Steele, Aaron [BSD] - ADM wrote:
Hi there all,
Does anyone here know why Microsoft chose not to include the attributes
related to user password and sidHistory in the tombstone of an object
upon deletion?
Was it a security decision?
I would like to get some input from people here before I go and update
my schema to enable the restoration of these properties from the
tombstoned object.
Personally I would not like to preserve the password attribute on the
tombstone - I don't see a reason for that, and yes, IMO it can be seen as
a possible security threat. If a user is deleted and restoring it requires
admin action, it is just another logical step to reset its password.
The SID History attribute is preserved as of SP1 on Windows 2003 DCs. ~Eric
wrote about it some time ago:
http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx
and this is OK - when you want to restore an object and probably its group
membership etc., preserving SID History is a good solution.
--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
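An added example to go with this thread (it is not code from either poster): a quick way to check, on your own forest, which attributes the schema marks "preserve on delete" and whether a given tombstone actually carries sIDHistory. It assumes the RSAT ActiveDirectory module, read access to the schema naming context, and that searchFlags bit 0x8 (fPRESERVEONDELETE) is the flag that controls this; the account name 'jdoe' is a placeholder.

```powershell
# Added example, not from the thread: audit which attributes survive on a
# tombstone in this forest and inspect one deleted user.
# Assumptions: RSAT ActiveDirectory module is installed; searchFlags bit 0x8
# (fPRESERVEONDELETE) marks attributes that are kept on the tombstone.
Import-Module ActiveDirectory

$PreserveOnDelete = 0x8   # fPRESERVEONDELETE in searchFlags (assumed bit value)

function Get-TombstonePreservedAttributes {
    # Ask the DC directly which attributeSchema objects have the bit set.
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the test is
    # evaluated server-side instead of pulling every attribute down.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$PreserveOnDelete))"
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags |
        Sort-Object lDAPDisplayName
}

function Get-TombstoneForUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Tombstones sit under CN=Deleted Objects and are filtered out of normal
    # searches; -IncludeDeletedObjects is required to see them at all.
    Get-ADObject -IncludeDeletedObjects -Properties * `
        -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
}

# 1. What does the schema say is preserved?
$preserved = Get-TombstonePreservedAttributes
"{0} attribute(s) flagged preserve-on-delete in this forest" -f @($preserved).Count
$preserved | Format-Table -AutoSize

# Expectation from the thread: sIDHistory is flagged on 2003 SP1 and later,
# the password attributes are not.
foreach ($name in 'sIDHistory', 'unicodePwd', 'dBCSPwd') {
    $flagged = [bool]($preserved | Where-Object { $_.lDAPDisplayName -eq $name })
    "{0,-12} preserved on tombstone: {1}" -f $name, $flagged
}

# 2. Does a real tombstone match the schema? ('jdoe' is a placeholder account.)
$ts = Get-TombstoneForUser -SamAccountName 'jdoe'
if ($ts) {
    "Tombstone: {0}" -f $ts.DistinguishedName
    "Carries sIDHistory: {0}" -f ($ts.PropertyNames -contains 'sIDHistory')
    # Anything present on the tombstone that the schema does not flag is worth
    # a second look: it was either preserved by default or by a custom change.
    $unexpected = $ts.PropertyNames | Where-Object {
        $_ -notin @($preserved.lDAPDisplayName) -and
        $_ -notin 'distinguishedName','name','objectClass','objectGUID','objectSid',
                  'isDeleted','lastKnownParent','sAMAccountName','nTSecurityDescriptor',
                  'uSNChanged','uSNCreated','whenChanged','whenCreated','instanceType',
                  'DistinguishedName','Name','ObjectClass','ObjectGUID','Deleted'
    }
    "Other attributes on the tombstone: {0}" -f ($unexpected -join ', ')
} else {
    "No tombstone found for 'jdoe' (or it has already been garbage-collected)."
}
```

Run this against a test forest before and after any searchFlags change so you can see exactly which extra attributes a tombstone starts carrying. The final list of "expected" base attributes in the script is a rough allow-list, not the authoritative set, so treat anything it reports as a prompt to check the schema rather than as proof of a custom change.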