows 2000 and later support tools) to take ownership, then set access permissions.
If you deleted the account within the last 60 days, it's not actually gone from AD. Deleted objects are marked with a tombstone prior to removal from the directory to allow replication of their deleted state throughout the enterprise. The Sysinternals Adrestore utility, which you will restore the
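The tombstone check described above, as an added example that is not part of the original article: it looks up a tombstoned account, confirms that its original objectSid survived deletion, compares the deletion age against the forest's configured tombstone lifetime, and previews reanimation with the ActiveDirectory module's Restore-ADObject cmdlet (Windows Server 2008 R2 and later) in place of the Adrestore utility the article mentions. The account name is a constructed placeholder, and the script assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example, not from the original article. Assumes the RSAT
# ActiveDirectory module; 'jdoe' is a constructed placeholder account name.
Import-Module ActiveDirectory

$deletedName = 'jdoe'   # placeholder sAMAccountName of the deleted account

# The configured tombstone lifetime is stored (in days) on the Directory Service
# object in the configuration partition. A missing value means the OS default
# applies; the article assumes 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$lifetime = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $lifetime days"

# Tombstones are returned only with -IncludeDeletedObjects. objectSid and
# sAMAccountName are among the attributes a tombstone keeps, which is why a
# restore brings the original SID back instead of minting a new one.
$tombstone = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$deletedName))" `
    -IncludeDeletedObjects -Properties objectSid, lastKnownParent, whenChanged

if (-not $tombstone) {
    Write-Host "No tombstone for $deletedName: past its lifetime, or never deleted."
    return
}

# whenChanged is updated by the deletion itself, so it approximates the delete time.
$ageDays = (New-TimeSpan -Start $tombstone.whenChanged -End (Get-Date)).Days
Write-Host "Tombstone:         $($tombstone.DistinguishedName)"
Write-Host "Original SID:      $($tombstone.objectSid.Value)"
Write-Host "Deleted $ageDays days ago; last known parent: $($tombstone.lastKnownParent)"

# Restore-ADObject reanimates the tombstone with the same objectSid, which is
# the only supported way to get that SID back (objectSid itself is read-only).
if ($ageDays -lt $lifetime) {
    Restore-ADObject -Identity $tombstone.ObjectGUID -WhatIf   # remove -WhatIf to restore
} else {
    Write-Host "Tombstone is older than the lifetime; expect it to be garbage-collected."
}
```

After a restore the object lands under lastKnownParent with only the tombstone-preserved attributes, so group memberships and most other attributes still have to be rebuilt by hand.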