rreed
Veteran
Posts: 354
Liked: 73 times
Joined: Jun 30, 2015 6:06 pm

Restore AD User/Group Based on SID?

Post by rreed »

Morning, everyone. Is it possible, and if so how please, do restore an AD user or group when you only have the SID? We found some stuff relying on a user and/or group that got deleted during an audit search and destroy but we're not sure which of the pile of users/groups the service needs. It only gives us the SID.
VMware 6
Veeam B&R v9
Dell DR4100's
EMC DD2200's
EMC DD620's
Dell TL2000 via PE430 (SAS)
JaxIsland7575
Veteran
Posts: 391
Liked: 107 times
Joined: Apr 27, 2015 1:59 pm
Full Name: Ryan Jacksland
Location: NY, USA

Re: Restore AD User/Group Based on SID?

Post by JaxIsland7575 »

I do not know of a way to restore with the SID, but is there a workstation or server that the deleted user logged into still around? The registry probably still has a copy of the SID in the Profile section.
VMCE v9
rreed
Veteran
Posts: 354
Liked: 73 times
Joined: Jun 30, 2015 6:06 pm

Re: Restore AD User/Group Based on SID?

Post by rreed »

Just confirmed it will be a group that has been deleted.
Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk

Re: Restore AD User/Group Based on SID?

Post by Kostya »

rreed wrote: Just confirmed it will be a group that has been deleted.
rreed, so you would like to restore a group, and all you have is the SID of this group? Correct?
rreed
Veteran
Posts: 354
Liked: 73 times
Joined: Jun 30, 2015 6:06 pm

Re: Restore AD User/Group Based on SID?

Post by rreed »

Yes, correct.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Restore AD User/Group Based on SID?

Post by tsightler » 3 people like this post

So I don't know if there's an easier way, but I had a user with a similar requirement some time ago and found it to be much more difficult than I expected. Obviously, if you haven't made a ton of changes, the easiest thing to do is leverage the "Show changed objects only" feature and work through the groups, viewing the attributes of each, which include the objectSid, until you find the one you're looking for. But of course, if you happen to have recently deleted a lot of groups or you have a big AD, there might be lots of changes to sift through, so it could still take a while.

My first thought when I was presented with this issue was "hmm...no big deal, I'll just use the LDAP search feature in AD Explorer to search for the SID!" So off I went and clicked the LDAP search button and entered an LDAP filter with my SID into the search box:

(objectSid=S-1-5-21-1643031432-1003693700-4023357673-5613)
But it didn't work, nothing found. After about 5 seconds of thinking about it, I realized why: the SID isn't stored in AD using the user-friendly format above (as much as that's user-friendly), but rather as a hexadecimal string. I've run across this issue in a previous life when trying to manipulate a bunch of Exchange objects in PowerShell, so a quick Google search and I found some simple PowerShell code to convert the user-friendly SID string into a hex string, but it produced output like this:

01 05 00 00 00 00 00 05 15 00 00 00 88 AB EE 61 84 26 D3 3B E9 90 CF EF ED 15 00 00
This wasn't quite perfect for an LDAP filter so I modified the script very slightly (and crudely) to give this output instead:

\01\05\00\00\00\00\00\05\15\00\00\00\88\AB\EE\61\84\26\D3\3B\E9\90\CF\EF\ED\15\00\00
So now we're cooking with gas! Since we now have the hex string of the SID, we can finally leverage the "Use LDAP Filter" option in AD Explorer. Just make sure that button is selected (clicking it toggles the LDAP filter search on and off) and pop the following into the search box (obviously substituting your own SID hex string generated by the PowerShell script):

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\88\AB\EE\61\84\26\D3\3B\E9\90\CF\EF\ED\15\00\00)
And there's the magic! We found an object by searching for the SID using Veeam AD Explorer LDAP Filter capability! I really hope there's not some super simple way that I overlooked, because otherwise I did a lot of work for nothing (OK, actually it was only like 5-10 minutes of Googling and hacking around on a script, but I'll pretend like that was a lot of work). In my case the customer had a huge AD and had several hundred groups with changes since their last AD backup so my 5-10 minutes was still a huge time saver for them.

Below is the PowerShell script; it prompts for a SID, which it expects in the standard format, and spits out the hex string, all formatted for use in an LDAP filter. Credit for the script goes to http://poshcode.org/2038 because that's where I found it, and I only modified it very slightly to change the output for use with an LDAP filter.

If you don't happen to want to use the PowerShell script, there's a simple tool called SID Translator over at CodePlex that does the same thing, but it produces output with spaces instead of backslashes, so you'd have to do a little search and replace on the string before you could use it in an LDAP search.

$sidstring = Read-Host -Prompt 'Please enter SID String'

# Create a SID .NET object from the SID string provided (S-1-5-21-... format)
$sid = New-Object System.Security.Principal.SecurityIdentifier $sidstring

# Create a byte array of the proper length for the binary SID
$sidBytes = New-Object byte[] $sid.BinaryLength

# Convert to bytes (the same binary layout AD stores in objectSid)
$sid.GetBinaryForm($sidBytes, 0)

# Iterate through the bytes, converting each to its two-digit hexadecimal equivalent
$hexArr = $sidBytes | ForEach-Object { $_.ToString("X2") }

# Join the hex array into a single string with \ separators for use in an LDAP filter
$ldapSid = "\" + ($hexArr -join '\')

Write-Host "HEX SID string is:" $ldapSid
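An added Python example (not the script from the post and not Veeam's code) that does the same conversion as the PowerShell above and also the reverse: it builds the binary objectSid layout by hand (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities), emits the \XX-escaped filter value, and decodes either that form or the space-separated output the SID Translator tool produces back to a readable SID. The function names are my own.

```python
import re
import struct

# Added example (not the forum's script): round-trips a Windows SID between
# its text form and the binary objectSid layout stored in AD, and builds or
# decodes the RFC 4515 hex-escaped LDAP filter value.

SID_TEXT = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$", re.IGNORECASE)

def sid_to_bytes(sid: str) -> bytes:
    """S-R-A-s1-... -> revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then each sub-authority as LE uint32."""
    m = SID_TEXT.match(sid.strip())
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if not 1 <= len(subs) <= 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects data whose length disagrees with the count byte."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID (%d bytes)" % len(data))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "S-%d-%d%s" % (data[0], authority, "".join("-%d" % s for s in subs))

def ldap_hex(data: bytes) -> str:
    """Escape binary as \\XX pairs, the form an LDAP filter (and AD Explorer) accepts."""
    return "".join("\\%02X" % b for b in data)

def objectsid_filter(sid: str) -> str:
    """The complete filter to paste into the 'Use LDAP Filter' search box."""
    return "(objectSid=%s)" % ldap_hex(sid_to_bytes(sid))

def hex_to_sid(text: str) -> str:
    """Decode '\\01\\05...' (LDAP form) or '01 05 ...' (SID Translator output)."""
    pairs = re.findall(r"[0-9A-Fa-f]{2}", text)
    return bytes_to_sid(bytes(int(p, 16) for p in pairs))

if __name__ == "__main__":
    sid = "S-1-5-21-1643031432-1003693700-4023357673-5613"  # the SID from the thread
    print(objectsid_filter(sid))
    print(hex_to_sid("01 05 00 00 00 00 00 05 15 00 00 00 88 AB EE 61 84 26 D3 3B E9 90 CF EF ED 15 00 00"))
```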
rreed
Veteran
Posts: 354
Liked: 73 times
Joined: Jun 30, 2015 6:06 pm

Re: Restore AD User/Group Based on SID?

Post by rreed »

Dang, that's some fancy shootin' right there! Well done. And yes, while not quite on the scale of having deleted hundreds of groups or users, we still had to delete a pretty good pile. To that point, I can't see this being a one-off or even a rare case; audits that require deletion of perceived unused users/groups are commonplace nowadays.

Could we get this added as an expedited, straightforward feature request please?
Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk

Re: Restore AD User/Group Based on SID?

Post by Kostya » 2 people like this post

rreed wrote: Could we get this added as an expedited, straightforward feature request please?
Just FYI: Backup 9.5 RTM will support an LDAP query in the form of "(objectSid=S-1-5-21-1643031432-1003693700-4023357673-5613)"
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Restore AD User/Group Based on SID?

Post by tsightler »

Nice!