Reviving the Dead
As I mentioned, Windows 2003 provides the ability to recover tombstone objects, a useful capability. If, for example, you accidentally delete a user object, you can't just create a new object and expect everything to work for the user as it did before, partly because the new user object will have a new SID. When you grant a user permission to a file or AD object, that user's SID resides in the file's or AD object's ACL. If you create a new user account, every previously set ACL needs to be modified to include the new account's SID. One attribute that a tombstoned user object retains is objectSID, which contains the user's SID, so in this situation you can restore the deleted user object and keep the original SID, reducing some of the work necessary to get the user running again.
But don't get too excited yet. Tombstone objects are shells of their former selves, so restoring a tombstone doesn't restore the object to all of its former glory. Let's walk through the steps to restore a tombstone by using the Windows 2003 version of Ldp. (A Win2K version of Ldp is also available, but it lacks some of the functionality I describe in the following steps.)
- Open Ldp, connect and bind to a DC, and enable Ldp's Return Deleted Objects LDAP control, as the sidebar "Searching for Tombstones" explains.
- Select View, Tree from the Ldp menu bar. Enter the DN of the DC's Deleted Objects container (e.g., cn=Deleted Objects,dc=rallencorp,dc=com) and click OK. The Deleted Objects container appears in the tool's left pane, as Figure 1 shows. Expand the container to view all the tombstone objects in the container. Right-click the object you want to restore and select Modify from the context menu. Remove the object's isDeleted attribute by typing isDeleted in the Modify dialog box's Attribute field. Leave the Values field blank. Under Operation, select Delete, then click Enter. . . .
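Added example (not from the article): the same reanimation sent as one LDAP modify from PowerShell through System.DirectoryServices.Protocols. It also replaces distinguishedName in the same request, which the DC requires alongside removing isDeleted, and it attaches the Show Deleted control that Ldp labels Return Deleted Objects. The DC name and both DNs are placeholders you supply.

```powershell
# Added example, not from the article: reanimate an AD tombstone with a single
# LDAP modify, the operation Ldp performs in the walkthrough above.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-Tombstone {
    param(
        [Parameter(Mandatory)][string]$Server,       # placeholder: a DC, e.g. dc1.rallencorp.com
        [Parameter(Mandatory)][string]$TombstoneDN,  # placeholder: DN under cn=Deleted Objects
        [Parameter(Mandatory)][string]$NewDN         # placeholder: DN the object should get back
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Sealing = $true   # encrypt the session; this is a privileged write
    $conn.Bind()                            # current credentials; caller needs the Reanimate Tombstones right

    # Change 1: remove isDeleted (attribute name only, no value), as in the Ldp Modify dialog.
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Change 2: give the object its live DN back; the DC rejects the undelete without it.
    $setDN = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDN.Name = 'distinguishedName'
    $setDN.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDN.Add($NewDN)

    # Both changes travel in one ModifyRequest against the tombstone's current DN.
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest($TombstoneDN, @($delIsDeleted, $setDN))
    # Same control Ldp calls "Return Deleted Objects" (OID 1.2.840.113556.1.4.417).
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    try {
        $resp = $conn.SendRequest($req)
        return $resp.ResultCode   # Success once the object is live again
    } finally {
        $conn.Dispose()
    }
}
```

After a Success result, read objectSid on the restored DN and confirm it matches the tombstone's; the object comes back as the shell described above, so the remaining attributes must be repopulated.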