Don't forget that the typical backup procedure for group-links won't help you that much with your current approach, as you're actually re-creating the user in a different domain => it will have a different DN, GUID and SID. Depending on your naming convention, your samAccountName and UPN may remain the same.

Tools that perform automated recovery of links (e.g. group-memberships etc.) typically assume you're recovering the links to the same user object (preferred method here is to use the GUID of the object for identification in a forest) - which is not the case in your current "user/mailbox move" approach. If you stick to this approach, you'd require a custom app that would allow you to recover DLs via some sort of mapping for UserNEW to UserOLD. This is a whole different thing (obviously it's still possible to do this).

As previously posted, you should switch to using the normal user "move" operations (e.g. using MS ADMT which is preferred over the movetree command; you can still script the move using ADMT) which will keep your DLs intact (naturally you'll always lose the group memberships which are out of scope for the target domain, e.g. memberships in global groups of the source domain). Then use something like exmerge for the mailbox move to a different admin group.

This way, you won't need any special tool to "recover" group memberships when a user moves between domains. However, if you want to be prepared for other scenarios, such as recovering memberships for accidentally deleted objects, you should still do as joe already pointed out: periodically dump all memberships to some other store so that you can recover them to the _original_ objects as required.

To do so, Quest has a good offering with their AD Recovery Manager (which does more than the backup and recovery of links) - it's not for free, but you may want to check it out. I hate to add this plug in this list, but I have also worked rather intensively on a tool which focuses on backing up, displaying and recovering just the links between objects in an AD forest for quite a while now (other people on this list already know about it anyways ;-): AD Link Recovery Manager (ADLRM). It's also not for free (it's bundled with AD disaster recovery consulting services from HP), but it has a lot to offer. It centrally stores forest-wide link information in an SQL/MSDE database and has a very powerful explorer-like UI to display links (incl. nested memberships etc.) and to restore them. Let me know if you want to know more about it, or send an e-mail to [EMAIL PROTECTED].
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:39
To: [email protected]
Subject: RE: [ActiveDir] Recover DL membership

This would be very useful as we have people moving from different domains\admin groups quite often.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Nope. Nothing native that is. This is a good reason to take dumps occasionally of groups you have or sync the membership to another store like SQL or AD/AM.

I have been thinking about making a tool to do something like this. How much would people pay for that functionality?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon

I had a user that was moved from one child domain to another. The user was deleted and added. Is there any way to recover the group membership of that user in the old domain?
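The periodic membership dump joe recommends and the UserNEW-to-UserOLD mapping Guido describes above, as an added PowerShell example that is not any poster's own code; it assumes the RSAT ActiveDirectory module, and the function and parameter names (Export-GroupLinks, Restore-GroupLinks, -SamToNewDN) are invented for illustration:

```powershell
# Added example, not from any poster in this thread. Assumes the RSAT
# ActiveDirectory module; function and parameter names are invented here.
function Export-GroupLinks {
    param([string]$Server, [string]$Path)
    # Dump every group -> member link of one domain to CSV. objectGUID is the key
    # link-recovery tools expect; sAMAccountName is kept as a second key, since a
    # user re-created in another domain gets a new GUID and SID but often keeps its name.
    Get-ADGroup -Server $Server -Filter * -Properties member | ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            $sam = $null; $guid = $null
            try {
                # Members from other domains may not resolve against this DC; keep the DN anyway.
                $m = Get-ADObject -Server $Server -Identity $dn -Properties sAMAccountName
                $sam = $m.sAMAccountName; $guid = $m.ObjectGUID
            } catch { Write-Warning "Could not resolve $dn from $Server" }
            [pscustomobject]@{
                GroupDN = $group.DistinguishedName; GroupScope = $group.GroupScope
                MemberDN = $dn; MemberGUID = $guid; MemberSam = $sam
                DumpedAt = (Get-Date).ToString('o')
            }
        }
    } | Export-Csv -NoTypeInformation -Path $Path
}

function Restore-GroupLinks {
    param([string]$Server, [string]$Path, [hashtable]$SamToNewDN)
    # Without a map, links go back to the original object by GUID (the deleted-
    # and-reanimated case). With a map (old sAMAccountName -> DN of the re-created
    # user), this is the UserOLD-to-UserNEW mapping needed for a re-create approach.
    Import-Csv -Path $Path | ForEach-Object {
        $link = $_
        $target = $link.MemberGUID
        if ($SamToNewDN -and $link.MemberSam -and $SamToNewDN.ContainsKey($link.MemberSam)) {
            $target = $SamToNewDN[$link.MemberSam]
            # A global group only holds principals from its own domain, so memberships
            # in source-domain global groups cannot be re-created for a cross-domain user.
            $groupDomain  = $link.GroupDN -replace '^.*?,(DC=.*)$', '$1'
            $targetDomain = $target -replace '^.*?,(DC=.*)$', '$1'
            if ($link.GroupScope -eq 'Global' -and $groupDomain -ne $targetDomain) {
                Write-Warning "Skipping $($link.GroupDN): global group cannot hold $target"
                return
            }
        }
        if (-not $target) { return }
        try { Add-ADGroupMember -Server $Server -Identity $link.GroupDN -Members $target -ErrorAction Stop }
        catch { Write-Warning "Could not add $target to $($link.GroupDN): $_" }
    }
}
```

Run Export-GroupLinks against a DC of each domain on a schedule; Restore-GroupLinks with no map re-links a reanimated object by GUID, and with a map re-links a re-created user, skipping only the source-domain global groups that AD itself cannot hold it in.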
