Tuesday, November 4, 2014

Securing your Active Directory data before FIM exports

When implementing FIM 2010 at customers, I like to do my own simple backup of the Active Directory objects that FIM is about to touch or change. Of course, you should have your normal Active Directory backup is place as well, but having my copy of  the attribute values allow me to do restore or "roll back" of selected attributes if so needed.

Also, I have a few customers that use these scripts on a scheduled basis to just keep track of changes in Active Directory or even backup before another implementor is allowed to add or change data in their directory.

I have two scripts - a backup script and a restore script.

Backing up

The backup script basically reads the objects that I want to backup from Active Directory and saves these objects in XML files - one file for each object, typically users and groups. The script takes two parameters, the LDAP filter and the backup directory where you want to save the XML files. So to backup all users with accountname starting with A, use the script like this -

.\backup-object.ps1 -filter '&(objectclass=user)(samaccountname=a*))' -backupdir 'c:\adbackup'


If at sometime, you would want to restore any attributes on any of the backed up Active Directory objects, you can use the restore script. The restore script takes two parameters as well, a list of attributes that you want restore and a path to the backup directory containing the XML files that you previously backuped up.

The restore script expects you to feed it the usernames of the users to restore through the pipeline. So to restore the 'givenName' and 'sn' attributes on Bill Gates and Steve Ballmer, use the restore script like this -

"billg", "steveb" | .\restore-object.ps1 -attributes 'givenName', 'sn' -backupdir 'c:\adbackup'

If you want the scripts, you can get them here.

No comments: