Announcement

Collapse
No announcement yet.

Is it possible to change the creation date of an AD object?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Is it possible to change the creation date of an AD object?

    I need to change the creation date of a security group which I forgot to create three months ago. I need to show it was created then or else we have to get our systems audited again- and I don't think I'll be anyone's friend if that happens. Thanks.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Is it possible to change the creation date of an AD object?

    You made a mistake - take responsibility for it and move on.
    Last edited by Stonelaughter; 4th September 2008, 10:03.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: Is it possible to change the creation date of an AD object?

      lol Stone,

      Do you have any groups that were deleted three months ago? If so you can tombstone restore them and then rename to get by.

      Comment


      • #4
        Re: Is it possible to change the creation date of an AD object?

        you can change the Object creation date using ADSIEDIT.
        goto the object properties and change the "whenCreated" field to your desired date.

        Comment


        • #5
          Re: Is it possible to change the creation date of an AD object?

          Originally posted by Akila View Post
          you can change the Object creation date using ADSIEDIT.
          goto the object properties and change the "whenCreated" field to your desired date.
          System attributes cannot be modifed.

          Comment


          • #6
            Re: Is it possible to change the creation date of an AD object?

            Originally posted by Meekrobe View Post
            System attributes cannot be modifed.
            I tested it before I posted , so it could be done.

            Comment


            • #7
              Re: Is it possible to change the creation date of an AD object?

              Originally posted by Akila View Post
              I tested it before I posted , so it could be done.
              Odd, so did I.

              Comment


              • #8
                Re: Is it possible to change the creation date of an AD object?

                Just a reminder from your friendly moderator that this thread is being watched before it degenerates into the "did...did not" argument beloved by 5-year-olds everywhere

                JD -- what is the Domain and Forest functional level?
                Akila, Meekrobe, the same -- that may make the difference

                Stonelaughter, I appreciate what you are trying to say (and I would probably say something similar myself), but could you please consider a little more tact and diplomacy in your comment!
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **

                Comment


                • #9
                  Re: Is it possible to change the creation date of an AD object?

                  In our lab I tried it with windows 2000 forest mode and windows 2000 mixed mode.
                  Although I can change the setting via adsiedit I cannot click apply.

                  When I click apply:
                  The attribute cannot be modified because it is owned by the system.

                  Edit: the same with forest level windows 2003 and domain 2003 native mode.

                  @Akila,
                  Have you clicked on apply when you had changing the date?

                  So @TS,
                  I think you should take your responsibility and oh well, everyone can make a mistake
                  Last edited by Dumber; 4th September 2008, 10:01.
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"

                  Comment


                  • #10
                    Re: Is it possible to change the creation date of an AD object?

                    Thanks guys for your input and Tom no offence taken at the StoneNotSoFunny comment- everyone needs a wack sometimes!

                    Anyhow, Akila was on the right track, but the error "System attributes cannot be modifed" is a default error which appears on all *unmodified* DCs. Using this info, I did a google and found the following, working () solution:

                    Login as a member of Schema Admins (preferably on the Schema Master FSMO)

                    Launch LDP.EXE

                    Connect to the Schema Master FSMO using LDP.EXE

                    Bind to the Schema Master using an account with Schema Admin permissions.

                    From the Browse menu, choose Modify

                    In the Modify dialog box, leave the DN field blank, and type schemaUpgradeInProgress in the Attribute field. In the Value field, enter the number 1. Click the Enter button, then click the Run button.

                    Close the Modify dialog box.

                    Launch ADSIEDIT.MSC and modify the mAPIID values for the necessary attributes. (You may need to wait for the Active Directory to replicate.)

                    Run LDP again, and change the value of schemaUpgradeInProgress from 1 to 0.

                    From the Active Directory Schema console, right click on the console and choose "Reload the Schema"
                    I now have two back-dated groups!!

                    Windows 2003 Server SP2, Functional Level = Windows Server 2003.
                    |
                    +-- JDMils
                    |
                    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                    |

                    Comment


                    • #11
                      Re: Is it possible to change the creation date of an AD object?

                      Doing things like this is DANGEROUS and could have caused you more problems than just admitting your mistake.

                      I stand by the spirit of my original comment; the professional, proper, right, and respect-earning way to deal with this would have been to stand up and take responsibility for your mistake. You most certainly earn zero respect from me for the approach you have taken.


                      Tom
                      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                      Anything you say will be misquoted and used against you

                      Comment


                      • #12
                        Re: Is it possible to change the creation date of an AD object?

                        Can you tell what the source is?
                        Marcel
                        Technical Consultant
                        Netherlands
                        http://www.phetios.com
                        http://blog.nessus.nl

                        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                        "No matter how secure, there is always the human factor."

                        "Enjoy life today, tomorrow may never come."
                        "If you're going through hell, keep going. ~Winston Churchill"

                        Comment


                        • #13
                          Re: Is it possible to change the creation date of an AD object?

                          I think this is the source JDMils used:
                          - http://mostlyexchange.blogspot.com/2...e-details.html
                          Or
                          - http://www.experts-exchange.com/Soft..._23134578.html

                          JDMils by providing your source, you give credit where credit is due,
                          and... also there might be some more, relevant and important information there we should read about.

                          In the 2nd link there is also an other quicker solution
                          Originally posted by sekhar_kiit

                          Copyright Experts Exchange LLC 2008. All rights reserved.
                          JDMils, you realize that these kind of activities can only make things much and much worser for you, your job and reputation is at stake.

                          \Rems
                          Last edited by Rems; 5th September 2008, 10:56.

                          This posting is provided "AS IS" with no warranties, and confers no rights.

                          __________________

                          ** Remember to give credit where credit's due **
                          and leave Reputation Points for meaningful posts

                          Comment


                          • #14
                            Re: Is it possible to change the creation date of an AD object?

                            Thanks guys for your comments. I understand what you are saying, but I feel that changing the creation date on an AD object is well within the limits of do-able approach for which I have been given the ability to change a property using standard methods provided by the manufacturer.

                            I understand that if it involved a hack which was not provided by the manufacturer then yes it would be a moral dilema. But it is not.

                            We could align these arguments on the ability to change the creation date of a folder or file. Irrespetive of the reason for why it needs to be done, it can be done and within a given set of paramters which were provided by the manufacturer. I know that AD objects are not the same as file objects, but they all have properties and one must consider the dangers involved in changing a property of an object. For example, changing the date on a file or folder could just as well have a disastrous affect on other systems- but it is not frowned upon because it CAN be done easily.

                            I have considered the changes to the AD group to be a low-risk change and perfectly legal in which it was done and thus viable in my situation. I did not have to explain why I wanted to do what I wanted, but I did. I thank you for your warnings, but the information was provided by the manufacturer based on the fact that the end user would have to consider the dangers.
                            |
                            +-- JDMils
                            |
                            +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
                            |

                            Comment


                            • #15
                              Re: Is it possible to change the creation date of an AD object?

                              For me, it wasn't what you did, but the reason you gave; to get yourself out of the cack. So you took a risk (however small) with your employer's AD system for a personal and unprofessional reason.

                              Nuff said.


                              Tom
                              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                              Anything you say will be misquoted and used against you

                              Comment

                              Working...
                              X