RE: [ActiveDir] Keep existing attributes from users restored.

[Grillenmeier, Guido]

Title: RE: [ActiveDir] Keep existing attributes from users restored.

thanks Eriic for lending me that i - I've just added another one to your name so you won't have to miss out on one in your next mail ;-)   ok - I've just checked myself as well - keeping the password was more like wishful thinking as I've planned before to change the searchFlags to keep it since it's another one of those attributes you wouldn't be able to store offline => however, I do agree it's not critical.    Though even that statement certainly "depends" => if you just have to recover a single user or a few, you wouldn't worry about the password and simply set it after tombstone reanimation. If you have to recover a whole OU with many users, setting the PW and communicating it to the users could be quite a pain-point.  As such - if you can't recover it online (i.e. via tombstone reanimation), I'd actually vote for the native auth.-restore to get back as much as I can (and then tackle to repair the missing links etc.)...   Towards what Al wrote: I don't see recovering users with passwords more of a security risk than recovering them without the password => this is not a process that normal users can perfom anyways and a service admin has a multitude of options to circumvent AD security. And since the PW won't ever be readable, I don't really see the point.   /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Dienstag, 12. Juli 2005 00:09 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. Having been in this code before, I never noticed this applying to passwords. I don’t believe we keep them on tombstones today. Can you confirm that we do in fact keep them on tombstones as of SP1? If so I’ll take a peak at this in further detail to see if there is some magic there that I just didn’t pick up on last time through. But I didn’t think we did.   ~Erc (Where’s did the i in my name go? Well, when you replied in the last mail, you forgot the i in your name, so I’ve taken it out of mine so you can borrow it for your next reply.)     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 2:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored.   thanks for the useful information, Eric.  You've only mentioned sidHistory - does the same apply for the password?   /Gudo   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Montag, 11. Juli 2005 16:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. > BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this > is only valid for new installation of AD).   Actually, not quite. For sidHistory, the SP1 change in behavior works for existing installations juts as well as existing ones. However, to be safe, we didn’t actually modify searchFlags. Instead, we added sidHistory to the list of attributes we always preserve on tombstones no matter what the schema tells us we should (there is a list so that you can’t subvert replication and strip off more than should be allowed). This was deemed safer than modifying your schema out from under you on SP upgrade. I tend to agree. This of course leads to the fact that non-SP1 DCs will strip sidHistory where SP1 will keep it. This was well understood, but we did not want a schema change for SP1. So we figured, it was this or wait for Longhorn. We went with this as being better than nothing.   ~Eric         From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 7:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored.   realize that this search-flag can't be applied to all attributes (e.g. linked attributes such as member/memberOf) => as such you will always require a combination of actions to successfully recover users to a previous state.  If you do want to leverage the tombstone reanimation feature of 2003 (such as leveraged by SysInternal's adrestore), you'll have to have mechanisms in place to recover attributes which you can't contain in the tombstone object.   BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this is only valid for new installation of AD). These are the ones that other third-party tools which help with re-populating the missing attributes can't rewrite after tombstone revival occures => as such I would certainly consider changing these search flags in other AD implementations, which leverage restore tools that also use the tombstone reanimation method.   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Samstag, 9. Juli 2005 00:03 To: ActiveDir@mail.activedir.org Subject: RE : [ActiveDir] Keep existing attributes from users restored. Thanks Dean,   I will test it.   Cheers,   Yann De: [EMAIL PROTECTED] de la part de Dean Wells Date: ven. 08/07/2005 18:29 À: Send - AD mailing list Objet : RE: [ActiveDir] Keep existing attributes from users restored. <Resent for clarity, odd formatting in previous post ... at least on my end> ... modify the searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion. 1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins) 2. Expand the Schema NC (Naming Context) 3. Locate "cn=<attribute>" 4. Right click it and select Properties 5. Locate and edit the "searchFlags" property 6. Perform a bitwise-or of bit 3 (the 8) 7. Click OK 8. Right click the node in the left pane labeled "Schema [your DC's FQDN]", select "Update Schema Now" To make my reason for asking clear, I don't think modifying an enterprise property for the sake of recovering slightly more quickly from occasional deletions is particularly good practice ... but that's just me :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 08, 2005 11:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. Out of curiosity Dean, what schema mod is this? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells Sent: Friday, July 08, 2005 11:20 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. To do that, you need to modify the schema.  The schema modification must be in place before the deletion occurs, are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN Sent: Friday, July 08, 2005 11:05 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Keep existing attributes from users restored. Hello all :) I recovered deleted users from deletion succesfully by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from sysinternals. But when i restore deleted users, all their existing attributes (such as telephone, fax dispalyname, sn, givenname,etc..) are not kept after restoration. The account is only disabled. Only their sids are kept. I'd like to find a way to recover all their attributes too that is to say the state they were before deletion. Any ideas ? Thanks in advance. Cheers, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/