I will assume you have a K3 Domain... It is going to need administrator level rights (not domain admin) just to look into the deleted items container unless the ACLs have been relaxed like Tony was asking about the other day here on the list. However, this should be handled in such a way that when the restore is being done, the work can be done in the context of the person requesting the restore, not the service itself.

Then outside of that, it will need rights to update properties on the specific object types. You can side-step this by marking more of the attributes to be kept with the deleted object (aka tombstone) and then just yank the tombstoned object back out of the deleted items container. This latter step can be done with LDP, or my command line admod tool will do it as well. The issues will be with backlinks (and about now Guido should swoop in...) and I would wonder how they handle that. I.e., if you have group memberships all over the place, are they maintaining that information, and if so, how do they restore it when needed, as it wouldn't be by modifying the object restored, but the objects the backlinks point to.

To do this you don't even really need any fancy restore system. The tools all exist to set this all up now: basic schema mod and then using either LDP or admod. I've even considered whipping up a GUI tool to do this as it is pretty simple. Just know that once I do, everyone will have an idea on how the GUI should look; the command line is easy enough to script around so anyone can do whatever they want with it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Wednesday, August 04, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Changing permissions in AD

There are two parts to the backup solution. The first only requires backup operator rights and does normal system level backups/restores and non-AD-level file recovery. No issues there. The additional rights come from their method of dealing with AD and restoring individual objects in AD. Basically, as I understand it (and has been discussed on this great list before), when an object is deleted it is stripped of most of its attributes and placed in a hidden deleted items folder.

The application, in order to restore an object, keeps a database of the attributes, and when restoring takes the items out of that area and puts back on the stripped out information. At least that's how I understand it. Could be wrong as am still looking at it. So. In order to do the second part, it needs lots of rights, which is a question which should have been asked beforehand. Right now we're trying to get them to tell us exactly what has to have permissions and the answer remains "domain admins" or something real close to it which they have not been able to define very well. I'm not even real sure if these permissions they are saying is enough. I really think the only way they've tested it is under domain admin rights and there may be reasons in AD that require that....

Steve

On Wed, 4 Aug 2004 15:06:48 -0400, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> Seems that's not so easy as to find an easy vbscript for it. Found
> some c++ for it but that doesn't sound like what you want :) How many
> OUs do you have?
>
> Also, what POS backup system are you deploying? I'd like to stay as far
> away from that company as I possibly can. And since you have the
> rights to remove these settings, you probably also know the reason
> they were set in the first place. Seems strange that you can so
> easily remove those rights though.
>
> Al
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve
> Sent: Tuesday, August 03, 2004 6:07 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Changing permissions in AD
>
> Question: A particular backup solution requires one of the following
> rights: either grant it full domain admin rights over the entire
> domain, or grant it read, write, and create objects in the entire
> domain (which is pretty close to domain admin).
>
> If I use Delegation or manually add the rights at the domain level
> everything works as expected. All objects receive the rights except
> those OUs/objects which explicitly have inherit permissions denied.
>
> Is there an easy way to overwrite the deny inheritance setting? Or is
> there a utility that I could use to do this with?
>
> I can go through ADUC and grant the rights manually, but I would rather
> have an automated solution for this problem.
>
> I would expect that this is a common request rather than just giving
> up full domain admin rights and I'm looking for a better, smarter way
> of dealing with it.
>
> Thanks
>
> Steve

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
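The two steps joe describes at the top of the thread (a schema mod so more attributes survive on the tombstone, then pulling the tombstone back out of the Deleted Objects container with a plain LDAP modify, as LDP or admod do) as an added PowerShell example. This is not code from the thread or from joe's admod tool; it uses System.DirectoryServices.Protocols rather than a GUI, and the DC name dc01.example.test, the domain DN, the attribute telephoneNumber, the user jsmith and the target OU are all assumptions. Step 1 needs Schema Admins and runs against the schema master; step 2 runs as the caller, so it works in the context of the person requesting the restore rather than a service account, and needs the Reanimate Tombstones control access right plus write on whatever attributes you re-populate afterwards. Backlinks (group memberships) are not restored by this modify, which is exactly the gap joe raises.

```powershell
using namespace System.DirectoryServices.Protocols
# Added example, not from the thread. Assumed names: dc01.example.test,
# DC=example,DC=test, attribute telephoneNumber, user jsmith, OU=Staff.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Step 1 (schema mod): set searchFlags bit 0x8 (fPRESERVEONDELETE) on an
# attributeSchema object so the value is kept on the tombstone instead of
# being stripped at deletion. Needs Schema Admins.
function Set-PreserveOnDelete {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNC",
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No attributeSchema with lDAPDisplayName $LdapDisplayName" }
    $attr  = $hit.GetDirectoryEntry()
    $flags = [int]$attr.Properties['searchFlags'].Value
    if ($flags -band 0x8) { return "$LdapDisplayName already preserved on delete" }
    $attr.Properties['searchFlags'].Value = $flags -bor 0x8
    $attr.CommitChanges()
    return "$LdapDisplayName now preserved on delete"
}

# Step 2 (reanimate): find the tombstone with the Show Deleted Objects control,
# then in ONE modify remove isDeleted and replace distinguishedName with the
# DN the object should come back under.
function Restore-Tombstone {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. dc01.example.test
        [Parameter(Mandatory)][string]$DomainDN,        # e.g. DC=example,DC=test
        [Parameter(Mandatory)][string]$SamAccountName,  # e.g. jsmith
        [Parameter(Mandatory)][string]$TargetOU         # e.g. OU=Staff,DC=example,DC=test
    )
    $conn = [LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current user's credentials: the admin doing the restore, not a service
    $showDeleted = [ShowDeletedControl]::new()

    # Tombstones keep sAMAccountName, objectSid, objectGUID and lastKnownParent by default,
    # which is enough to identify the right one.
    $search = [SearchRequest]::new(
        "CN=Deleted Objects,$DomainDN",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [SearchScope]::OneLevel,
        [string[]]@('cn', 'lastKnownParent', 'objectSid'))
    [void]$search.Controls.Add($showDeleted)
    $hits = $conn.SendRequest($search)
    if ($hits.Entries.Count -ne 1) {
        throw "Expected exactly one tombstone for $SamAccountName, found $($hits.Entries.Count)"
    }
    $tomb = $hits.Entries[0]

    # A tombstone RDN is 'CN=<name>\0ADEL:<guid>'; drop the DEL suffix for the restored RDN.
    $cn    = $tomb.Attributes['cn'].GetValues([string])[0] -replace '(?s)\nDEL:.*$', ''
    $newDN = "CN=$cn,$TargetOU"

    $dropIsDeleted = [DirectoryAttributeModification]::new()
    $dropIsDeleted.Name = 'isDeleted'
    $dropIsDeleted.Operation = [DirectoryAttributeOperation]::Delete

    $setDN = [DirectoryAttributeModification]::new()
    $setDN.Name = 'distinguishedName'
    $setDN.Operation = [DirectoryAttributeOperation]::Replace
    [void]$setDN.Add($newDN)

    $modify = [ModifyRequest]::new($tomb.DistinguishedName,
        [DirectoryAttributeModification[]]@($dropIsDeleted, $setDN))
    [void]$modify.Controls.Add($showDeleted)
    [void]$conn.SendRequest($modify)   # throws DirectoryOperationException on failure
    return $newDN
}

# Usage (hypothetical values):
# Set-PreserveOnDelete -LdapDisplayName 'telephoneNumber'
# Restore-Tombstone -Server 'dc01.example.test' -DomainDN 'DC=example,DC=test' `
#     -SamAccountName 'jsmith' -TargetOU 'OU=Staff,DC=example,DC=test'
```

The schema change only affects objects deleted after it is made, so it is a preparation step, not a way to recover data from existing tombstones. After reanimation the account comes back disabled with whatever attributes the tombstone kept; anything else, including memberships held on other objects' member attributes, has to be written back separately, which is why the restore tool in Steve's question needs write rights beyond the restored object itself.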
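For Steve's question about the OUs and objects that block inheritance: an added PowerShell example (not from the thread, and not the vbscript Al mentions) that lists every OU or container under a search base whose DACL is marked protected, and can switch inheritance back on through the ActiveDirectorySecurity object. The domain DN DC=example,DC=test is an assumption. It defaults to reporting only, because, as Al points out, those blocks were usually set for a reason and the report is what you want to review first.

```powershell
# Added example, not from the thread. Assumed search base: DC=example,DC=test.
# Lists objects whose DACL has inheritance blocked and, on request, re-enables it.
Add-Type -AssemblyName System.DirectoryServices

function Get-InheritanceBlockedObject {
    param([Parameter(Mandatory)][string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter      = '(|(objectClass=organizationalUnit)(objectClass=container))'
    $searcher.PageSize    = 1000   # paged results, so large domains come back completely
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        # ObjectSecurity is the object's ActiveDirectorySecurity (its security descriptor);
        # AreAccessRulesProtected is the "block inheritance" bit on the DACL.
        if ($entry.ObjectSecurity.AreAccessRulesProtected) { $entry }
    }
}

function Enable-AclInheritance {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][System.DirectoryServices.DirectoryEntry]$Entry,
        [switch]$Apply   # without -Apply nothing is written
    )
    process {
        $dn = $Entry.Properties['distinguishedName'].Value
        if (-not $Apply) { return "would enable inheritance on $dn" }
        $sd = $Entry.ObjectSecurity
        # $false = no longer protected; $true = keep the explicit ACEs already on the object,
        # so nothing granted directly on the OU is lost, it just also receives parent ACEs.
        $sd.SetAccessRuleProtection($false, $true)
        $Entry.CommitChanges()
        return "enabled inheritance on $dn"
    }
}

# Usage (hypothetical values): review the report, then run again with -Apply.
# Get-InheritanceBlockedObject -SearchBase 'DC=example,DC=test' | Enable-AclInheritance
# Get-InheritanceBlockedObject -SearchBase 'DC=example,DC=test' | Enable-AclInheritance -Apply
```

Two caveats a practitioner would want: objects covered by AdminSDHolder (users and groups with adminCount=1) get their DACL rewritten by SDProp roughly hourly, so re-enabling inheritance on those does not stick, and after inheritance is restored the delegated rights granted at the domain level flow down, which is the outcome Steve wants but also widens what the backup account can touch; keep the domain-level grant as narrow as the product genuinely needs.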
