Ulf B. Simon-Weidner wrote:
Unfortunately the password is the same attribute for users and computers. I
thought recently about putting the password in the tombstone to ease computer
account reanimation - after the account is deleted the computer is not able
to change its password, and if it was deleted accidentally it's easy to
reanimate the account and the computer will still be happy.

I know that it'll be easy to put the computers in the domain again, however
I've had a customer with hundreds of sites which lost a couple hundred
computer accounts across those sites, and bandwidth didn't allow us to remotely
script the addition of the computer accounts to the domain via netdom. We
were able to perform an authoritative restore, and were lucky that we lost
almost no computer accounts due to changed passwords, however this was an
unlikely event since the computers had recently joined the newly created domain.
In running domains we'd have to calculate an average of 1/15th of computers
per day of the age of the backup to join manually.

I agree on user objects - and if I decided to keep the password for
computer accounts in the tombstone I would prefer to put a procedure in
place to change a user's password before deleting it.


Yup, I can agree with it - but still I don't like the idea of restoring the user with the old password. What about password age and complying with security policy - I can imagine a situation in which a user's password was 89 days old (with a 90-day maximum password age), then was deleted and restored - the password will be valid for another 90 days. What about complexity requirements?



--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
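The two concerns in this exchange - computers that rotated their machine password after the backup was taken (so the restored account no longer matches and the machine must be rejoined), and restored users carrying an old password back into the directory - can both be audited from pwdLastSet once the restore has replicated. The following PowerShell is an added example, not code from either poster; it assumes the ActiveDirectory module, that machine accounts rotate their password every 30 days (the default, overridable via $MachinePasswordAgeDays), and that $BackupTime is the UTC time the restored backup was taken.

```powershell
# Added example: audit restored accounts after an authoritative restore or
# tombstone reanimation. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# pwdLastSet is stored as a 64-bit FILETIME; 0 means "must change at next logon".
function ConvertFrom-PwdLastSet {
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

# A restored computer object carries the machine password as it was at backup
# time. If the computer's next scheduled password change (pwdLastSet plus the
# machine password age) fell between the backup and now, the computer has very
# probably rotated its local secret, the restored copy will not match, and the
# machine needs a rejoin. This lists those candidates instead of guessing a
# per-day fraction.
function Get-ComputersLikelyNeedingRejoin {
    param(
        [Parameter(Mandatory)][DateTime]$BackupTime,
        [int]$MachinePasswordAgeDays = 30,   # assumption: default machine password age
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties pwdLastSet |
        ForEach-Object {
            $last = ConvertFrom-PwdLastSet $_.pwdLastSet
            $due  = if ($last) { $last.AddDays($MachinePasswordAgeDays) } else { $null }
            [PSCustomObject]@{
                Name         = $_.Name
                PwdLastSet   = $last
                NextDue      = $due
                # flagged when the scheduled change was due after the backup and before now
                RejoinLikely = ($null -ne $due -and $due -gt $BackupTime -and $due -le $now)
            }
        } | Where-Object RejoinLikely
}

# A restored user object brings back the old password and its pwdLastSet.
# Forcing a change at next logon keeps the restore from handing the user a
# password that policy would otherwise have expired; complexity is then
# enforced by the domain policy at the time of the new change.
function Set-RestoredUsersMustChangePassword {
    param([Parameter(Mandatory)][string[]]$Identity)   # sAMAccountNames or DNs of restored users
    foreach ($id in $Identity) {
        Set-ADUser -Identity $id -ChangePasswordAtLogon $true
    }
}

# Usage, once the restore has replicated:
#   Get-ComputersLikelyNeedingRejoin -BackupTime (Get-Date).AddDays(-20).ToUniversalTime() |
#       Format-Table Name, PwdLastSet, NextDue
#   Set-RestoredUsersMustChangePassword -Identity $restoredUserSamAccountNames
```

Note that the rejoin list is a prediction from the restored pwdLastSet, since the directory cannot see the machine's current local secret; a computer that was powered off over its due date will still authenticate with the restored password and can be dropped from the list after it successfully contacts a domain controller.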
