Restoring deleted security groups in AD

From: Eric Ayre (era_at_BIGPOND.COM)
Date: 04/13/05

  • Next message: Peter McNab: "Re: Re Tues 12th MS Updates. Microsoft Security Bulletins" 
    Date:         Wed, 13 Apr 2005 09:18:25 +1000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Hello,

     

    I have been investigating the restoration process for deleted objects in AD
    in response to the situation where by if you remove IIS from a domain the
    group IIS_WPG gets removed despite the existence of other IIS servers and
    other accounts in this group. Although the problem is fixed in 2003 SP1,
    there is a concern that some one will bring up a standard DC with IIS
    installed then decide to remove IIS as this is not required.

     

    I have been following MS article, 840001 "How to restore deleted user
    accounts and their group memberships in Active Directory", specifically the
    section on "How to manually undelete objects in a deleted object's
    container" as an authoritative restore is viewed as taking too long.

     

    Problem

     

    I can restore a deleted user account and a distribution group when I attempt
    a security group I get the following error.

     

    ***Call Modify...

    ldap_modify_ext_s(ld,
    'CN=MyTestGroup\0ADEL:e9901a47-182e-41e8-b025-888d9e7c5f7a,CN=Deleted
    Objects,DC=mydom,DC=com,DC=au',[2] attrs, SvrCtrls, ClntCtrls);

    Error: Modify: Unwilling To Perform. <53>

    Server error: 0000001F: SvcErr: DSID-031A0FBC, problem 5003
    (WILL_NOT_PERFORM), data 0

     

    I found an article on movetree where by case sensitivity was an issue,
    however this did not help when tested.

    I have not been able find any references in technet for this error.

     

    Any suggestions and explanations will be welcome.

     

    Thanks,

     

    Eric Ayre

     

      

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Peter McNab: "Re: Re Tues 12th MS Updates. Microsoft Security Bulletins"

    Relevant Pages

    • RE: Restore IIS Site and Services
      ... Thank you for posting in SBS newsgroup. ... I do not know your detailed situation and why you need to restore IIS. ... In IIS, select Web Sites, and note the "Identifier" for Default Web Site ...
      (microsoft.public.windows.server.sbs)
    • Re: IIS Stopped working properly.
      ... the best way should be restoring the IIS settings from ... This can restore your Web sites without reinstalling your SBS 2003 server. ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
      (microsoft.public.windows.server.sbs)
    • Re: websites lost
      ... my understanding of this issue is: The Companyweb was lost ... I would suggest we use the IIS History Files feature ... to restore the IIS metabase to see whether the issue can be resolved. ...
      (microsoft.public.windows.server.sbs)
    • RE: viewing secure sites
      ... Can you provide more information from an IIS ... © 2002 Microsoft Corporation. ... I have tried to restore ... the box for disable system restore is checked again. ...
      (microsoft.public.inetserver.iis.security)
    • RE: IIS Problems
      ... have changed settings within IIS which have affected OWA etc provided by ... I am also going to backup my sharepoitn site, ... sharepoint and a restore of the site to ensure these are returned to default. ... properties of the volume in Windows Explorer, the 'Shadow Copies' tab. ...
      (microsoft.public.windows.server.sbs)