Solved

View Active Directory attribute 'ms-Mcs-AdmPwd' (LAPS) without restoring it

  • 4 March 2021
  • 8 replies
  • 1700 views

Badge +1

Hi community,

Does anybody know if it is possible to view the content of an Active Directory attribute without the need of restoring it?

In our special case sometimes it is necessary to get an expired local administrator password. Local administrator passwords are created with LAPS.

Thank you.

Regards

Robert


Best answer by Robert 8 March 2021, 10:35


8 replies

Badge +15

I highly doubt that this is possible since this would present security issues around the CV, potentially allowing other users (non-admins) to view the content of a backup. It just doesn't make sense to me.

In addition to that, from reading the documentation, it doesn't seem like Commvault actually backs up the password; instead the pwd attribute is part of a unicodepwd attribute that is restored with the deleted account from tombstone.

Please refer to Restoring User Accounts and Passwords

Userlevel 7
Badge +23

Hi community,

Does anybody know if it is possible to view the content of an Active Directory attribute without the need of restoring it?

In our special case sometimes it is necessary to get an expired local administrator password. Local administrator passwords are created with LAPS.

Thank you.

Regards

Robert

Hey @Robert - I’ve been rattling my brain to figure out a way to do this, but I don’t think there is an easy way. The only thing I can think of is using block level backups for the domain controller, and then somehow mounting the snap to use some AD tools on the ntds database to view attributes.


I can’t recall if there is a manual mount option for the block level snap so you can view the data without restoring … checking on my end.

Userlevel 7
Badge +23


In addition to that, from reading the documentation, it doesn't seem like Commvault actually backs up the password; instead the pwd attribute is part of a unicodepwd attribute that is restored with the deleted account from tombstone.

Please refer to Restoring User Accounts and Passwords

You are right for regular account passwords (if you choose NOT to modify the schema so we can protect it), but this is a different attribute. The schema is extended to store a password that the client uses to pull from AD and set the local admin password. So I suspect the attribute will be visible like any other AD object. I do wonder if the password is encrypted though, so even if you got access it may not be usable.

Badge +1

Hi all,

I talked to support as well. They gave me the following feedback:

“As of now we don't have an option. But we have this feature implemented in future releases”

“No ETA, the development team is working on it and will have this sorted soon”

Regards

Robert

Badge

Hi all,

Any news on this topic?

Has this feature been implemented yet? If so, in which version/release?


Thank you,

Frank

Userlevel 7
Badge +23

@Frankj , I’ll see if I can track down a CMR number, since I’m not able to find any case in @Robert's name.

Adding in, I found a case that referenced this thread which was solved by this:

Please test a backup with the Domain Admin account and let me know the browse results.

Can you try that and see if the browse works for you as well?

Badge

@Mike Struening Thanks for your response. We will solve it by exporting the passwords by script and storing them in a password vault. But I remain interested in Commvault solutions to it.

Actually we don’t have Active Directory backup configured with Commvault, so I can’t quickly test it, sorry.

Userlevel 7
Badge +23

Understood. Glad you at least have a workaround/solution you can utilize!
