你可以參考我原來寫的一個恢復域用戶的 PowerShell 脚本。
這個脚本部分代碼參考一個老外的 C# 代碼,不過引用 URL 暫時找不到,找到後補充上來。
此外這個脚本沒有考慮 OU 被意外刪除的問題,你需要自行修改代碼。
另外從你的描述看,似乎域存在同步問題,按理說用戶應該在所有 DC 都被刪除才是。
Add-Type -Path 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll'
Add-Type -Path 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.Protocols.dll'
$root = [adsisearcher]'LDAP://RootDSE'
$root.Filter = '(&(isDeleted=TRUE)(objectclass=person)(objectclass=organizationalperson)(objectclass=user)(!(objectclass=computer)))'
$root.Tombstone = $true
$users = $root.FindAll()
if ($users -ne $null)
{
$ldapConn = new-object System.DirectoryServices.Protocols.LdapConnection($(([adsi]'LDAP://RootDSE').properties.dnsHostName))
$dam1 = new-object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dam1.Name = 'isDeleted'
$dam1.Operation = 'Delete'
$dam2 = new-object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dam2.Name = 'distinguishedName'
$dam2.Operation = 'Replace'
$newDN = ''
foreach ($user in $users)
{
$lkp = $($user.properties.lastknownparent)
if (![string]::IsNullOrEmpty($lkp))
{
$newDN = 'CN={0},{1}' -f $($user.properties.samaccountname), $($user.properties.lastknownparent)
}
$dam2.Clear()
[void]$dam2.Add($newDN)
$mr = new-object System.DirectoryServices.Protocols.ModifyRequest($($user.properties.distinguishedname), ($dam1, $dam2))
[void]$mr.Controls.Add($(new-object System.DirectoryServices.Protocols.ShowDeletedControl))
"User: $($user.properties.samaccountname)"
"IsDeleted: $($user.properties.isdeleted)"
"LastKnownParent: $($user.properties.lastknownparent)"
"NewDN: $newDN"
$response = $ldapConn.SendRequest($mr)
$response.ErrorMessage
}
$ldapConn.Dispose()
}
Folding@Home
