authoritative restore & group memberships

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

An attribute was changed on 1800 users and we thought about trying an
authoritative restore. The old attribute should be restored on all the
objects once that is done.

I was wondering if group memberships would be affected at all. The groups
would not be marked as authoritative.

I saw these articles

http://support.microsoft.com/default.aspx?scid=kb;en-us;280079#kb2
Authoritative restore of groups can result in inconsistent membership
information across domain controllers

http://support.microsoft.com/kb/840001/
How to restore deleted user accounts and their group memberships in Active
Directory


This excerpt from the first article caught my eye

"Note This issue may occur even if the users are authoritatively restored
and the groups are not. If a System State restore is done and only users are
marked as authoritative, their group membership will be restored on the
domain controller that the restore was done on (because the forward links in
the group objects would have been restored in the System State restore). If
the membership of the groups has not changed since the System State backup
was done, no replication for the groups will be done after the restore. This
results in inconsistent group membership between domain controllers. Changing
the membership to the group on one domain controller will replicate the
current contents of that group on that domain controller to the other domain
controllers. "


So will the group memberships be inconsistent?

Thanks
Mike

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Just a short note: wouldn't it be better to write a small vbs script that
uses LDAP to go through your AD and reverts back the value of that
attribute. The scripts are pretty easy to write and there are hundreds
available. I've done this dozens of times to manage users in my AD.

BTW, which container and attribute got changed?

Just a thought.

--
Mark-Allen Perry
ALPHA Systems
Marly, Switzerland
mark-allen_AT_mvps_DOT_org


"MKline" <MKline@discussions.microsoft.com> wrote in message
news:3F1C0EA4-2A4F-4930-9DC5-81E0C8065976@microsoft.com...
> An attribute was changed on 1800 users and we thought about trying an
> authoritative restore. The old attribute should be restored on all the
> objects once that is done.
>
> I was wondering if group memberships would be affected at all. The groups
> would not be marked as authoritative.
>
> I saw these articles
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;280079#kb2
> Authoritative restore of groups can result in inconsistent membership
> information across domain controllers
>
> http://support.microsoft.com/kb/840001/
> How to restore deleted user accounts and their group memberships in Active
> Directory
>
>
> This excerpt from the first article caught my eye
>
> "Note This issue may occur even if the users are authoritatively restored
> and the groups are not. If a System State restore is done and only users
are
> marked as authoritative, their group membership will be restored on the
> domain controller that the restore was done on (because the forward links
in
> the group objects would have been restored in the System State restore).
If
> the membership of the groups has not changed since the System State backup
> was done, no replication for the groups will be done after the restore.
This
> results in inconsistent group membership between domain controllers.
Changing
> the membership to the group on one domain controller will replicate the
> current contents of that group on that domain controller to the other
domain
> controllers. "
>
>
> So will the group memberships be inconsistent?
>
> Thanks
> Mike
>
>
>
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Mark,

Yes the script of ADModify would have worked for most of the changes. What
happened here was that someone rebuilt the RUS and it set new primary e-mail
address for the users. We wanted to revert back to the old primary and our
users have different formats for their addresses (depending on what company
they work for)

Thanks
Mike


"Mark-Allen Perry" wrote:

> Just a short note: wouldn't it be better to write a small vbs script that
> uses LDAP to go through your AD and reverts back the value of that
> attribute. The scripts are pretty easy to write and there are hundreds
> available. I've done this dozens of times to manage users in my AD.
>
> BTW, which container and attribute got changed?
>
> Just a thought.
>
> --
> Mark-Allen Perry
> ALPHA Systems
> Marly, Switzerland
> mark-allen_AT_mvps_DOT_org
>
>
> "MKline" <MKline@discussions.microsoft.com> wrote in message
> news:3F1C0EA4-2A4F-4930-9DC5-81E0C8065976@microsoft.com...
> > An attribute was changed on 1800 users and we thought about trying an
> > authoritative restore. The old attribute should be restored on all the
> > objects once that is done.
> >
> > I was wondering if group memberships would be affected at all. The groups
> > would not be marked as authoritative.
> >
> > I saw these articles
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;280079#kb2
> > Authoritative restore of groups can result in inconsistent membership
> > information across domain controllers
> >
> > http://support.microsoft.com/kb/840001/
> > How to restore deleted user accounts and their group memberships in Active
> > Directory
> >
> >
> > This excerpt from the first article caught my eye
> >
> > "Note This issue may occur even if the users are authoritatively restored
> > and the groups are not. If a System State restore is done and only users
> are
> > marked as authoritative, their group membership will be restored on the
> > domain controller that the restore was done on (because the forward links
> in
> > the group objects would have been restored in the System State restore).
> If
> > the membership of the groups has not changed since the System State backup
> > was done, no replication for the groups will be done after the restore.
> This
> > results in inconsistent group membership between domain controllers.
> Changing
> > the membership to the group on one domain controller will replicate the
> > current contents of that group on that domain controller to the other
> domain
> > controllers. "
> >
> >
> > So will the group memberships be inconsistent?
> >
> > Thanks
> > Mike
> >
> >
> >
> >
> >
> >
>
>
>