Hi,

You could also do it another way...

If for some reason the user account is not needed anymore, don't delete right away but make it inactive (disable it) and move it to a de-provisioning OU. Let it stay over there for, let's say, 60 days (or 90 or whatever you think is enough) and delete it after that number of days has passed.

Have three scripts running on a DC:

(1) script that runs each day at a certain time and disables all enabled users in the deprovisioning OU (using ADMODCMD from ADmodify or using OLDCMP)

(2) script that runs each day at a certain time (after the first finished) and grants Associated External Account privileges to SELF (KB 278966) in the deprovisioning OU (using ADMODCMD from ADmodify)

(3) script that runs each day at a certain time (after the second finished) and deletes each user account in the provisioning OU that has a lastlogontimestamp (w2k3 FFL) which exceeds 90 or more days (OLDCMP) (don't forget to also delete homedirectories and profile directories) (this can be accomplished by using a script with ADFIND that queries the homedirectory and profiledirectory (normal and TS) of the user before it is deleted and deletes the homedirectory and profile directory)

If you need the user before it is deleted, move it to the original OU (manually), remove SELF as associated external account (manually) and enable the account.

Cheers,
#JORGE#
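The selection step of script (3) above, written out as an added example (it is not part of the original thread and not Jorge's script): it takes user records as they might be exported from the deprovisioning OU and decides which accounts are past the age limit and which directories to clean up. It goes slightly beyond the message by holding back accounts with no lastLogonTimestamp and by adding a 14-day margin, since by default lastLogonTimestamp can trail the real last logon by up to 14 days; the record layout, names, domain and file server are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled account
SYNC_LAG_DAYS = 14       # assumed safety margin: default lastLogonTimestamp lag

def filetime_to_dt(ft):
    """lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10)

def to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def deletion_plan(users, ou_dn, now, max_age_days=90):
    """Return (delete, review): accounts past the limit, and ones needing a human."""
    cutoff = now - timedelta(days=max_age_days + SYNC_LAG_DAYS)
    suffix = "," + ou_dn.lower()
    delete, review = [], []
    for u in users:
        dn = u["distinguishedName"]
        if not dn.lower().endswith(suffix):
            continue  # outside the deprovisioning OU: never touched
        if not int(u.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            review.append((dn, "still enabled"))  # script (1) has not run yet
        elif not int(u.get("lastLogonTimestamp") or 0):
            review.append((dn, "no lastLogonTimestamp"))  # never logged on
        elif filetime_to_dt(u["lastLogonTimestamp"]) <= cutoff:
            # Record the directories now; the values vanish with the object.
            dirs = [u[k] for k in ("homeDirectory", "profilePath") if u.get(k)]
            delete.append({"dn": dn, "cleanup": dirs})
    return delete, review

# Constructed sample records (hypothetical names, domain and file server).
NOW = datetime(2005, 7, 9, tzinfo=timezone.utc)
DEPROV_OU = "OU=Deprovisioning,DC=example,DC=test"
def _user(name, uac, last=None, ou=DEPROV_OU):
    return {"distinguishedName": f"CN={name},{ou}", "userAccountControl": uac,
            "lastLogonTimestamp": to_filetime(last) if last else None,
            "homeDirectory": rf"\\fs01\home\{name}",
            "profilePath": rf"\\fs01\profiles\{name}"}

SAMPLE_USERS = [
    _user("alice", 514, datetime(2005, 1, 1, tzinfo=timezone.utc)),  # 189 days old
    _user("bob", 514, datetime(2005, 4, 5, tzinfo=timezone.utc)),    # 95 days: in margin
    _user("carol", 514),                                             # never logged on
    _user("dave", 512, datetime(2005, 1, 1, tzinfo=timezone.utc)),   # still enabled
    _user("erin", 514, datetime(2004, 1, 1, tzinfo=timezone.utc), "OU=Staff,DC=example,DC=test"),
]
```

Calling `deletion_plan(SAMPLE_USERS, DEPROV_OU, NOW)` returns the delete list and the review list; the actual delete and directory cleanup would be driven from the first list only.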
________________________________
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Fri 7/8/2005 11:48 PM
To: [email protected]; [email protected]; [email protected]
Subject: RE : [ActiveDir] Keep existing attributes from users restored.

Hi Jorge ;)

Yes, you're right in the fact that we must design our AD delegation as well, and this is what we did, with admin people that I trust. But deletion is a reality, and fortunately that does not happen frequently, so I do not have to restore that frequently; maybe I was not clear in my previous post: "I have to recover users rarely" means not frequently :-)

We use AD in many ways, and one of them is to make user information available to everyone in our intranet, so that people can easily retrieve useful information such as telephonenumber, mail, locality, job function.... and when it's time to restore deleted users, I think it can be useful and a non-negligible time saving to restore their attributes too, rather than trying to remember their lost information and importing it into AD. I agree it is not critical, but rather a comfortable way.

Cheers,
Yann

________________________________
From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Fri. 08/07/2005 18:29
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

What we are trying to understand is why you need to restore objects that frequently. At least in my opinion you should not try to solve the problem by also undeleting additional attributes, but you should look at how your delegation is configured. Are the correct people deleting the objects? Should they be able to delete objects? Provisioning and de-provisioning are procedures that can also be implemented to help you with this.

#JORGE#

________________________________
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Fri 7/8/2005 5:43 PM
To: [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
Yes Dean, I have to recover users rarely, but when the time comes, like this morning where some users have been deleted, it may be easy for me to restore with all their attributes rather than setting again all their attributes with ADUC or any scripts ;(

I have a test AD environment, so I would test the schema modification first before applying it to my production.

Thanks Dean

Regards,
Yann TIROA
Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, 8 July 2005 17:20
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

To do that, you need to modify the schema. The schema modification must be in place before the deletion occurs, are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 08, 2005 11:05 AM
To: [email protected]
Subject: [ActiveDir] Keep existing attributes from users restored.

Hello all :)

I recovered deleted users from deletion successfully by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from sysinternals.

But when I restore deleted users, all their existing attributes (such as telephone, fax, displayname, sn, givenname, etc.) are not kept after restoration. The account is only disabled. Only their SIDs are kept.

I'd like to find a way to recover all their attributes too, that is to say the state they were in before deletion.

Any ideas?

Thanks in advance.

Cheers,
Yann TIROA
Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât.
Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
