To recover the AD password we need to do to run “adLdapTool.exe” before taking backup as per below link but we have daily AD backups are already running and now we need to take backup of AD users with password? how can we do that?
https://documentation.commvault.com/v11/essential/14429_enabling_ability_to_restore_passwords.html
Best answer by Allan0105
This is something you only need to do the first time.
We don’t back up the password. This lets the password go to the AD recycling bin and come back when we restore the account and the SID matches (this is why you need SID history too). If you don't have SID history when you restore the account it gets a new SID, if it gets a new SID, it can not reattach the password from AD recycle bin.
To perform these steps manually instead of using the ADLDAPTool, here is the procedure:
Use ADSIEdit to load up the schema and change the following:
For search flags, change the value for CN=unicode-pwd from 0 to 8
CN=Unicode-Pwd, CN=Schema,CN=Configuration,…< rest of domain >
For search flags, change the value for CN=SID-History from 1 to 9
CN=SID-History, CN=Schema,CN=Configuration,…< rest of domain >
Let me know if this helps!
Thanks Mike, daily AD backups are configured and already running. we just need to run the ADLDAPTool once and run the next full ? or something else need to be taken care.
+23This is something you only need to do the first time.
We don’t back up the password. This lets the password go to the AD recycling bin and come back when we restore the account and the SID matches (this is why you need SID history too). If you don't have SID history when you restore the account it gets a new SID, if it gets a new SID, it can not reattach the password from AD recycle bin.
To perform these steps manually instead of using the ADLDAPTool, here is the procedure:
Use ADSIEdit to load up the schema and change the following:
For search flags, change the value for CN=unicode-pwd from 0 to 8
CN=Unicode-Pwd, CN=Schema,CN=Configuration,…< rest of domain >
For search flags, change the value for CN=SID-History from 1 to 9
CN=SID-History, CN=Schema,CN=Configuration,…< rest of domain >
Let me know if this helps!
This is something you only need to do the first time.
We don’t back up the password. This lets the password go to the AD recycling bin and come back when we restore the account and the SID matches (this is why you need SID history too). If you don't have SID history when you restore the account it gets a new SID, if it gets a new SID, it can not reattach the password from AD recycle bin.
To perform these steps manually instead of using the ADLDAPTool, here is the procedure:
Use ADSIEdit to load up the schema and change the following:
For search flags, change the value for CN=unicode-pwd from 0 to 8
CN=Unicode-Pwd, CN=Schema,CN=Configuration,…< rest of domain >
For search flags, change the value for CN=SID-History from 1 to 9
CN=SID-History, CN=Schema,CN=Configuration,…< rest of domain >
Let me know if this helps!
Thanks Mike, daily AD backups are configured and already running. we just need to run the ADLDAPTool once and run the next full ? or something else need to be taken care.
+23Correct. You’ll need to run that tool and all backups after its run will be able to restore the password.
Correct. You’ll need to run that tool and all backups after its run will be able to restore the password.
Thanks Mike as always,
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
