Solved

How can we restore AD objects and retain their password?



To recover the AD password, we need to run “adLdapTool.exe” before taking a backup, as per the link below, but our daily AD backups are already running, and now we need to take a backup of AD users with their passwords. How can we do that?

 

https://documentation.commvault.com/v11/essential/14429_enabling_ability_to_restore_passwords.html


4 replies

Mike Struening
Vaulter

@Allan0105 , are you asking if this is something to do every time?

This is something you only need to do the first time.

We don’t back up the password. This lets the password go to the AD recycling bin and come back when we restore the account and the SID matches (this is why you need SID history too). If you don't have SID history when you restore the account, it gets a new SID; if it gets a new SID, it cannot reattach the password from the AD recycle bin.

To perform these steps manually instead of using the ADLDAPTool, here is the procedure:

Use ADSIEdit to load up the schema and change the following:

For search flags, change the value for CN=unicode-pwd from 0 to 8
CN=Unicode-Pwd, CN=Schema,CN=Configuration,…< rest of domain >

For search flags, change the value for CN=SID-History from 1 to 9
CN=SID-History, CN=Schema,CN=Configuration,…< rest of domain >

Let me know if this helps!
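
The schema change described in the answer above can be verified without modifying anything. The following read-only PowerShell check is an added example, not part of the original thread and not Commvault's tooling; it assumes the RSAT ActiveDirectory module is installed, and the helper name `Test-PreserveOnDelete` is hypothetical. Bit 0x8 of searchFlags is the preserve-on-delete flag, which is why the answer's values go from 0 to 8 and from 1 to 9.

```powershell
# Added example: read-only check of the two schema attributes named in
# the answer. Requires the ActiveDirectory module and read access to
# the schema partition. It makes no changes.
Import-Module ActiveDirectory

# searchFlags bit 0x8 (fPRESERVEONDELETE) keeps the attribute value on
# the object when it is deleted. 0 -> 8 and 1 -> 9 both set only this bit.
$PreserveOnDelete = 0x8

function Test-PreserveOnDelete {
    param([int]$SearchFlags)
    return (($SearchFlags -band $PreserveOnDelete) -ne 0)
}

# Resolve the schema partition DN instead of hard-coding the domain part.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$results = foreach ($cn in 'Unicode-Pwd', 'SID-History') {
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(cn=$cn)" -Properties searchFlags, lDAPDisplayName
    if (-not $attr) {
        Write-Warning "Schema attribute $cn not found under $schemaNC"
        continue
    }
    $flags = [int]$attr.searchFlags   # an unset searchFlags casts to 0
    [pscustomobject]@{
        Attribute        = $attr.lDAPDisplayName
        SearchFlags      = $flags
        PreserveOnDelete = Test-PreserveOnDelete $flags
    }
}

$results | Format-Table -AutoSize

# Both attributes must carry the bit for the restore behaviour described above.
$notSet = @($results | Where-Object { -not $_.PreserveOnDelete })
if ($notSet.Count -gt 0 -or @($results).Count -lt 2) {
    Write-Warning 'Bit 0x8 is not set on both Unicode-Pwd and SID-History.'
}
```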


  • Author
  • Byte
  • 115 replies
  • Answer
  • July 21, 2022
Thanks Mike, daily AD backups are configured and already running. We just need to run the ADLDAPTool once and run the next full? Or does something else need to be taken care of?


Mike Struening
Vaulter

Correct.  You’ll need to run that tool and all backups after its run will be able to restore the password.


  • Author
  • Byte
  • 115 replies
  • July 21, 2022
Thanks Mike as always, 

