Recipe 16.17 Restoring a Deleted Object
This recipe must be run against a Windows Server 2003 domain controller.
16.17.1 Problem
You want to restore an object that was previously deleted.
16.17.2 Solution
16.17.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
4. For Port, enter 389. Click OK.
5. From the menu, select Connection → Bind.
6. Enter credentials of a user that can restore the deleted object (only administrators for the domain by default). Click OK.
7. From the menu, select Options → Controls.
8. Select Return deleted objects from the Load Predefined selection. Click OK.
9. From the menu, select Browse → Modify.
10. For Dn, enter the distinguished name of the deleted object you want to restore.
11. For Attribute, enter distinguishedName. For Values, enter the original DN of the object. For Operation, select Replace. Click Enter.
12. For Attribute, enter isDeleted. For Values, remove any text. For Operation, select Delete. Click Enter.
13. Add mandatory attributes as necessary: For Attribute, enter <MandatoryAttribute>. For Values, enter <MandatoryAttributeValue>. For Operation, select Add. Click Enter.
14. Check the box beside Extended.
15. Click Run. The results will be displayed in the right pane.
16.17.3 Discussion
Windows Server 2003 supports restoring tombstone (deleted) objects that have not yet expired. This is an alternative to performing an authoritative restore for an object that was accidentally deleted. The downside to this approach is that most attributes you care about (excluding those in Table 16-1) are not retained on tombstone objects, so the restored object will only be a shadow of its former self.
Here are the basic steps to restore a deleted object:

1. Enable the Return Deleted Objects control (1.2.840.113556.1.4.417).
2. Remove the isDeleted attribute of the object (do not simply set it to FALSE).
3. Replace the distinguishedName attribute with its new location in the tree.
4. Restore any mandatory attributes.

Steps 2 through 4 should all be done in a single LDAP modify operation.
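The following is an added example, not code from the cookbook or from LDP. It builds the single modify request described in the steps above as an ordered change list and as an LDIF fragment, and runs a few sanity checks a defender would want before sending the request (isDeleted is deleted rather than set to FALSE, distinguishedName is replaced, and the new DN no longer points into the Deleted Objects container). Only the Python standard library is used; no directory connection is made. The DNs, the tombstone GUID and the mandatory attribute below are constructed sample values; the `\0ADEL:` RDN form is the tombstone naming Active Directory uses and is not mentioned on the page.

```python
"""Build and check the one-shot LDAP modify that reanimates a tombstone.

Added example, not part of the original recipe. Assumes only the
standard library; the DNs and values used at the bottom are constructed.
"""
from typing import Dict, List, Tuple

# OID of the Return Deleted Objects control named in the recipe.
SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"

# Marker that appears in the RDN of a tombstone (CN=name\0ADEL:<guid>).
TOMBSTONE_MARKER = "\\0ADEL:"

Change = Tuple[str, str, List[str]]  # (operation, attribute, values)


def build_reanimate_changes(new_dn: str, mandatory: Dict[str, str]) -> List[Change]:
    """Return the modifications in the order the recipe lists them.

    All of them belong in ONE modify request: delete isDeleted (do not set
    it to FALSE), replace distinguishedName with the restore location,
    then add whatever mandatory attributes the object class requires.
    """
    changes: List[Change] = [
        ("delete", "isDeleted", []),
        ("replace", "distinguishedName", [new_dn]),
    ]
    for attr, value in sorted(mandatory.items()):
        changes.append(("add", attr, [value]))
    return changes


def to_ldif(tombstone_dn: str, changes: List[Change]) -> str:
    """Render the request as an LDIF modify record carrying the control.

    RFC 2849 allows a 'control:' line after 'dn:'; the trailing 'true'
    marks the control as critical so a server that cannot honour it
    rejects the request instead of silently ignoring the control.
    """
    lines = [
        f"dn: {tombstone_dn}",
        f"control: {SHOW_DELETED_CONTROL} true",
        "changetype: modify",
    ]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        for value in values:
            lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


def check_reanimate_changes(changes: List[Change]) -> List[str]:
    """Return a list of problems; an empty list means the request is sane."""
    problems: List[str] = []
    ops = {(op, attr.lower()) for op, attr, _ in changes}
    if ("delete", "isdeleted") not in ops:
        problems.append("isDeleted must be deleted in this same request")
    if ("replace", "isdeleted") in ops or ("add", "isdeleted") in ops:
        problems.append("isDeleted must be removed, not set to FALSE")
    if ("replace", "distinguishedname") not in ops:
        problems.append("distinguishedName must be replaced with the restore location")
    for op, attr, values in changes:
        if attr.lower() == "distinguishedname" and any(TOMBSTONE_MARKER in v for v in values):
            problems.append("new distinguishedName still points at the tombstone")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    tombstone = ("CN=jdoe\\0ADEL:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,"
                 "CN=Deleted Objects,DC=example,DC=com")
    restored = "CN=jdoe,OU=Sales,DC=example,DC=com"
    mods = build_reanimate_changes(restored, {"sAMAccountName": "jdoe"})
    print(to_ldif(tombstone, mods))
    print("problems:", check_reanimate_changes(mods))
```

The LDIF output is what an LDIF-aware client such as OpenLDAP's ldapmodify would send; with LDP you enter the same three modifications in the Modify dialog and tick Extended so the control is attached, which is the GUI equivalent of the `control:` line.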
After the object has been restored, you can repopulate any optional attributes that were set previously. By default, only members of the administrator groups can restore deleted objects. You can delegate control over restoring deleted objects by granting the Reanimate Tombstone extended right to a user or group. The user or group will also need rights to modify attributes of the restored object, including the ability to create child objects in the container the object is restored to.
Granting the privilege to restore objects should be done with caution. A user could restore a user object and, after setting the password, log in with the account. This could give the user access to resources he was not supposed to have.
16.17.4 See Also
Recipe 16.16 for searching for deleted objects and MSDN: Restoring Deleted Objects