Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed passwords, however this was an unlikely event with the computers recently joined to the newly created domain. In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.

I agree on user objects - and if I'd decide to keep the password for computer accounts in the tombstone I would prefer to put a procedure in place to change a user's password before deleting it.

Greetings - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Tuesday, April 18, 2006 11:19 PM
|To: [email protected]
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Steele, Aaron [BSD] - ADM wrote:
|> Hi there all,
|>
|> Does anyone here know why Microsoft chose not to include the
|> attributes related to user password and sidHistory in the tombstone of
|> an object upon deletion?
|> Was it a security decision?
|> I would like to get some input from people here before I go and update
|> my schema to enable the restoration of these properties from the
|> tombstone'd object.
|
|Personally I would not like to preserve password attribute on tombstone
|- I don't see a reason for that, and yes, IMO it can be seen as possible
|security threat. If user is deleted and restoring it requires admin
|action it is just another logical step to reset its password.
|
|SID History attribute is preserved as with SP1 on Windows 2003 DC.
|~Eric wrote about it some time ago:
|http://blogs.technet.com/efleis/archive/2005/07/12/407648.aspx
|
|and this is OK - when you want to restore object and probably its group
|membership etc. preserving SID History is good solution.
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
|List info : http://www.activedir.org/List.aspx
|List FAQ : http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
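The schema change the thread debates is the searchFlags bit that keeps an attribute on the tombstone (fPRESERVEONDELETE, value 0x8). The following script is an added example, not from any participant in the thread: it audits which attributes in a forest's schema currently carry that bit and warns if any credential-bearing attribute does, so an admin can review the decision before or after enabling restore of extra properties. It assumes the RSAT ActiveDirectory module and read access to the schema partition; the attribute list in $CredentialAttrs is the author's choice of password-related attributes.

```powershell
# Added example: audit attributeSchema objects whose searchFlags include the
# preserve-on-tombstone bit (fPRESERVEONDELETE = 0x8) and flag credential attributes.
# Assumes the RSAT ActiveDirectory module; run as a user who can read the schema NC.
Import-Module ActiveDirectory

$PreserveOnDelete = 0x8   # searchFlags bit 3: keep the attribute on logical deletion

# Password/credential attributes that the thread argues should not survive deletion.
# (List chosen for this example; extend it to match your own policy.)
$CredentialAttrs = @('unicodePwd', 'dBCSPwd', 'ntPwdHistory', 'lmPwdHistory',
                     'supplementalCredentials')

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) performs the bitwise test on the DC,
# so only attributes that actually carry the bit are returned.
$filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$PreserveOnDelete))"

$preserved = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
               -Properties lDAPDisplayName, searchFlags)

"{0} attribute(s) are preserved on tombstones in {1}:" -f $preserved.Count, $schemaNC
$preserved | Sort-Object lDAPDisplayName |
    Format-Table lDAPDisplayName,
                 @{ Name = 'searchFlags'; Expression = { '0x{0:X}' -f $_.searchFlags } } -AutoSize

# Defensive check: a credential attribute carrying the bit means a deleted account's
# password material lingers for the whole tombstone lifetime and comes back on reanimation.
$leaks = $preserved | Where-Object { $CredentialAttrs -contains $_.lDAPDisplayName }
if ($leaks) {
    Write-Warning ("Credential attributes flagged for tombstone preservation: " +
                   ($leaks.lDAPDisplayName -join ', '))
} else {
    "No credential attributes are preserved on tombstones."
}
```

On a Windows Server 2003 SP1 or later schema the listing should include sIDHistory, which matches Tomasz's observation above; anything in $CredentialAttrs appearing in the warning is worth a change-control review.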
