Enabling the Ability to Restore Passwords

Updated

You must run the adLdapTool.exe on the client computer before you perform your first backup to enable restores of passwords for users and computers.

The adLdapTool sets the following values to the searchFlags attributes of Unicode-Pwd and SID-History found under CN=Schema and Cn=Configuration:

  • Value for Unicode-Pwd: 0x00000008

  • Value for SID-History: 0x00000009

Due to this setting, Active Directory will preserve these two attributes on deletion.

Note: If the unicodepwd attribute is preserved, you can restore the last stored password before the user was deleted. Point-in-time restores are not supported as the password is not stored in Commvault backup operations. For more information, see Microsoft article unicodePwd.

Before You Begin

Verify that you have credentials for a user account that has administrative privileges for the domain and Active Directory Schema.

Procedure

  1. Log on to the server using the user account that has administrative privileges.

  2. On the command line, go to software_installation_directory/Base, and then type the following command:

    adLdapTool.exe <domain_name\domain_administrator_user_name> <password> -hostserver <fully_qualified_directory_host_server_name> -port 389 <LDAP_port_number> -setschema 1