Reverting Large Scale Changes with Change Auditor and Recovery Manager for Active Directory

In most circumstances, using Recovery Manager for Active Directory to revert changes made to Active Directory is pretty simple. If we need to revert a group's membership, we just search for the group and restore it from an appropriate backup.

But what if the changes that need to be reverted are considerably more complex? What if they span hundreds of changes across dozens of Organizational Units?

This is an excellent case for using Change Auditor for Active Directory to find the changes and export them to a file. Recovery Manager for Active Directory can then import the file and base its restore on it.

Find the Changes to Be Reverted

For instance, let's say that we know that there was a change to the identity management software during a specific change window that caused it to erroneously remove large numbers of users from groups that it had under management.

We could do a comparison report using Recovery Manager for Active Directory and have it restore all group memberships to their state as of the last backup. But this would also roll back any valid changes that were made between the time of the backup and the time of the change, both manually and by the identity management system.

Instead, let's use Change Auditor to find the changes to Active Directory that need to be reverted. Change Auditor can search on a wide variety of criteria and combine those criteria together to really narrow down the results.

Create a new search in Change Auditor.

Add the identity management account in the Who tab.

Since we are only interested in changes to groups, in the What tab add the "Group member added" and "Group member removed" events.

And finally, in the When tab we restrict it to the change window time-frame.

We need to add one extra column to the search results to get the data that we need to feed into Recovery Manager for Active Directory.

Click the Layout tab, and scroll on the left until we find "Object DN". Add that to the Selected Columns list.

When we execute the search, we will get a result that looks like this:

This looks good.

Now, click "Print to File" and select "CSV" as the file format.

Transforming the File

The file that Change Auditor exports will be in comma-separated value (CSV) format and will include a lot of information that Recovery Manager for Active Directory doesn't need. In fact, the only thing that Recovery Manager does need is a list of Distinguished Names.

To separate out this information, let's open the file using a spreadsheet program like Microsoft Excel.

Select all of the data from the Distinguished Name column, copy it, and paste it into a new sheet.

Then go to File, Export, then Change File Type. Choose Formatted Text, which will save the sheet as a ".prn" file. Change the file extension to ".txt".

We now have a list of objects that we can feed into Recovery Manager for Active Directory.
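A scripted alternative to the spreadsheet steps above, as an added example that is not part of the original post or of either product: it reads the exported CSV, keeps only the "Object DN" column, validates and de-duplicates the values, writes one DN per line, and returns a per-container count so the scope of the restore can be reviewed first. The file paths, the "Event" header and the sample rows are constructed, and the DN check is a simple sanity pattern rather than a full parser.

```powershell
# Added example. 'Object DN' is the column added in the search layout;
# paths, the 'Event' header and the sample rows are constructed.
function Export-ObjectDnList {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $OutPath,
        [string] $DnColumn = 'Object DN'
    )
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }
    if ($rows[0].PSObject.Properties.Name -notcontains $DnColumn) {
        throw "Column '$DnColumn' not found in $CsvPath"
    }
    # Import-Csv honours quoting, so the commas inside a DN stay in one field.
    $values = @($rows | ForEach-Object { ([string]$_.$DnColumn).Trim() } |
        Where-Object { $_ })
    if ($values.Count -eq 0) { throw "Column '$DnColumn' is empty" }
    # Stop on anything that does not look like a DN rather than passing it on.
    $bad = @($values | Where-Object { $_ -notmatch '^[a-z]+=.+,DC=[^,]+$' })
    if ($bad.Count -gt 0) { throw "Not a distinguished name: $($bad -join '; ')" }
    # A group changed several times appears in several rows; list it once.
    # Sort-Object -Unique compares case-insensitively, as AD does for DNs.
    $dns = @($values | Sort-Object -Unique)
    Set-Content -Path $OutPath -Value $dns
    # Return a per-container count so the scope can be reviewed before restore.
    $dns | Group-Object { $_ -replace '^.+?(?<!\\),', '' } |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample export (not real data).
$csv = Join-Path ([IO.Path]::GetTempPath()) 'ca-export-sample.csv'
@'
"Event","Object DN"
"Group member removed","CN=Sales,OU=Groups,DC=example,DC=com"
"Group member removed","CN=sales,OU=Groups,DC=example,DC=com"
"Group member added","CN=HR\, EMEA,OU=Regional,DC=example,DC=com"
'@ | Set-Content -Path $csv
$out = [IO.Path]::ChangeExtension($csv, '.txt')
Export-ObjectDnList -CsvPath $csv -OutPath $out | Format-Table -AutoSize
Get-Content -Path $out
```

With the sample rows, the two spellings of the Sales group collapse to one line and the output file holds two DNs, one under each container.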

Recovering the Objects

Start the Recovery Manager for Active Directory management console, and select Restore AD Objects Online.

Follow the wizard, and when asked to choose the Objects to be Processed, choose Import… and find the file that we exported earlier.

We now have a list of each object that Change Auditor found, and can continue through the wizard and restore the objects.

We have now used two great tools together to restore functionality after a complex change gone bad: Change Auditor for Active Directory to pinpoint the changes that occurred, and Recovery Manager for Active Directory to quickly and accurately revert them.
