authoritative restore & group memberships



An attribute was changed on 1800 users and we thought about trying an
authoritative restore. The old attribute should be restored on all the
objects once that is done.

I was wondering if group memberships would be affected at all. The groups
would not be marked as authoritative.

I saw these articles;en-us;280079#kb2
Authoritative restore of groups can result in inconsistent membership
information across domain controllers
How to restore deleted user accounts and their group memberships in Active

This excerpt from the first article caught my eye

"Note This issue may occur even if the users are authoritatively restored
and the groups are not. If a System State restore is done and only users are
marked as authoritative, their group membership will be restored on the
domain controller that the restore was done on (because the forward links in
the group objects would have been restored in the System State restore). If
the membership of the groups has not changed since the System State backup
was done, no replication for the groups will be done after the restore. This
results in inconsistent group membership between domain controllers. Changing
the membership to the group on one domain controller will replicate the
current contents of that group on that domain controller to the other domain
controllers. "

So will the group memberships be inconsistent?


Mark-Allen Perry

Just a short note: wouldn't it be better to write a small vbs script that
uses LDAP to go through your AD and reverts back the value of that
attribute. The scripts are pretty easy to write and there are hundreds
available. I've done this dozens of times to manage users in my AD.

BTW, which container and attribute got changed?

Just a thought.


Hi Mark,

Yes the script of ADModify would have worked for most of the changes. What
happened here was that someone rebuilt the RUS and it set new primary e-mail
address for the users. We wanted to revert back to the old primary and our
users have different formats for their addresses (depending on what company
they work for)


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question