You must run the adLdapTool.exe on the client computer before you perform your first backup to enable restores of passwords for users and computers.
The adLdapTool sets the following values to the searchFlags attributes of Unicode-Pwd and SID-History found under CN=Schema and Cn=Configuration:
-
Value for Unicode-Pwd: 0x00000008
-
Value for SID-History: 0x00000009
Due to this setting, Active Directory will preserve these two attributes on deletion.
Note
If the unicodepwd attribute is preserved, you can restore the last stored password before the user was deleted. Point-in-time restores are not supported as the password is not stored in Commvault backup operations. For more information, see Microsoft article unicodePwd.
Before You Begin
Verify that you have credentials for a user account that has administrative privileges for the domain and Active Directory Schema.
Procedure
-
Log on to the server using the user account that has administrative privileges.
-
On the command line, go to software_installation_directory/Base, and then type the following command:
adLdapTool.exe <domain_name\domain_administrator_user_name> <password> -hostserver <fully_qualified_directory_host_server_name> -port <LDAP_port_number, default 389> -setschema 1