Exporting AD accounts as a DR mechanism

Question

I ask too many questions...!

We're discussing internally whether it is possible\advisable that, whenever an account is deleted, we perform a flat file data export of the account data.

If so, would it be feasible to be able to import this 'backup' file after the event as a form of rollback capability i.e. could it be re-imported and recover the full account including the password and any group memberships etc?

I know that there are options to strip the SAM data from a record during import/export, so just wondering if this is something that you as AD experts have seen done before? Bit of a poor mans tombstombing as far as I can tell!

Answer 1

Hello,

Whenever an account is deleted, it is impossible to create exactly the same account. You can create an almost completely identical account with the same username, group memberships etc, but it will have, for example, a different Security Identifier (SID). Other properties that are set by the system, for example, When Created, will also be different for the new account. Also, you will not be able to export the user's password, so you will need to set the password during user import.

For an example of a script that exports a user account to a CSV file, see the 5th step of the Run PowerShell Script after Creating a User Tutorial at http://www.adaxes.com/tutorials_Automat ... ngUser.htm.

For information on how to import user accounts from CSV files, see Import User Accounts from a CSV File. Note, however, that if you import certain properties that can be set by the system only (such as Member Of or Direct Reports), you need to handle them in a special way. For example, instead of trying to change the Member Of property directly, in your script you need to bind to the group that is specified in the Member Of property and change the Member property of that group. For example on how to accomplish the task, see the article on adding and removing users from groups in our SDK: http://adaxes.com/sdk/?SampleScripts.Ad ... roups.html.

Comments

Thanks very much - good info to digest.

Out of interest I've read an article somewhere that said, if you set the searchFlags property of the Unicode-Pwd object in your Schema root to "8", this will preserve passwords of deleted objects.

Not sure if/how this could be leveraged alongside an Adaxes scripted restore to retain the old password.

---

This is a little outside of the scope of Adaxes, but you could use the Active Directory recycled bin for such purpose.

It allows to restore the state of an AD object prior its deletion for a certain period (the tombstone value, between 60 and 180 days) and includes SID, password, ...

---

Thanks, and yes to tombstoning.

This was more about being able to resurrect a long deleted account if we ever brought back online a decommisioned system that may have had hardcoded authentication credentials etc. A very narrow use-case but one we've had in the past !

---

Hello,

As Pierre has already mentioned, setting the value of the searchFlags property of the Unicode-Pwd object will affect storing password for deleted objects that go to the tombstone. In the solution with CSV files that we suggested, this is a bit different. Actually, we will be creating a new account that will be an almost exact copy of the deleted account, and that is different from the old account in the tombstone.

As for tombstone management with Adaxes, we have the feature to support Active Directory tombstone/recycled bin in our TODO list. It will be available in one of the future releases.