Re: inserting sids in Active directory
From: Eric Fleischman [MSFT] (efleis_at_online.microsoft.com)
Date: 06/03/04
- Next message: Nick Fletcher: "Delegation not working"
- Previous message: wildbill: "domains"
- In reply to: Jeff Senter: "Re: inserting sids in Active directory"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 3 Jun 2004 08:45:48 -0500
The preferred method here is to actually restore the directory, i.e. don't
recreate; restore the objects you would like to bring back.
~Eric
--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

"Jeff Senter" <jsenter@erols.com> wrote in message news:%23MyOL7WSEHA.3636@TK2MSFTNGP09.phx.gbl...
> A university I do some consulting to asked me the question. What I think
> they want to do is have their LDAP server be their authoritative server.
> They have written a script that loads all of the user data from the AD
> schema (metadata), including the SID, to the LDAP server every night. What
> I think they would like to be able to do is to delete the AD metadata and
> reinsert it without having to do a system state backup. They have figured
> out how to do everything but reinsert the SID. That leaves them with the
> problem that the reinserted user cannot access any of the data because
> the SID is incorrect. I just was wondering if there was a solution?
>
> Jeff
>
> Eric Fleischman [MSFT] wrote:
>
>> When you create a user you can't specify a SID, I'm afraid.
>>
>> The ways to "get a user" with a given SID would be:
>> 1) Restore the user if it has been deleted, either through tombstone
>> reanimation (new feature in 2k03) or by performing a system state restore
>> and marking the object(s) in question as authoritative such that they
>> replicate out and override the deletion
>> 2) You could create a new user which will have a new SID and make a call
>> to DsAddSidHistory (documented on MSDN) and specify the old SID as an
>> entry for sIDHistory on the user. That will let the new user have the old
>> SID as one of the SIDs in their token, but it still wouldn't be their
>> primary SID. But this would let them access resources ACL'd to the old
>> SID.
>>
>> If you don't mind me asking, what's your goal here? Perhaps I could
>> provide better suggestions if I had a better big-picture view of the goals
>> in the question.
>>
>> ~Eric
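An added example, not part of the thread above and not code from either poster, that makes Eric's two points concrete: a re-created account gets a fresh primary SID from the DC, so it no longer matches resource ACLs, whereas a restored object keeps its SID and an account given the old SID via sIDHistory carries it in its token. It also decodes the binary objectSid form that an LDAP export like the university's nightly script would capture. The domain SID, RIDs and the file-share ACL are constructed for illustration; the access check is a deliberate simplification (no group SIDs, no deny ACEs).

```python
"""Why reinserting a SID fails and how sIDHistory closes the gap.

Added example; sample SIDs and the ACL are constructed, not taken from
a real directory.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set


def sid_to_string(sid: bytes) -> str:
    """Decode a binary objectSid / sIDHistory value (what AD returns over
    LDAP) into the textual S-1-5-... form used in ACLs and exports.
    Layout: revision(1) subAuthCount(1) identifierAuthority(6, big-endian)
    subAuthorities(4 each, little-endian)."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, e.g. when reading a nightly export back."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


@dataclass
class User:
    sam_account_name: str
    object_sid: str                        # primary SID, assigned by the DC
    sid_history: List[str] = field(default_factory=list)


def token_sids(user: User) -> Set[str]:
    """SIDs that land in the user's access token: the primary SID plus
    every sIDHistory entry (group SIDs left out to keep the focus)."""
    return {user.object_sid, *user.sid_history}


def can_access(user: User, allowed_sids: Set[str]) -> bool:
    """Simplified ACL check: allowed if any token SID is in the allow set."""
    return bool(token_sids(user) & allowed_sids)


# Constructed values (hypothetical domain and RIDs).
DOMAIN = "S-1-5-21-1000-2000-3000"
OLD_SID = DOMAIN + "-1105"       # SID the nightly export captured
NEW_SID = DOMAIN + "-1203"       # SID the DC hands out on re-create
FILE_SHARE_ACL = {OLD_SID}       # resource ACL'd to the original account


def scenarios() -> Dict[str, bool]:
    """Three ways of 'getting the user back', checked against the ACL."""
    restored = User("jsmith", OLD_SID)           # reanimation / authoritative restore
    recreated = User("jsmith", NEW_SID)          # delete + reinsert from the export
    with_history = User("jsmith", NEW_SID,       # re-create, then DsAddSidHistory
                        sid_history=[OLD_SID])
    return {
        "restored": can_access(restored, FILE_SHARE_ACL),
        "recreated": can_access(recreated, FILE_SHARE_ACL),
        "recreated+sidHistory": can_access(with_history, FILE_SHARE_ACL),
    }


if __name__ == "__main__":
    # Well-known BUILTIN\Administrators SID in its binary form.
    print(sid_to_string(bytes.fromhex("01020000000000052000000020020000")))
    for name, ok in scenarios().items():
        print("%-22s %s" % (name, "access" if ok else "denied"))
```

Only the "recreated" case is denied: the account name is identical, but the token holds a SID the ACL has never seen. Storing the SID string in the export is still worthwhile, since it is exactly the value DsAddSidHistory needs as the sIDHistory entry.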