Ask The Win IT Expert: Questions & Answers
Unable to restore critical information after moving user accounts via LDIF

EXPERT RESPONSE FROM: Paul Hinsberg

QUESTION POSED ON: 21 November 2004
In my company we cannot just delete user accounts due to regulatory restrictions. While I can export the user information via LDIF, I cannot restore the most critical information, like group memberships and SID. I have tried using the AD migration tool to move disabled IDs to a different domain, but that has restrictions and quirks as well. Our Win2k AD tombstones objects in 60 days, which is not a long enough period to keep IDs should I need to restore them. Any ideas?

EXPERT RESPONSE
Interesting issue... I could see why using LDIF or moving the accounts to another domain may cause issues, primarily issues with the SID and maintaining that SID through the transitions. ADMT might assist in the move from the domains, but will still leverage a SID-history mechanism that could lead to issues. An interesting possibility is to move the disabled accounts to an OU. Create a highly restrictive GPO and apply it specifically to the OU. Use a group, like disabled_accounts, and specifically deny network logons, deny logon locally, deny logon as a service, deny logon as a batch job. When you need to prevent a user from accessing resources, you add them to this restrictive group and OU. The group policy is applied and they are prevented from getting to any resource in the organization. Since the account is not deleted or disabled, it will be retained as long as you need it. Keep in mind that I have not tried this myself and I would strongly suggest setting up a testing AD in an isolated lab to make sure that it is working appropriately (preventing the people you don't want and not affecting the remaining population). The last thing you want to do is cripple the entire organization with a GPO.
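A lab check for the GPO described in the answer above, as an added example that is not part of the original response: it reads the `[Privilege Rights]` section of the policy's security template and reports any of the four deny rights that is missing the restricted group or is assigned to a principal covering the whole population. It assumes the template has already been read and decoded to text; the group SID and the sample template are constructed.

```python
import re

# The four deny rights named in the answer, as written under [Privilege Rights].
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight": "deny network logons",
    "SeDenyInteractiveLogonRight": "deny logon locally",
    "SeDenyServiceLogonRight": "deny logon as a service",
    "SeDenyBatchLogonRight": "deny logon as a batch job",
}
# Everyone, Authenticated Users, BUILTIN\Users, and Domain Users (RID 513).
BROAD = re.compile(r"^S-1-1-0$|^S-1-5-11$|^S-1-5-32-545$|^S-1-5-21-[\d-]+-513$")

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            principals = [p.strip().lstrip("*") for p in value.split(",")]
            rights[name.strip()] = [p for p in principals if p]
    return rights

def audit(inf_text, group_sid):
    """List problems: a deny right missing the group, or given to a broad SID."""
    rights, problems = privilege_rights(inf_text), []
    for right, label in DENY_RIGHTS.items():
        principals = rights.get(right, [])
        if group_sid not in principals:
            problems.append(f"{right} ({label}): group not assigned")
        problems.extend(f"{right} ({label}): broad principal {p}"
                        for p in principals if BROAD.match(p))
    return problems

# Constructed sample: hypothetical SID for the disabled_accounts group, and a
# template with one right missing and one right also given to Authenticated Users.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *{GROUP_SID}
SeDenyInteractiveLogonRight = *{GROUP_SID},*S-1-5-11
SeDenyServiceLogonRight = *{GROUP_SID}
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE_INF, GROUP_SID):
        print(problem)
```

An empty result means all four deny rights name only the restricted group, which is the state to confirm in the isolated lab before linking the GPO to the OU.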
