Don't forget that the typical backup procedure for group-links won't help you that much with your current approach, as you're actually re-creating the user in a different domain => it will have a different DN, GUID and SID. Depending on your naming convention, your samAccountName and UPN may remain the same. 
 
Tools that perform automated recovery of links (e.g. group-memberships etc.) typically assume you're recovering the links to the same user object (preferred method here is to use the GUID of the object for identification in a forest) - which is not the case in your current "user/mailbox move" approach. If you stick to this approach, you'd require a custom app that would allow you to recover DLs via some sort of mapping for UserNEW to UserOLD. This is a whole different thing (obviously it's still possible to do this).
 
As previously posted, you should switch to using the normal user "move" operations (e.g. using MS ADMT which is preferred over the movetree command; you can still script the move using ADMT) which will keep your DLs intact (naturally you'll always lose the group memberships which are out of scope for the target domain, e.g. memberships in global groups of the source domain). Then use something like exmerge for the mailbox move to a different admin group.
 
This way, you won't need any special tool to "recover" group memberships when a user moves between domains. However, if you want to be prepared for other scenarios, such as recovering memberships for accidentally deleted objects, you should still do as joe already pointed out: periodically dump all memberships to some other store so that you can recover them to the _original_ objects as required.
To do so, Quest has a good offering with their AD Recovery Manager (which does more than the backup and recovery of links) - it's not for free, but you may want to check it out.  I hate to add this plug in this list, but I have also worked rather intensively on a tool which focusses on backing up, displaying and recovering just the links between objects in an AD forest for quite a while now (other people on this list already know about it anyways ;-): AD Link Recovery Manager (ADLRM). It's also not for free (it's bundled with AD disaster recovery consulting services from HP), but it has a lot to offer. It centrally stores forest-wide link information in an SQL/MSDE database and has a very powerful explorer-like UI to display links (incl. nested memberships etc.) and to restore them. Let me know if you want to know more about it, or send an eMail to [EMAIL PROTECTED].
 
/Guido
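One way to implement the periodic membership dump and the UserOLD-to-UserNEW restore discussed above, as an added PowerShell example that is not from the thread or from any of the tools it mentions. It assumes the ActiveDirectory module; all domain names, the global-catalog host, the file path and the user names are placeholders.

```powershell
# Added example, not from the thread or any product it mentions. Assumes the
# ActiveDirectory module; domain names, GC host, paths and users are placeholders.
Import-Module ActiveDirectory
function Backup-GroupLinks {
    param([string[]]$Domains, [string]$GlobalCatalog, [string]$OutFile)
    $rows = foreach ($dom in $Domains) {
        # Read the forward link (member) on every group rather than memberOf on
        # the user: memberOf is a back-link and can omit groups of other domains.
        Get-ADGroup -Server $dom -Filter * -Properties member | ForEach-Object {
            $group = $_
            foreach ($memberDn in $group.member) {
                # Resolve via the GC (the member may live in another domain) and keep
                # GUID, SID and sAMAccountName so the row outlives the deleted object.
                $m = Get-ADObject -Server $GlobalCatalog -Identity $memberDn -Properties sAMAccountName, objectSid
                [pscustomobject]@{
                    GroupDomain = $dom
                    GroupDN     = $group.DistinguishedName
                    GroupGUID   = $group.ObjectGUID
                    GroupScope  = $group.GroupScope
                    MemberDN    = $memberDn
                    MemberGUID  = $m.ObjectGUID
                    MemberSID   = $m.objectSid
                    MemberSam   = $m.sAMAccountName
                }
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
}

function Restore-GroupLinks {
    # Re-link one re-created user: every group that held $OldDn gets the new object.
    param([string]$BackupFile, [string]$OldDn, [string]$NewDomain, [string]$NewSam)
    $new = Get-ADUser -Server $NewDomain -Filter "sAMAccountName -eq '$NewSam'"
    if (-not $new) { throw "No user '$NewSam' found in $NewDomain" }
    Import-Csv $BackupFile | Where-Object { $_.MemberDN -eq $OldDn } | ForEach-Object {
        $row = $_
        try {
            # Write to a DC of the group's own domain; the dumped DN identifies it there.
            Add-ADGroupMember -Server $row.GroupDomain -Identity $row.GroupDN -Members $new -ErrorAction Stop
            Write-Output "restored: $($row.GroupDN)"
        } catch {
            # Expected for global groups of the old domain: out of scope for a foreign user.
            Write-Warning "$($row.GroupDN) [$($row.GroupScope)]: $($_.Exception.Message)"
        }
    }
}

# Scheduled dump, then a later restore after a cross-domain delete/re-create (placeholder values).
Backup-GroupLinks -Domains 'child1.corp.example','child2.corp.example' -GlobalCatalog 'gc1.corp.example:3268' -OutFile 'C:\ADLinks\links.csv'
Restore-GroupLinks -BackupFile 'C:\ADLinks\links.csv' -OldDn 'CN=Jane Doe,OU=Users,DC=child1,DC=corp,DC=example' -NewDomain 'child2.corp.example' -NewSam 'jdoe'
```

The warnings from the restore step are the memberships that cannot follow the user (global groups of the source domain), which is the same limitation a native move would show.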


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 23, 2005 23:39
To: [email protected]
Subject: RE: [ActiveDir] Recover DL membership

This would be very useful as we have people moving from different domains\admin groups quite often.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:22 PM
To: [email protected]
Subject: RE: [ActiveDir] Recover DL membership

 

Nope. Nothing native that is. This is a good reason to take dumps occasionally of groups you have or sync the membership to another store like SQL or AD/AM.

 

I have been thinking about making a tool to do something like this. How much would people pay for that functionality?

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 23, 2005 12:54 PM
To: [email protected]
Subject: [ActiveDir] Recover DL membership

I had a user that was moved from one child domain to another.  The user was deleted and added.  Is there any way to recover the group membership of that user in the old domain?

 

-Devon
