the point you're missing is that I'm not talking about
groups being deleted and thus memberships being lost. I'm talking about
any object that could be a group member (e.g. users, contacts, computers and
other groups) being deleted and this causing the lost memberships for the
respective object. And it only takes one object to delete a whole lot of
critical users contained herein: one OU. It's easy enough - mistakes can
happen and do happen (via UI and CLI). Believe me, I wouldn't be so deep
into this subject if I hadn't gone through hell for one of my customers, getting
them back on track after they accidentally deleted a whole OU - it was a
nightmare recovering all cross-domain links and for 3 days this had a big impact
on their operations, fileshare access and especially on the messaging (E2K) which
is built around UGs all over the forest...

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 March 2004 15:20
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Protecting Active Directory

I think I see what you're getting at. I did read that whitepaper and it is
interesting.
What I'm trying to get at is that for the scenario of admin fat fingering a group,
recreating the group membership is, IMHO preferred over the hassle of a
restore. Script, etc is fine for figuring out group membership enough to
recreate it. If the group itself gets whacked, that's when I see this type
of solution adding value. You bring up a good point that if the group
encompasses the entire forest and membership gets hosed, that a restore may be
the best way but there are things to be aware of. I don't think this is a
worthwhile approach if it's only one group in most situations. I think
recreating it from a point in time (based on the reference information stored in
a flat file, database, etc) would be a fine approach. It's not until we
get into multiple simultaneous mistakes that it would make sense to me to
have a solution such as what you propose. I'm considering this as a good
idea for a large, multi-domain forest with decentralized administration when
multiple mistakes are made. I just can't see the time and effort of
restoring a group for one mistake making sense.
Am I missing anything in the conversation here? For some reason I feel like
there is something I'm missing, but it's not obvious to me at this point
in time ;-)
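
The two messages above discuss rebuilding memberships from reference information kept in a flat file, and the case where one deleted OU takes many members' links (including cross-domain ones) with it. The sketch below is an added example, not part of either message: it reads a constructed snapshot and lists which group links must be re-added for every object under a deleted OU. All DNs, the snapshot layout and the function names are assumptions made for illustration.

```python
"""Plan group-membership repair after an OU deletion, from a saved snapshot."""
from collections import defaultdict

# Constructed snapshot (stand-in for the flat file): member DN -> group DNs
# the object belonged to at the time the snapshot was taken.
SNAPSHOT = {
    "CN=Alice,OU=Sales,DC=emea,DC=example,DC=com": [
        "CN=Sales-Share,OU=Groups,DC=emea,DC=example,DC=com",
        "CN=Mail-All,OU=Groups,DC=example,DC=com",
    ],
    "CN=Bob,OU=Field,OU=Sales,DC=emea,DC=example,DC=com": [
        "CN=Mail-All,OU=Groups,DC=example,DC=com",
    ],
    "CN=Carol,OU=IT,DC=emea,DC=example,DC=com": [
        "CN=Mail-All,OU=Groups,DC=example,DC=com",
    ],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas in values)."""
    return [part.strip().lower() for part in dn.split(",")]

def domain_of(dn):
    """Return the DNS-style domain name built from the DN's DC components."""
    return ".".join(p[3:] for p in rdns(dn) if p.startswith("dc="))

def is_under(dn, container_dn):
    """True if dn sits anywhere below container_dn, at any nesting depth."""
    d, c = rdns(dn), rdns(container_dn)
    return len(d) > len(c) and d[-len(c):] == c

def links_to_restore(snapshot, deleted_ou):
    """Map each group DN to (member DN, is_cross_domain) pairs to re-add.

    Only objects that lived under deleted_ou are considered. A link is
    flagged cross-domain when the group and the member are in different
    domains, since those are the links the thread calls hardest to recover.
    """
    plan = defaultdict(list)
    for member, groups in snapshot.items():
        if not is_under(member, deleted_ou):
            continue
        for group in groups:
            cross = domain_of(group) != domain_of(member)
            plan[group].append((member, cross))
    return dict(plan)

if __name__ == "__main__":
    plan = links_to_restore(SNAPSHOT, "OU=Sales,DC=emea,DC=example,DC=com")
    for group, members in plan.items():
        for member, cross in members:
            print(("CROSS-DOMAIN " if cross else "same-domain  ") + group + " <- " + member)
```
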
RE: [ActiveDir] Protecting Active Directory
GRILLENMEIER,GUIDO (HP-Germany,ex1) Fri, 05 Mar 2004 07:03:26 -0800