Agreed - as I said I'd put procedures in place to protect user account passwords, but would use tombstones to ease computer account restores.
Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
|Sent: Wednesday, April 19, 2006 12:43 AM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Tombstone attributes
|
|Ulf B. Simon-Weidner wrote:
|> Unfortunately the password is the same attribute for users and computers. I thought recently to put the password in the tombstone to ease computer account reanimation - after the account is deleted the computer is not able to change its password, and if it was deleted accidentally it's easy to reanimate the account and the computer will still be happy.
|>
|> I know that it'll be easy to put the computers in the domain again, however I've had a customer with hundreds of sites which lost a couple hundred computer accounts across those sites, and bandwidth didn't allow us to remotely script the addition of the computer accounts to the domain via netdom. We were able to perform an authoritative restore, and were lucky that we lost almost no computer accounts due to changed passwords; however this was an unlikely event, as the computers had recently joined the newly created domain.
|> In running domains we'd have to calculate an average of 1/15th of computers per day of the age of the backup to join manually.
|>
|> I agree on user objects - and if I'd decide to keep the password for computer accounts in the tombstone I'd prefer to put a procedure in place to change a user's password before deleting it.
|>
|
|Jup, I can agree with it - but still I don't like the idea of restoring the user with the old password. What about password age and complying with security policy - I can imagine a situation in which a user's password was 89 days old (with a 90-day maximum password age), then was deleted and restored - the password will be valid for another 90 days. What about complexity requirements?
|
|--
|Tomasz Onyszko
|http://www.w2k.pl/blog/ - (PL)
|http://blogs.dirteam.com/blogs/tomek/ - (EN)
|List info : http://www.activedir.org/List.aspx
|List FAQ : http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
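A defensive procedure for the trade-off discussed in both messages, as an added example that is not part of the thread: reanimate a tombstoned account and, when the object is a user, immediately require a password change so that a password preserved in the tombstone cannot outlive the maximum password age or bypass complexity rules as Tomasz describes. It assumes the ActiveDirectory PowerShell module (which did not exist when this thread was written) and the `Restore-TombstonedAccount` function name and the sample sAMAccountName are hypothetical.

```powershell
# Added example, not from the list thread. Assumes the ActiveDirectory module
# and a domain where deleted objects are still within the tombstone lifetime.
Import-Module ActiveDirectory

function Restore-TombstonedAccount {
    param(
        # sAMAccountName is preserved on tombstones; computers carry a trailing '$'.
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Locate the tombstone; if the account was deleted more than once, take the
    # most recent deletion.
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
        -Properties objectClass, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending | Select-Object -First 1

    if (-not $deleted) { throw "No tombstone found for '$SamAccountName'." }

    # Reanimate the object back into its last known container.
    Restore-ADObject -Identity $deleted.ObjectGUID

    switch ($deleted.ObjectClass) {
        'computer' {
            # A computer whose password survived in the tombstone keeps its secure
            # channel; if it did not, the machine must be rejoined (netdom) instead.
            Write-Verbose "Restored computer account $SamAccountName."
        }
        'user' {
            # A user must not keep an aged or non-compliant password after restore:
            # pwdLastSet is reset so the next logon forces a new, policy-checked password.
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
            Write-Verbose "Restored user $SamAccountName and forced password change at logon."
        }
        default {
            Write-Verbose "Restored $($deleted.ObjectClass) object $SamAccountName."
        }
    }
}

# Hypothetical usage (sample names, not from the thread):
# Restore-TombstonedAccount -SamAccountName 'WKS01$' -Verbose
# Restore-TombstonedAccount -SamAccountName 'jdoe' -Verbose
```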