Restoring Active Directory Attributes with PowerShell - Part 2

In the first article of the series, we used the ntdsutil tool to create, mount, dismount and remove Active Directory snapshots, and loaded the Active Directory database using the dsamain tool. Today, we are going to use a set of PowerShell functions I've created for this purpose. These functions have been included in my Active Directory module since version 1.4.1.

Let's start by creating an Active Directory snapshot and then mounting it on port 33389:


After taking the snapshot, I updated the first name, last name and proxy addresses attributes on my user in order to compare and later restore them. Using the "Get-ADUser" cmdlet we can get the current values for those attributes as well as the values from the snapshot:


As you may notice, a proxy address is missing, the first name has been updated to "Christos 1" and the last name has been updated to "Polydorou 2".

This is how easy it is to restore the attributes! First we save the production and the snapshot users to variables, and then we set the values on the attributes we want to restore:


And voila! The attributes have been configured with the correct values.

The "Compare-ActiveDirectorySnapshotObject" function is another function I believe you'll find useful. It compares the values of all attributes between an object in its current state and the state it was in at the time the snapshot was taken.


Since the ObjectGUID is the attribute that most probably won't be updated, we are using it to reference the same object.
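The restore of the three attributes discussed above, written with the standard ActiveDirectory module cmdlets rather than the functions from my module's screenshots (an added example, not code from the original post). It assumes dsamain is serving the mounted snapshot on localhost:33389 and uses a placeholder account name; the object is matched by ObjectGUID and the write runs with -WhatIf.

```powershell
# Added example. Assumptions: dsamain is serving the mounted snapshot on
# localhost:33389 and 'cpolydorou' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$snapshotServer = 'localhost:33389'
$identity       = 'cpolydorou'   # placeholder, replace with the account to restore
$attributes     = 'givenName', 'sn', 'proxyAddresses'

# Read the live object, then the same object from the snapshot, matched by ObjectGUID
$current  = Get-ADUser -Identity $identity -Properties $attributes
$snapshot = Get-ADUser -Identity $current.ObjectGUID -Server $snapshotServer -Properties $attributes

$replace = @{}
$clear   = @()
foreach ($name in $attributes) {
    # Normalise single- and multi-valued attributes to sorted arrays
    $old = @($snapshot.$name | Where-Object { $null -ne $_ } | Sort-Object)
    $new = @($current.$name  | Where-Object { $null -ne $_ } | Sort-Object)

    # Case-sensitive compare: 'SMTP:' and 'smtp:' mean different things in proxyAddresses
    if (($old -join "`n") -ceq ($new -join "`n")) { continue }

    if ($old.Count -gt 0) {
        $replace[$name] = [string[]]$old   # write the snapshot values back
    } else {
        $clear += $name                    # attribute was not set in the snapshot
    }
}

$params = @{ Identity = $current }
if ($replace.Count -gt 0) { $params['Replace'] = $replace }
if ($clear.Count   -gt 0) { $params['Clear']   = $clear }

if ($params.Count -gt 1) {
    # -WhatIf only reports the change; remove it to apply the snapshot values
    Set-ADUser @params -WhatIf
} else {
    Write-Output 'Live object already matches the snapshot for the selected attributes.'
}
```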

Since our job is finished, we are going to close the dsamain window in order to unload the database and dismount the snapshot using the "Dismount-ActiveDirectorySnapshot" cmdlet:


The "Get-ActiveDirectorySnapshot" cmdlet also displays information regarding the mount status of snapshots, so you can select the mounted snapshot and get the mount point. I've also removed the snapshot using the "Remove-ActiveDirectorySnapshot" cmdlet.

I would personally recommend having a scheduled task that creates and manages Active Directory snapshots so you can always have a couple of snapshots to work with. Although there is no side effect apart from the disk space a snapshot may consume, I would keep two or three snapshots on a daily basis. This is going to be the topic of the third and last article of the series!
