> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password
> attributes to the tombstone (I believe this is only valid for new installation of AD).
Actually, not quite.
For sidHistory, the SP1 change in behavior works for existing installations just
as well as existing ones. However, to be safe, we didn't actually modify
searchFlags. Instead, we added sidHistory to the list of attributes we always
preserve on tombstones no matter what the schema tells us we should (there is a
list so that you can't subvert replication and strip off more than should be
allowed). This was deemed safer than modifying your schema out from under you on
SP upgrade. I tend to agree.
This of course leads to the fact that non-SP1 DCs will strip sidHistory where SP1
will keep it. This was well understood, but we did not want a schema change for SP1.
So we figured, it was this or wait for Longhorn. We went with this as being better
than nothing.
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
realize that this search-flag can't be applied to all attributes (e.g. linked
attributes such as member/memberOf) => as such you will always require a
combination of actions to successfully recover users to a previous state. If you
do want to leverage the tombstone reanimation feature of 2003 (such as leveraged by
SysInternal's adrestore), you'll have to have mechanisms in place to recover
attributes which you can't contain in the tombstone object.
BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and
Password attributes to the tombstone (I believe this is only valid for new
installation of AD). These are the ones that other third-party tools which help
with re-populating the missing attributes can't rewrite after tombstone revival
occurs => as such I would certainly consider changing these search flags in other
AD implementations, which leverage restore tools that also use the tombstone
reanimation method.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Saturday, July 9, 2005 00:03
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Keep existing attributes from users restored.
From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Fri. 08/07/2005 18:29
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
<Resent for clarity, odd formatting in previous post ... at least on my end>
... modify the searchFlags property of the attributeSchema class that
represents the attribute you'd like preserved during logical deletion.
1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins)
2. Expand the Schema NC (Naming Context)
3. Locate "cn=<attribute>"
4. Right click it and select Properties
5. Locate and edit the "searchFlags" property
6. Perform a bitwise-or of bit 3 (the 8)
7. Click OK
8. Right click the node in the left pane labeled "Schema [your DC's FQDN]",
   select "Update Schema Now"
To make my reason for asking clear, I don't think modifying an enterprise property
for the sake of recovering slightly more quickly from occasional deletions is
particularly good practice ... but that's just me :o)
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
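An added example, not part of the original thread or of any poster's own tooling: the bitwise-or in step 6 applied to an exported list of attributeSchema objects, producing LDIF modify records that can be reviewed before anything touches the schema. The sample export, the DC=example,DC=com DNs, exampleAttr and the helper names are constructed for illustration.

```python
import re

PRESERVE_ON_DELETE = 0x8  # bit 3 of searchFlags, "the 8" in step 6

# Constructed sample: LDIF-style export of three attributeSchema objects.
# DNs and flag values are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=Telephone-Number,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: telephoneNumber
searchFlags: 1

dn: CN=Display-Name,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: displayName
searchFlags: 5

dn: CN=Example-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleAttr
searchFlags: 8
"""

def parse_records(ldif_text):
    """Split LDIF text into dicts of attribute -> value (single-valued only)."""
    records = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key] = value
        records.append(rec)
    return records

def plan_changes(records, wanted):
    """Return (dn, old, new) for wanted attributes that lack the preserve bit."""
    plan = []
    for rec in records:
        old = int(rec.get("searchFlags", "0"))  # absent searchFlags means 0
        if rec.get("lDAPDisplayName") in wanted and not old & PRESERVE_ON_DELETE:
            # OR keeps the existing index/ANR bits instead of overwriting them
            plan.append((rec["dn"], old, old | PRESERVE_ON_DELETE))
    return plan

def to_ldif(plan):
    """Render the plan as LDIF modify records for review before any import."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nreplace: searchFlags\n"
        f"searchFlags: {new}\n-\n\n" for dn, _, new in plan)
```

Attributes that already carry the bit (exampleAttr here) produce no change record, so the plan doubles as an audit of what is currently preserved on tombstones.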
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 08, 2005 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
Out of curiosity Dean, what schema mod is this?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, July 08, 2005 11:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
To do that, you need to modify the schema. The schema modification must be
in place before the deletion occurs, are you prepared to modify the schema
for such a rare occurrence (at least I hope this is rare)?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Friday, July 08, 2005 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Keep existing attributes from users restored.
Hello all :)
I recovered deleted users from deletion successfully by either the following
method http://support.microsoft.com/kb/840001/en-us or the excellent
adrestore tool from sysinternals.
But when I restore deleted users, all their existing attributes (such as
telephone, fax, displayname, sn, givenname, etc.) are not kept after restoration.
The account is only disabled.
Only their sids are kept. I'd like to find a way to recover all their
attributes too, that is to say the state they were before deletion.
Any ideas?
Thanks in advance.
Cheers,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/