Re: Restoring deleted security groups in AD

From: Eric Ayre (era_at_BIGPOND.COM)
Date: 04/21/05

  • Next message: Joe Dance: "MS Updates SP1 for Windows Server 2003" 
    Date:         Thu, 21 Apr 2005 21:42:32 +1000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    All,

    Thanks for your responses.

    Microsoft have confirmed an issue restoring security groups from deleted
    objects. See Microsoft article http://support.microsoft.com/?kbid=830769
    applying the available patch corrected the problem.

    Eric Ayre

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Johny Wishbone
    Sent: Friday, 15 April 2005 4:29 AM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Re: Restoring deleted security groups in AD

    Ensure that you have permissions on the source and destination domains
    to complete the move. The following error message is logged in the
    MoveTree.err file if you have insufficient permissions:
    Error: 0x2098 Insufficient Access Rights to perform the operation.
    MoveTree cross domain move failed. The extended error is 00002098:
    SrcErr:DSID-0031B02E2, problem 5003 (WILL_NOT_PERFORM), data 0
    . Use quotation marks for parameters with spaces.
    . Use all lowercase letters when designating the source and
    destination subtree root domain names. If you use uppercase letters,
    the following error message is logged in the MoveTree.err file:
    Error: 0x20e4 The Naming Context could not be found.
    MoveTree cross domain move failed.
    The extended error is 0000020e4: SvcErr: DSID-031B02E2, problem 5003
    (WILL_NOT_PERFORM), data 0

    This is from http://support.microsoft.com/?kbid=238394

    On 4/12/05, Eric Ayre <era@bigpond.com> wrote:
    > Hello,
    >
    > I have been investigating the restoration process for deleted objects in
    AD
    > in response to the situation where by if you remove IIS from a domain the
    > group IIS_WPG gets removed despite the existence of other IIS servers and
    > other accounts in this group. Although the problem is fixed in 2003 SP1,
    > there is a concern that some one will bring up a standard DC with IIS
    > installed then decide to remove IIS as this is not required.
    >
    > I have been following MS article, 840001 "How to restore deleted user
    > accounts and their group memberships in Active Directory", specifically
    the
    > section on "How to manually undelete objects in a deleted object's
    > container" as an authoritative restore is viewed as taking too long.
    >
    > Problem
    >
    > I can restore a deleted user account and a distribution group when I
    attempt
    > a security group I get the following error.
    >
    > ***Call Modify...
    >
    > ldap_modify_ext_s(ld,
    > 'CN=MyTestGroup\0ADEL:e9901a47-182e-41e8-b025-888d9e7c5f7a,CN=Deleted
    > Objects,DC=mydom,DC=com,DC=au',[2] attrs, SvrCtrls, ClntCtrls);
    >
    > Error: Modify: Unwilling To Perform. <53>
    >
    > Server error: 0000001F: SvcErr: DSID-031A0FBC, problem 5003
    > (WILL_NOT_PERFORM), data 0
    >
    > I found an article on movetree where by case sensitivity was an issue,
    > however this did not help when tested.
    >
    > I have not been able find any references in technet for this error.
    >
    > Any suggestions and explanations will be welcome.
    >
    > Thanks,
    >
    > Eric Ayre
    >
    > --
    > NTBugtraq Editor's Note:
    >
    > Most viruses these days use spoofed email addresses. As such, using an
    Anti-Virus product which automatically notifies the perceived sender of a
    message it believes is infected may well cause more harm than good. Someone
    who did not actually send you a virus may receive the notification and
    scramble their support staff to find an infection which never existed in the
    first place. Suggest such notifications be disabled by whomever is
    responsible for your AV, or at least that the idea is considered.
    > --
    > 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Joe Dance: "MS Updates SP1 for Windows Server 2003"