All,
Thanks for your responses.
Microsoft have confirmed an issue restoring security groups from deleted
objects. See Microsoft article http://support.microsoft.com/?kbid=830769
applying the available patch corrected the problem.
Eric Ayre
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Johny Wishbone
Sent: Friday, 15 April 2005 4:29 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Restoring deleted security groups in AD
Ensure that you have permissions on the source and destination domains
to complete the move. The following error message is logged in the
MoveTree.err file if you have insufficient permissions:
Error: 0x2098 Insufficient Access Rights to perform the operation.
MoveTree cross domain move failed. The extended error is 00002098:
SrcErr:DSID-0031B02E2, problem 5003 (WILL_NOT_PERFORM), data 0
. Use quotation marks for parameters with spaces.
. Use all lowercase letters when designating the source and
destination subtree root domain names. If you use uppercase letters,
the following error message is logged in the MoveTree.err file:
Error: 0x20e4 The Naming Context could not be found.
MoveTree cross domain move failed.
The extended error is 0000020e4: SvcErr: DSID-031B02E2, problem 5003
(WILL_NOT_PERFORM), data 0
This is from http://support.microsoft.com/?kbid=238394
On 4/12/05, Eric Ayre <era@bigpond.com> wrote:
Hello,
I have been investigating the restoration process for deleted objects in
AD
in response to the situation where by if you remove IIS from a domain the
group IIS_WPG gets removed despite the existence of other IIS servers and
other accounts in this group. Although the problem is fixed in 2003 SP1,
there is a concern that some one will bring up a standard DC with IIS
installed then decide to remove IIS as this is not required.
I have been following MS article, 840001 "How to restore deleted user
accounts and their group memberships in Active Directory", specifically
the
section on "How to manually undelete objects in a deleted object's
container" as an authoritative restore is viewed as taking too long.
Problem
I can restore a deleted user account and a distribution group when I
attempt
a security group I get the following error.
***Call Modify...
ldap_modify_ext_s(ld,
'CN=MyTestGroup\0ADEL:e9901a47-182e-41e8-b025-888d9e7c5f7a,CN=Deleted
Objects,DC=mydom,DC=com,DC=au',[2] attrs, SvrCtrls, ClntCtrls);
Error: Modify: Unwilling To Perform. <53>
Server error: 0000001F: SvcErr: DSID-031A0FBC, problem 5003
(WILL_NOT_PERFORM), data 0
I found an article on movetree where by case sensitivity was an issue,
however this did not help when tested.
I have not been able find any references in technet for this error.
Any suggestions and explanations will be welcome.
Thanks,
Eric Ayre
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone
who did not actually send you a virus may receive the notification and
scramble their support staff to find an infection which never existed in the
first place. Suggest such notifications be disabled by whomever is
responsible for your AV, or at least that the idea is considered.
--
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whomever is responsible for
your AV, or at least that the idea is considered.
--
