Active Directory Attributes Not Restored

Many object attributes are read-only because Active Directory controls them, so they cannot be restored to a previous value. The complete list of AD attributes is documented by Microsoft in this article. Attributes that cannot be restored are listed with an Update Privilege of “This value is set by the system”. For example, Bad-Password-Time is managed by AD and cannot be individually restored:

Entry               Value
CN                  Bad-Password-Time
Ldap-Display-Name   badPasswordTime
Size                8 bytes
Update Privilege    This value is set by the system.
Update Frequency    Each time the user enters a bad password.
Attribute-Id        1.2.840.113556.1.4.49
System-Id-Guid      bf96792d-0de6-11d0-a285-00aa003049e2
Syntax              Interval

Other examples of system-managed attributes include LastLogoff, LastLogon, and USNChanged.

Some system attributes are an integral part of the object’s identity and security context such as ObjectGUID, ObjectSid, and DistinguishedName. While these are read-only attributes managed by the system, Active Directory maintains them in the object tombstone when deleted so they can be recovered along with the object. For more information about Active Directory prerequisites, see System Requirements for Active Directory and Additional Requirements for Active Directory.

Passwords and SIDHistory are more sensitive and require additional configuration to maintain in the object tombstone as described in Enabling the Ability to Restore Passwords and SIDHistory for Active Directory.

The backup and restore of Active Directory computer objects that contain BitLocker recovery keys is also supported. To recover the BitLocker recovery keys, the computer object must be restored. It is not recommended to recover a computer object from a backup that is older than the computer object’s pwdLastSet date.
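As an added example (not from the original page or any vendor's product), the following PowerShell reads the AD schema to find the attributes the directory itself controls (schema entries flagged systemOnly), reports which attributes of a live object would therefore not come back from a restore, and applies the pwdLastSet age check described above for computer objects. It assumes the RSAT ActiveDirectory module and a joined machine; the function names and the usage DN are hypothetical.

```powershell
# Added example: report which attributes of an AD object are system-managed
# (and so not restorable) and warn when a computer-object backup predates pwdLastSet.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Get-SystemOnlyAttributeNames {
    # attributeSchema entries with systemOnly=TRUE are the ones the directory controls;
    # Microsoft documents these with Update Privilege "This value is set by the system".
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(systemOnly=TRUE))' `
        -Properties lDAPDisplayName |
        ForEach-Object { $_.lDAPDisplayName }
}

function Test-RestoreCoverage {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [datetime] $BackupTime   # when the backup was taken
    )
    $systemOnly = Get-SystemOnlyAttributeNames
    $obj = Get-ADObject -Identity $DistinguishedName -Properties *

    # Split the attributes present on the live object by restorability.
    $present  = $obj.PropertyNames
    $skipped  = $present | Where-Object { $systemOnly -contains $_ }
    $restored = $present | Where-Object { $systemOnly -notcontains $_ }

    $result = [ordered]@{
        Object               = $DistinguishedName
        RestorableAttributes = @($restored)
        SystemOnlyAttributes = @($skipped)   # e.g. badPasswordTime, lastLogon, uSNChanged
        Warning              = $null
    }

    # Computer objects: pwdLastSet records the last machine-account password change,
    # so a backup older than it holds a stale machine password and is not recommended.
    if ($obj.ObjectClass -eq 'computer' -and $obj.pwdLastSet) {
        $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$obj.pwdLastSet)
        if ($BackupTime.ToUniversalTime() -lt $pwdLastSet) {
            $result.Warning = "Backup ($BackupTime) predates pwdLastSet ($pwdLastSet UTC)"
        }
    }
    [pscustomobject]$result
}

# Usage (hypothetical DN):
# Test-RestoreCoverage -DistinguishedName 'CN=WS01,CN=Computers,DC=example,DC=com' `
#     -BackupTime (Get-Date).AddDays(-45)
```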
