Hi,

Just for information, and after talking to my boss, I've just extended our schema and decided to keep these attributes which are necessary in our Intranet: Sn, givenname, displayname (for the Exchange GAL), title, locality, mail and telephonenumber.

We also follow the provisioning/deprovisioning strategy as stated by Jorge, with:
- a deprovisioning OU into which inactive accounts are moved *IF* their lastlogontimestamp > 60 days: a script run every night checks this attribute and moves users to the deprovisioning OU
- a script that grants Associated External Account privileges to SELF in the deprovisioning OU
- at last, a script that deletes disabled users whose lastlogontimestamp > 90 days.

All these are now in place in our production, and work fine :)

With such strategies, I now have a real and good provisioning/deprovisioning "design", and I will use auth restore only at the very, very last resort, but I know that this last resort will give me the chance to have my deleted accounts recovered as they were before deletion.

Thank you to Jorge and Dean for their advice.

Cheers,
Yann
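The two nightly passes Yann describes (park accounts whose lastLogonTimestamp is older than 60 days, then delete parked, disabled accounts older than 90 days), written out as an added example. This is not Yann's production script and postdates the thread: it uses the ActiveDirectory PowerShell module, assumes a deprovisioning OU named OU=Deprovisioning,DC=example,DC=com, and runs in dry-run mode until $WhatIf is set to $false. The separate step that grants Associated External Account to SELF is not reproduced here.

```powershell
# Added example (not the poster's code). Assumed: ActiveDirectory module present,
# an OU named OU=Deprovisioning,DC=example,DC=com, and the 60/90-day thresholds below.
Import-Module ActiveDirectory

$DeprovOU        = 'OU=Deprovisioning,DC=example,DC=com'   # assumption; use your OU
$MoveAfterDays   = 60
$DeleteAfterDays = 90
$WhatIf          = $true   # set to $false only after reviewing the printed candidates

# lastLogonTimestamp is a replicated FILETIME, but a DC only rewrites it when the
# stored value is older than msDS-LogonTimeSyncInterval (14 days by default).
# A "60 day" cutoff therefore really means "no logon for somewhere between 60 and
# 74 days". Accounts that have never logged on have no value at all and do not
# match a "-lt" comparison; handle those separately (e.g. via whenCreated).
$moveCutoff   = (Get-Date).AddDays(-$MoveAfterDays).ToFileTime()
$deleteCutoff = (Get-Date).AddDays(-$DeleteAfterDays).ToFileTime()

# Pass 1: enabled users, not yet parked, whose last logon is older than the cutoff.
$stale = Get-ADUser -Filter { enabled -eq $true -and lastLogonTimestamp -lt $moveCutoff } `
                    -Properties lastLogonTimestamp |
         Where-Object { $_.DistinguishedName -notlike "*,$DeprovOU" }

foreach ($u in $stale) {
    $last = [DateTime]::FromFileTime($u.lastLogonTimestamp)
    Write-Host ("park   {0,-20} last logon {1:yyyy-MM-dd}" -f $u.SamAccountName, $last)
    # Disable before moving and stamp the date so the delete pass can be audited.
    # Note this overwrites any existing description.
    Set-ADUser    -Identity $u -Enabled $false `
                  -Description ("Deprovisioned " + (Get-Date -Format s)) -WhatIf:$WhatIf
    Move-ADObject -Identity $u -TargetPath $DeprovOU -WhatIf:$WhatIf
}

# Pass 2: disabled users already inside the deprovisioning OU whose last logon is
# older than the delete cutoff. Scoping to that OU means a disabled account that
# never went through pass 1 (service account, template) is never deleted here.
$expired = Get-ADUser -SearchBase $DeprovOU -SearchScope OneLevel `
                      -Filter { enabled -eq $false -and lastLogonTimestamp -lt $deleteCutoff } `
                      -Properties lastLogonTimestamp

foreach ($u in $expired) {
    Write-Host ("delete {0,-20}" -f $u.SamAccountName)
    Remove-ADUser -Identity $u -Confirm:$false -WhatIf:$WhatIf
}
```

Because the delete pass is scoped to the deprovisioning OU and to disabled accounts, an account can only be removed after it has sat through the 60-day park step first; anything deleted here still leaves a tombstone, which is what the rest of the thread is about.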
________________________________
From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Mon 11/07/2005 23:36
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

No.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
http://msetechnology.com <http://msetechnology.com/>

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 5:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Thanks for the useful information, Eric. You've only mentioned sidHistory - does the same apply for the password?

/Guido

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 11 July 2005 16:45
To: [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory
> and Password attributes to the tombstone (I believe this
> is only valid for new installation of AD).

Actually, not quite. For sidHistory, the SP1 change in behavior works for existing installations just as well as existing ones. However, to be safe, we didn't actually modify searchFlags. Instead, we added sidHistory to the list of attributes we always preserve on tombstones no matter what the schema tells us we should (there is a list so that you can't subvert replication and strip off more than should be allowed). This was deemed safer than modifying your schema out from under you on SP upgrade. I tend to agree.

This of course leads to the fact that non-SP1 DCs will strip sidHistory where SP1 will keep it. This was well understood, but we did not want a schema change for SP1. So we figured, it was this or wait for Longhorn. We went with this as being better than nothing.

~Eric

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 7:08 AM
To: [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Realize that this search flag can't be applied to all attributes (e.g. linked attributes such as member/memberOf) => as such you will always require a combination of actions to successfully recover users to a previous state. If you do want to leverage the tombstone reanimation feature of 2003 (such as leveraged by Sysinternals' adrestore), you'll have to have mechanisms in place to recover attributes which you can't contain in the tombstone object.

BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this is only valid for new installations of AD). These are the ones that other third-party tools which help with re-populating the missing attributes can't rewrite after tombstone revival occurs => as such I would certainly consider changing these search flags in other AD implementations which leverage restore tools that also use the tombstone reanimation method.

/Guido

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, 9 July 2005 00:03
To: [email protected]
Subject: RE : [ActiveDir] Keep existing attributes from users restored.

Thanks Dean, I will test it.

Cheers,
Yann

________________________________
From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Fri 08/07/2005 18:29
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

<Resent for clarity, odd formatting in previous post ... at least on my end>

... modify the searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion.

1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins)
2. Expand the Schema NC (Naming Context)
3. Locate "cn=<attribute>"
4. Right click it and select Properties
5. Locate and edit the "searchFlags" property
6. Perform a bitwise-or of bit 3 (the 8)
7. Click OK
8. Right click the node in the left pane labeled "Schema [your DC's FQDN]", select "Update Schema Now"

To make my reason for asking clear, I don't think modifying an enterprise property for the sake of recovering slightly more quickly from occasional deletions is particularly good practice ... but that's just me :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 08, 2005 11:30 AM
To: [email protected]
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Out of curiosity Dean, what schema mod is this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 08, 2005 11:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

To do that, you need to modify the schema. The schema modification must be in place before the deletion occurs; are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 08, 2005 11:05 AM
To: [email protected]
Subject: [ActiveDir] Keep existing attributes from users restored.

Hello all :)

I successfully recovered deleted users by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from Sysinternals. But when I restore deleted users, all their existing attributes (such as telephone, fax, displayname, sn, givenname, etc.) are not kept after restoration. The account is only disabled. Only their SIDs are kept.

I'd like to find a way to recover all their attributes too, that is to say the state they were in before deletion.

Any ideas? Thanks in advance.

Cheers,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
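Dean's eight ADSIEDIT steps (OR the value 8 into searchFlags on the attributeSchema object, then "Update Schema Now"), with Guido's caveat that linked attributes such as member/memberOf cannot be preserved this way, as an added scripted example. This is not code from anyone in the thread and postdates it: it assumes the ActiveDirectory PowerShell module, Schema Admins membership, and that writes go to the schema master. It runs in dry-run mode until -DryRun is dropped, and it only affects deletions that happen after the change, exactly as Dean says.

```powershell
# Added example (not from the thread). Sets or clears the preserve-on-delete bit
# in searchFlags so the attribute's value is kept on the tombstone and comes back
# on reanimation. Assumed: ActiveDirectory module, Schema Admins rights.
Import-Module ActiveDirectory

$PRESERVE_ON_DELETE = 8   # searchFlags bit value 8 = fPRESERVEONDELETE ("bit 3" in Dean's steps)

function Set-PreserveOnDelete {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [switch]$Clear,     # remove the bit instead of setting it
        [switch]$DryRun     # print the change but do not write
    )
    $rootDse    = Get-ADRootDSE
    $schemaFsmo = (Get-ADForest).SchemaMaster   # the only DC that accepts schema writes

    $attr = Get-ADObject -Server $schemaFsmo -SearchBase $rootDse.schemaNamingContext `
              -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
              -Properties searchFlags, linkID
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in the schema" }

    # Linked attributes (member/memberOf, manager/directReports, ...) carry a linkID
    # and are not preserved on tombstones regardless of searchFlags, as Guido notes.
    # Refuse rather than silently set a bit that does nothing.
    if ($attr.linkID) {
        throw ("'{0}' is a linked attribute (linkID {1}); the flag cannot preserve it" -f
               $LdapDisplayName, $attr.linkID)
    }

    $old = [int]$attr.searchFlags
    $new = if ($Clear) { $old -band (-bnot $PRESERVE_ON_DELETE) } else { $old -bor $PRESERVE_ON_DELETE }
    if ($new -eq $old) {
        Write-Host ("{0}: searchFlags already {1}, nothing to do" -f $LdapDisplayName, $old)
        return
    }

    Write-Host ("{0}: searchFlags {1} -> {2}" -f $LdapDisplayName, $old, $new)
    if ($DryRun) { return }

    Set-ADObject -Server $schemaFsmo -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }

    # Same effect as "Update Schema Now" in ADSIEDIT: force the schema cache reload.
    $rd = [ADSI]"LDAP://$schemaFsmo/RootDSE"
    $rd.Put('schemaUpdateNow', 1)
    $rd.SetInfo()
}

# The attributes Yann wanted back after reanimation. "l" is the lDAPDisplayName of
# locality. Drop -DryRun to actually write; the bit only helps for deletions that
# occur after it is set, so set it before you need it, not during the incident.
'sn', 'givenName', 'displayName', 'title', 'l', 'mail', 'telephoneNumber' |
    ForEach-Object { Set-PreserveOnDelete -LdapDisplayName $_ -DryRun }
```

Worth repeating Dean's point before running it without -DryRun: searchFlags is a forest-wide schema property, and the value you set is what every DC in the forest will honour from the next deletion onward. Group membership, and per Dean's one-word reply the password, still have to be rebuilt by other means after a reanimation.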
