ADSIEdit and group membership

Almost a month without a post … time to get to work. BTW – it is a little strange, but more people are visiting this place now (according to statistics gathered from the blog) than when I posted more often. If I stop blogging, will I get a massive hit in visits??? 🙂

Every day you can learn something new about old things – in this case ADSIEdit, and new at least for me. During one of my last trips to a customer I had a talk with the customer's sysadmin about the usage of LVR and the need for a previously created group to be refreshed (I wrote about it some time ago). He mentioned that during AD Disaster Recovery training some of the MS folks said that instead of using LDIF files or a backup you can "tweak something" on one of the attributes and get the same result – group membership will be refreshed.

I'd never heard of it, so I asked my colleague from MCS Poland, who has more experience and more years with AD on the CV :). He recalled that this is something to do with ADSIEdit behavior … nothing more left to do than just check it.

OK – so let's open ADSIEdit, find some group object -> right click -> Properties -> navigate to the member attribute … and here comes the trick. Open this attribute using the Edit button, do not change anything and close with OK (this is important, not Cancel). Then just close the object properties using OK once again.

If you check your event log, you will notice something similar to this sequence:

Event Type: Success Audit
Description:
Security Enabled Global Group Changed:
Target Account Name: GrupaTestowa

———————————————————————–

Event Type: Success Audit
Event ID: 633
Security Enabled Global Group Member Removed:
Member Name:
Member ID: W2K\user2
Target Account Name: GrupaTestowa

———————————————————————–

Event Type: Success Audit
Event ID: 633
Description:
Security Enabled Global Group Member Removed:
Member Name:
Member ID: W2K\user1
Target Account Name: GrupaTestowa

———————————————————————–

Event Type: Success Audit
Event ID: 632
Description:
Security Enabled Global Group Member Added:
Member Name: CN=user2,OU=Employees,DC=w2k,DC=pl

———————————————————————–

Event Type: Success Audit
Event ID: 632
Description:
Security Enabled Global Group Member Added:
Member Name: CN=user,OU=Employees,DC=w2k,DC=pl

Yes, all members of the group (in this case 2 of them) were removed and then added back again. If you remove a single member, you will see that all of them were removed, but then all except the one you removed were added again.
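When reviewing audit logs, this remove-all/re-add pattern can be told apart from a real membership change by netting out each burst of 633/632 events per group. The following is an added example, not part of the original post; the record fields (`time`, `event_id`, `group`, `member`), the 5-second burst gap and the sample data are assumptions, and `member` is assumed to be one already-normalized identifier per account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADDED, REMOVED = 632, 633  # event IDs as they appear in the log excerpt above

def _net(group, burst):
    """Classify each member by its first and last event inside one burst."""
    first, last = {}, {}
    for ev in burst:
        first.setdefault(ev["member"], ev["event_id"])
        last[ev["member"]] = ev["event_id"]
    out = {"group": group, "start": burst[0]["time"],
           "rewritten": [], "net_removed": [], "net_added": [], "transient": []}
    for member in sorted(first):
        if first[member] == REMOVED and last[member] == ADDED:
            out["rewritten"].append(member)      # removed, then put back: no real change
        elif first[member] == REMOVED:
            out["net_removed"].append(member)    # removed and never re-added
        elif last[member] == ADDED:
            out["net_added"].append(member)      # genuinely new member
        else:
            out["transient"].append(member)      # added, then removed again
    return out

def summarize_rewrites(events, gap=timedelta(seconds=5)):
    """Group 632/633 events per group into bursts and return each burst's net change."""
    by_group = defaultdict(list)
    for ev in events:
        if ev["event_id"] in (ADDED, REMOVED):
            by_group[ev["group"]].append(ev)
    results = []
    for group, evs in by_group.items():
        evs.sort(key=lambda e: e["time"])        # stable: same-second events keep log order
        burst = [evs[0]]
        for ev in evs[1:]:
            if ev["time"] - burst[-1]["time"] > gap:
                results.append(_net(group, burst))
                burst = []
            burst.append(ev)
        results.append(_net(group, burst))
    return sorted(results, key=lambda r: r["start"])

# Constructed sample: a no-op OK click, then one member removed through the same editor.
T0 = datetime(2009, 1, 1, 10, 0, 0)
def _ev(sec, event_id, member):
    return {"time": T0 + timedelta(seconds=sec), "event_id": event_id,
            "group": "GrupaTestowa", "member": member}
SAMPLE = [_ev(0, 633, "user2"), _ev(0, 633, "user1"), _ev(1, 632, "user2"), _ev(1, 632, "user1"),
          _ev(60, 633, "user2"), _ev(60, 633, "user1"), _ev(61, 632, "user2")]
```

For the constructed sample, `summarize_rewrites(SAMPLE)` reports the first burst as a pure rewrite of both members and the second as a rewrite of user2 with user1 as the only net removal.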

I know that this might be widely known, but as I said – I didn't know that ADSIEdit behaves like that. Maybe because this is not my first tool of choice when it comes to group management – in most cases I use scripts or tools like ADMod (if not the GUI from ADU&C).

So … be careful if you are looking at the members of a group with ADSIEdit. Using the OK button might do something you were not expecting :).