Many object attributes are read-only because Active Directory itself controls them, so they cannot be restored to a previous value. The full list of AD attributes is documented by Microsoft in this article. Attributes that cannot be restored are listed with an Update Privilege of “This value is set by the system”. For example, Bad-Password-Time is managed by AD and cannot be individually restored:
| Entry | Value |
|---|---|
| CN | Bad-Password-Time |
| Ldap-Display-Name | badPasswordTime |
| Size | 8 bytes |
| Update Privilege | This value is set by the system. |
| Update Frequency | Each time the user enters a bad password. |
| Attribute-Id | 1.2.840.113556.1.4.49 |
| System-Id-Guid | bf96792d-0de6-11d0-a285-00aa003049e2 |
| Syntax | Interval |
Other examples of system managed attributes include LastLogoff, LastLogon, and USNChanged.
Some system attributes are an integral part of the object’s identity and security context, such as ObjectGUID, ObjectSid, and DistinguishedName. Although these are read-only attributes managed by the system, Active Directory keeps them in the object’s tombstone when the object is deleted, so they can be recovered along with the object. For more information about Active Directory prerequisites, see System Requirements for Active Directory and Additional Requirements for Active Directory.
Passwords and SIDHistory are more sensitive and require additional configuration to maintain in the object tombstone as described in Enabling the Ability to Restore Passwords and SIDHistory for Active Directory.
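The distinction drawn above (system-managed attributes that a restore must skip versus identity attributes that survive in the tombstone) can be checked against the schema itself. The following PowerShell is an added example, not code from this documentation or from any backup product: it reads each attribute's schema entry and reports its `systemOnly` flag (the schema-level marker for attributes only the directory writes, the closest programmatic counterpart of the “set by the system” update privilege; the Microsoft reference remains authoritative where the two differ) and whether `searchFlags` carries bit 0x8 (fPRESERVEONDELETE, kept in the tombstone). The core identity set (objectGUID, objectSid, distinguishedName) is retained in the tombstone regardless of `searchFlags`, so it is special-cased. It assumes the ActiveDirectory module and a reachable domain controller; the attribute list and column names are this example's own.

```powershell
# Added example (not from the original page): classify attributes by how AD treats
# them across delete/restore. Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$FLAG_PRESERVE_ON_DELETE = 0x8   # searchFlags bit fPRESERVEONDELETE: attribute kept in the tombstone

# Identity attributes AD always keeps in the tombstone (the ones this page names).
$coreIdentityAttributes = @('objectGUID', 'objectSid', 'distinguishedName')

function Get-AttributeRestoreInfo {
    param(
        [Parameter(Mandatory)]
        [string[]]$LdapDisplayName
    )
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, attributeID, systemOnly, searchFlags
        if (-not $attr) {
            Write-Warning "Attribute '$name' not found in the schema"
            continue
        }

        $systemManaged = [bool]$attr.systemOnly
        $preserved     = (([int]$attr.searchFlags -band $FLAG_PRESERVE_ON_DELETE) -ne 0)

        if ($coreIdentityAttributes -contains $attr.lDAPDisplayName) {
            $action = 'Recovered with the object from the tombstone'
        } elseif ($systemManaged) {
            $action = 'Skip: value is set by the system'
        } elseif ($preserved) {
            $action = 'Kept in the tombstone (searchFlags fPRESERVEONDELETE)'
        } else {
            $action = 'Restore from backup'
        }

        [pscustomobject]@{
            Attribute         = $attr.lDAPDisplayName
            AttributeId       = $attr.attributeID
            SystemManaged     = $systemManaged
            PreservedOnDelete = $preserved
            RestoreAction     = $action
        }
    }
}

# Attributes named on this page, plus one ordinary writable attribute for contrast.
$attributesToCheck = @(
    'badPasswordTime', 'lastLogoff', 'lastLogon', 'uSNChanged',
    'objectGUID', 'objectSid', 'sIDHistory', 'description'
)
Get-AttributeRestoreInfo -LdapDisplayName $attributesToCheck | Format-Table -AutoSize
```

Run it as any domain user (the schema partition is readable by default); the output is a quick way to explain why a restore tool silently leaves badPasswordTime or uSNChanged alone while bringing objectSid back intact.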
Backup and restore of Active Directory computer objects that contain BitLocker recovery keys is also supported. To recover the BitLocker recovery keys, the computer object itself must be restored. Recovering a computer object from a backup that is older than the computer object’s pwdLastSet date is not recommended, because such a backup predates the account’s most recent password change.
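A pre-restore check for the caveat above, as an added example rather than code from this documentation or any backup product: it converts the computer account's `pwdLastSet` (a FILETIME) to a UTC timestamp, compares it with the backup's timestamp, and counts the `msFVE-RecoveryInformation` objects (the BitLocker recovery key objects, which are children of the computer object) so you know what a restore of that object would bring back. It assumes the ActiveDirectory module, a reachable domain controller and read access to the recovery information objects; the computer name and backup time in the call at the end are placeholders.

```powershell
# Added example (not from the original page): decide whether a given backup is recent
# enough to restore a computer object, and list the BitLocker recovery objects under it.
# Assumes the ActiveDirectory module, a reachable DC, and read access to
# msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Test-ComputerRestoreCandidate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][datetime]$BackupTimeUtc
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties pwdLastSet

    # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 means "never set".
    $pwdLastSetUtc = $null
    if ($computer.pwdLastSet -gt 0) {
        $pwdLastSetUtc = [datetime]::FromFileTimeUtc([int64]$computer.pwdLastSet)
    }

    # BitLocker recovery keys live in msFVE-RecoveryInformation children of the computer object.
    $recoveryInfo = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties whenCreated)

    # The page's rule: do not restore from a backup older than pwdLastSet.
    $backupIsCurrent = ($null -eq $pwdLastSetUtc) -or ($BackupTimeUtc -ge $pwdLastSetUtc)
    if ($backupIsCurrent) {
        $recommendation = 'Restore the computer object to recover the BitLocker keys stored under it'
    } else {
        $recommendation = 'Backup predates the last machine password change; use a newer backup'
    }

    [pscustomobject]@{
        Computer           = $computer.Name
        PwdLastSetUtc      = $pwdLastSetUtc
        BackupTimeUtc      = $BackupTimeUtc
        BackupIsCurrent    = $backupIsCurrent
        RecoveryKeyObjects = $recoveryInfo.Count
        Recommendation     = $recommendation
    }
}

# Placeholder computer name and backup timestamp (both constructed for this example).
$backupTaken = ([datetime]'2024-01-15T02:00:00Z').ToUniversalTime()
Test-ComputerRestoreCandidate -ComputerName 'WS-EXAMPLE' -BackupTimeUtc $backupTaken | Format-List
```

Feed it the timestamp of the backup set you intend to restore from; a `BackupIsCurrent` of `False` is the signal to pick a later backup rather than proceed.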