Solved

How can we restore AD objects and retain their password?

  • 21 July 2022
  • 4 replies
  • 874 views

Userlevel 3
Badge +13

To recover AD passwords we need to run “adLdapTool.exe” before taking a backup, as per the link below, but daily AD backups are already running and now we need to back up AD users with their passwords. How can we do that?

 

https://documentation.commvault.com/v11/essential/14429_enabling_ability_to_restore_passwords.html

Best answer by Allan0105 21 July 2022, 16:54

4 replies

Userlevel 7
Badge +23

@Allan0105 , are you asking if this is something to do every time?

This is something you only need to do the first time.

We don’t back up the password.  This lets the password go to the AD Recycle Bin and come back when we restore the account and the SID matches (this is why you need SID history too).  If you don't have SID history when you restore the account, it gets a new SID; if it gets a new SID, it cannot reattach the password from the AD Recycle Bin.

To perform these steps manually instead of using the ADLDAPTool, here is the procedure:

Use ADSIEdit to load up the schema and change the following:

For search flags, change the value for CN=unicode-pwd from 0 to 8
CN=Unicode-Pwd, CN=Schema,CN=Configuration,…< rest of domain >

For search flags, change the value for CN=SID-History from 1 to 9
CN=SID-History, CN=Schema,CN=Configuration,…< rest of domain >

Let me know if this helps!
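The same two schema changes done from PowerShell instead of ADSIEdit, as an added example that is not from the original post and is not Commvault's ADLDAPTool. It assumes the ActiveDirectory module is installed, that you run it as a member of Schema Admins against the schema master, and that the target values are the ones the reply above gives (bit value 8, i.e. 0 -> 8 for Unicode-Pwd and 1 -> 9 for SID-History). Bit 8 of searchFlags is the "preserve on delete" flag, which is what keeps the attribute on the deleted object so it survives the Recycle Bin round trip.

```powershell
# Added example (not from the original post or Commvault). Sets the
# preserve-on-delete bit on the two attributeSchema objects named in the
# thread, idempotently, and re-reads them to verify. Forest-wide change:
# test in a lab first and snapshot/back up the schema master before running.
Import-Module ActiveDirectory

# searchFlags bit 3 (value 8) = fPRESERVEONDELETE. The thread's 0->8 and
# 1->9 are exactly "OR in 8", so we OR rather than overwrite the value.
$PreserveOnDelete = 8

# Schema changes are only accepted by the schema master FSMO holder.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

# Attribute schema objects from the reply above (assumed to be the only two needed).
$attrNames = @('Unicode-Pwd', 'SID-History')

foreach ($name in $attrNames) {
    $dn  = "CN=$name,$schemaNC"
    $obj = Get-ADObject -Identity $dn -Properties searchFlags -Server $schemaMaster
    $current = [int]$obj.searchFlags

    if ($current -band $PreserveOnDelete) {
        Write-Host "$name : searchFlags=$current already has preserve-on-delete set; skipping."
        continue
    }

    $new = $current -bor $PreserveOnDelete
    Write-Host "$name : searchFlags $current -> $new"
    Set-ADObject -Identity $dn -Replace @{ searchFlags = $new } -Server $schemaMaster
}

# Ask the schema master to reload its schema cache immediately instead of
# waiting for the periodic refresh (well-known rootDSE write).
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Verify: both attributes should now report the bit as set.
foreach ($name in $attrNames) {
    $flags = (Get-ADObject -Identity "CN=$name,$schemaNC" -Properties searchFlags -Server $schemaMaster).searchFlags
    $ok = [bool]([int]$flags -band $PreserveOnDelete)
    Write-Host ("{0,-12} searchFlags={1} preserveOnDelete={2}" -f $name, $flags, $ok)
}
```

Two things worth checking before you rely on it: the verification loop at the end is the same check you would run after ADLDAPTool, so use it to confirm the tool actually took effect on your schema master; and once the bit is set, deleted user objects carry their password attribute for the whole deleted-object lifetime, so the Deleted Objects container is now a slightly more sensitive place than it was.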

Userlevel 3
Badge +13

Thanks Mike, daily AD backups are configured and already running. We just need to run the ADLDAPTool once and then run the next full? Or does something else need to be taken care of?

Userlevel 7
Badge +23

Correct.  You’ll need to run that tool, and all backups taken after it has run will be able to restore the password.

Userlevel 3
Badge +13

Thanks Mike, as always.

Reply