Comprehensive data protection for all workloads
Post Reply
rreed
Expert
Posts: 354
Liked: 72 times
Joined: Jun 30, 2015 6:06 pm
Contact:

Restore AD User/Group Based on SID?

Post by rreed » Sep 08, 2016 3:52 pm

Morning, everyone. Is it possible, and if so how please, do restore an AD user or group when you only have the SID? We found some stuff relying on a user and/or group that got deleted during an audit search and destroy but we're not sure which of the pile of users/groups the service needs. It only gives us the SID.
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)

JaxIsland7575
Veeam Vanguard
Posts: 385
Liked: 104 times
Joined: Apr 27, 2015 1:59 pm
Full Name: Ryan Jacksland
Location: NY, USA
Contact:

Re: Restore AD User/Group Based on SID?

Post by JaxIsland7575 » Sep 08, 2016 4:00 pm

I do not know of a way to restore with the SID, but is there a workstation or server that the deleted user logged into still around? The registry probably still has a copy of the SID in the Profile section.
VMCE v9

rreed
Expert
Posts: 354
Liked: 72 times
Joined: Jun 30, 2015 6:06 pm
Contact:

Re: Restore AD User/Group Based on SID?

Post by rreed » Sep 08, 2016 4:08 pm

Just confirmed it will be a group that has been deleted.
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)

Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk
Contact:

Re: Restore AD User/Group Based on SID?

Post by Kostya » Sep 08, 2016 8:18 pm

rreed wrote:Just confirmed it will be a group that has been deleted.
reed, so you would like to restore a group and all you have is a SID of this group? Correct?

rreed
Expert
Posts: 354
Liked: 72 times
Joined: Jun 30, 2015 6:06 pm
Contact:

Re: Restore AD User/Group Based on SID?

Post by rreed » Sep 08, 2016 8:29 pm

Yes, correct.
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)

tsightler
VP, Product Management
Posts: 5381
Liked: 2214 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Restore AD User/Group Based on SID?

Post by tsightler » Sep 08, 2016 9:56 pm 3 people like this post

So I don't know if there's an easier way, but I had a user with a similar requirement some time ago and found it to be much more difficult than I expected. Obviously if you haven't made a ton of changes the easiest thing to do is leverage the "Show changed objects only" feature and work through the groups, viewing the attributes of each, which include the objectSid, until you find the one you're looking for. But of course, if you happen to have recently deleted a lot of groups or your have a big AD, there might be lots of changes to sift through so it could still take a while.

My first thought when I was presented with this issue was "hmm...no big deal, I'll just use the LDAP search feature in AD Explorer to search for the SID!" So off I went and clicked the LDAP search button and entered an LDAP filter with my SID into the search box:

Code: Select all

(objectSid=S-1-5-21-1643031432-1003693700-4023357673-5613)
But it didn't work, nothing found. After about 5 seconds of thinking about it, I realized why, the SID isn't stored in AD using the user friendly format above (as much as that's user friendly), but rather as a hexadecimal string. I've run across this issue in a previous life when trying to manipulate a bunch of Exchange objects in Powershell, so a quick Google search and I found some simple Powershell code to convert the user friendly SID string into a hex string, but it produced output like this :

Code: Select all

01 05 00 00 00 00 00 05 15 00 00 00 88 AB EE 61 84 26 D3 3B E9 90 CF EF ED 15 00 00
This wasn't quite perfect for an LDAP filter so I modified the script very slightly (and crudely) to give this output instead:

Code: Select all

\01\05\00\00\00\00\00\05\15\00\00\00\88\AB\EE\61\84\26\D3\3B\E9\90\CF\EF\ED\15\00\00
So now we're cooking with gas! Since we now have the hex string of the SID we can finally leverage the "Use LDAP Filter" option in AD Explorer, just make sure that button is selected (clicking it toggles the LDAP filter search on and off) and pop in the following into the search box (obviously substituting your own SID hex string generated by the Powershell script):

Code: Select all

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\88\AB\EE\61\84\26\D3\3B\E9\90\CF\EF\ED\15\00\00)
And there's the magic! We found an object by searching for the SID using Veeam AD Explorer LDAP Filter capability! I really hope there's not some super simple way that I overlooked, because otherwise I did a lot of work for nothing (OK, actually it was only like 5-10 minutes of Googling and hacking around on a script, but I'll pretend like that was a lot of work). In my case the customer had a huge AD and had several hundred groups with changes since their last AD backup so my 5-10 minutes was still a huge time saver for them.

Below is the Powershell script, it prompts for a SID, which it expects in the standard format, and spits out the HEX string, all formatted for use in an LDAP filter. Credit for the script goes to http://poshcode.org/2038 because that's where I found it and I only modified it very slightly to change the output for use with an LDAP filter.

If you don't happen to want to use the Powershell script, there's a simple tool called SID Translator over at codeplex that does the same thing, but it produces output with spaces instead of backslashes, so you'd have to do a little search and replace on the string before you could use it as an LDAP search.

Code: Select all

$sidstring = Read-Host -Prompt 'Please enter SID String'
 
# Create SID .NET object using SID string provided
$sid = New-Object system.Security.Principal.SecurityIdentifier $sidstring
 
# Create a byte array of the proper length
$sidBytes = New-Object byte[] $sid.BinaryLength
 
#Convert to bytes
$sid.GetBinaryForm( $sidBytes, 0 )
 
# Iterate through bytes, converting each to the hexidecimal equivalent
$hexArr = $sidBytes | ForEach-Object { $_.ToString("X2") }
 
# Join the hex array into a single string with \ for use as LDAP filter
$ldapSid = "\" + ($hexArr -join '\')

write-host "HEX SID string is:" $ldapSid

rreed
Expert
Posts: 354
Liked: 72 times
Joined: Jun 30, 2015 6:06 pm
Contact:

Re: Restore AD User/Group Based on SID?

Post by rreed » Sep 09, 2016 1:15 pm

Dang, that's some fancy shootin right there! Well done. And yes, while not quite on the scale of having deleted hundreds of groups or users, we still had to delete a pretty good pile. To that point, I can't see this being a one off or even rare case, audits that require deletion of percieved unused users/groups are commonplace nowadays.

Could we get this added as an expedited straight forward feature request please??
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)

Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk
Contact:

Re: Restore AD User/Group Based on SID?

Post by Kostya » Sep 13, 2016 3:57 pm 2 people like this post

rreed wrote:Could we get this added as an expedited straight forward feature request please??
Just FYI: Backup 9.5 RTM will support LDAP query in form of "(objectSid=S-1-5-21-1643031432-1003693700-4023357673-5613)"

tsightler
VP, Product Management
Posts: 5381
Liked: 2214 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Restore AD User/Group Based on SID?

Post by tsightler » Sep 13, 2016 5:44 pm

Nice!

Post Reply

Who is online

Users browsing this forum: Google [Bot], Janne.Haatainen and 57 guests