Interesting thread. I've always been a fan of keeping the information separate for this situation. I need the sid in order to allow the user to access the resources he had prior to accidental deletion (that's another thread :) but otherwise, I wouldn't want password for a user I restored. That would be very dangerous in my mind as it could allow a rogue admin (yet another thread right?) access to resources that purposefully deleted users had and they'd be able to do so in a relatively covert manner. They'd be hard to track for sure. Additionally, restoring the user to groups could be a nightmare. I'd prefer to keep that information in a separate off-line format (text file? db?) where I can report against it and use it to breath life into a reanimated user should the need absolutely arise. I'm a huge fan of setting up process to do as much as possible to prevent the accidental deletion of users at every turn. My thoughts are that those shops with the wherewithal to set the schema mods, aren't the ones that need an undelete in most cases, but good processes are always a good idea. Still, the odd accident can occur. I realize that. Now I'm just not sure that taking the time to practice against such a thing is worth the effort of practicing this on a regular basis to make sure you don't mess it up. Besides, you'll have to restore the other information anyway, so you may as well get what's absolutely needed (sidHistory should be in that list IMHO) but plan to get other information (fax #? Phone #, group information, nickname, petname, etc) separately. To try and hold it in deleted items would be more of a PITA due to replication than it would be to store it out of band for other uses. My $0.04 (USD) anyway. Al P.S. if you use .NET to write an app to suck the data out to an off-line storage medium, be aware that it doesn't natively handle group membership very well. Trust me, that's important ;)
________________________________ From: [EMAIL PROTECTED] on behalf of Dean Wells Sent: Mon 7/11/2005 5:36 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. No. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> http://msetechnology.com <http://msetechnology.com/> ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 5:05 PM To: [email protected] Subject: RE: [ActiveDir] Keep existing attributes from users restored. thanks for the useful information, Eric. You've only mentioned sidHistory - does the same apply for the password? /Gudo ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Montag, 11. Juli 2005 16:45 To: [email protected] Subject: RE: [ActiveDir] Keep existing attributes from users restored. > BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory > and Password attributes to the tombstone (I believe this > is only valid for new installation of AD). Actually, not quite. For sidHistory, the SP1 change in behavior works for existing installations juts as well as existing ones. However, to be safe, we didn't actually modify searchFlags. Instead, we added sidHistory to the list of attributes we always preserve on tombstones no matter what the schema tells us we should (there is a list so that you can't subvert replication and strip off more than should be allowed). This was deemed safer than modifying your schema out from under you on SP upgrade. I tend to agree. This of course leads to the fact that non-SP1 DCs will strip sidHistory where SP1 will keep it. This was well understood, but we did not want a schema change for SP1. So we figured, it was this or wait for Longhorn. We went with this as being better than nothing. ~Eric ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 7:08 AM To: [email protected] Subject: RE: [ActiveDir] Keep existing attributes from users restored. realize that this search-flag can't be applied to all attributes (e.g. linked attributes such as member/memberOf) => as such you will always require a combination of actions to successfully recover users to a previous state. If you do want to leverage the tombstone reanimation feature of 2003 (such as leveraged by SysInternal's adrestore), you'll have to have mechanisms in place to recover attributes which you can't contain in the tombstone object. BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this is only valid for new installation of AD). These are the ones that other third-party tools which help with re-populating the missing attributes can't rewrite after tombstone revival occures => as such I would certainly consider changing these search flags in other AD implementations, which leverage restore tools that also use the tombstone reanimation method. /Guido ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Samstag, 9. Juli 2005 00:03 To: [email protected] Subject: RE : [ActiveDir] Keep existing attributes from users restored. Thanks Dean, I will test it. Cheers, Yann ________________________________ De: [EMAIL PROTECTED] de la part de Dean Wells Date: ven. 08/07/2005 18:29 À: Send - AD mailing list Objet : RE: [ActiveDir] Keep existing attributes from users restored. <Resent for clarity, odd formatting in previous post ... at least on my end> ... modify the searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion. 1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins) 2. Expand the Schema NC (Naming Context) 3. Locate "cn=<attribute>" 4. Right click it and select Properties 5. Locate and edit the "searchFlags" property 6. Perform a bitwise-or of bit 3 (the 8) 7. Click OK 8. Right click the node in the left pane labeled "Schema [your DC's FQDN]", select "Update Schema Now" To make my reason for asking clear, I don't think modifying an enterprise property for the sake of recovering slightly more quickly from occasional deletions is particularly good practice ... but that's just me :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 08, 2005 11:30 AM To: [email protected] Subject: RE: [ActiveDir] Keep existing attributes from users restored. Out of curiosity Dean, what schema mod is this? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, July 08, 2005 11:20 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. To do that, you need to modify the schema. The schema modification must be in place before the deletion occurs, are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Friday, July 08, 2005 11:05 AM To: [email protected] Subject: [ActiveDir] Keep existing attributes from users restored. Hello all :) I recovered deleted users from deletion succesfully by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from sysinternals. But when i restore deleted users, all their existing attributes (such as telephone, fax dispalyname, sn, givenname,etc..) are not kept after restoration. The account is only disabled. Only their sids are kept. I'd like to find a way to recover all their attributes too that is to say the state they were before deletion. Any ideas ? Thanks in advance. Cheers, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
<<winmail.dat>>
