Thursday, May 28, 2009

How to save additional Active Directory attributes and the user password in tombstone objects

Knowing that deleted Active Directory objects are not erased immediately, but kept as tombstones for the tombstone lifetime (by default 60 days in forests created with Windows 2000/2003, 180 days in forests created with Windows 2003 SP1/2008), can save your day if you accidentally delete user, computer or container objects. …

… A downside of tombstone reanimation is that, by default, most attributes are stripped from AD objects when they are deleted. For example, the first and last name attributes of user objects (givenName and sn) are not kept in tombstone objects. …

… The good news is that you can configure the Active Directory schema to store additional attributes in tombstone objects. The bad news is that the procedure is a bit complicated. 
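What the schema change boils down to is setting bit 0x8 (preserve on delete) in the searchFlags attribute of each attributeSchema object you want kept on tombstones. The PowerShell below is an added example, not code from the 4sysops article: it assumes the ActiveDirectory module, Schema Admins membership and a writable connection to the schema master, and the list $attributesToPreserve (givenName and sn, the two attributes named above) is an assumption of this example. The excerpt's title mentions the password as well; this example deliberately touches only the two name attributes.

```powershell
# Added example (not from the 4sysops article). Marks the givenName and sn
# attribute schema objects "preserve on delete" so that tombstones created
# from now on still carry them. Assumes: ActiveDirectory module (RSAT),
# Schema Admins membership, schema master reachable.
Import-Module ActiveDirectory

# Assumed list for this example: the first- and last-name attributes.
$attributesToPreserve = @('givenName', 'sn')

# searchFlags bit 0x8 = fPRESERVEONDELETE: keep the attribute on the tombstone.
$PreserveOnDelete = 0x8

# Schema writes must go to the schema master, not an arbitrary DC.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

foreach ($ldapName in $attributesToPreserve) {
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapName))" `
        -Properties searchFlags

    if (-not $attr) { throw "attributeSchema object for '$ldapName' not found" }

    if (($attr.searchFlags -band $PreserveOnDelete) -ne 0) {
        Write-Host "$ldapName is already preserved on delete (searchFlags=$($attr.searchFlags))"
        continue
    }

    # OR the bit in so the existing flags (indexing, ANR, GC replication, ...)
    # on the attribute are left untouched.
    $newFlags = $attr.searchFlags -bor $PreserveOnDelete
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $newFlags }
    Write-Host "$ldapName searchFlags: $($attr.searchFlags) -> $newFlags"
}

# Ask the schema master to reload its schema cache now instead of waiting
# for the periodic refresh (rootDSE operational attribute schemaUpdateNow).
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Check: tombstones of users deleted after the change should now show
# givenName and sn; objects deleted before it were already stripped and
# do not get the attributes back.
Get-ADObject -Server $schemaMaster -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user))' `
    -Properties givenName, sn, whenChanged |
    Select-Object Name, givenName, sn, whenChanged
```

The change is forest-wide and replicates like any other schema modification, so test it against a lab forest first; the final query is the practical check that the bit took effect, and it only reports attributes for objects deleted after the flag was set.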

Source: 4sysops