Comprehensive data protection for all workloads
patricknh
Influencer
Posts: 14
Liked: 1 time
Joined: Dec 21, 2020 4:17 pm
Full Name: Patrick holt

Restore a deleted GMSA

Post by patricknh »

Can Veeam restore a deleted GMSA account? I can see the OU in the backup but not the accounts, which makes me wonder what is missing.
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Restore a deleted GMSA

Post by HannesK »

Hello,
Yes, group managed service accounts are not shown in the Veeam Explorer for Active Directory, so there is no "right click & restore".

Just curious: did you find _any_ way to restore a gMSA account?

Best regards,
Hannes
patricknh
Influencer

Re: Restore a deleted GMSA

Post by patricknh »

No, I was hoping someone here could tell me if there was a way to do it. Presumably the information is there in the backup of the .dit. I have opened a ticket with support, as this is one of the things we require Veeam to be able to do.
HannesK
Product Manager

Re: Restore a deleted GMSA

Post by HannesK »

Okay, looks like I was not clear enough: there is no option in Veeam Explorer for AD to do that.

I also asked support to close case 05346933 as it is not a break & fix issue.
patricknh
Influencer

Re: Restore a deleted GMSA

Post by patricknh »

I would prefer support to call and work with me.
veremin
Product Manager
Posts: 20736
Liked: 2403 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: Restore a deleted GMSA

Post by veremin »

The support team cannot provide you with functionality that does not exist in the product, so there is no need to keep the case open. Thanks!
patricknh
Influencer

Re: Restore a deleted GMSA

Post by patricknh »

Also, this inability to restore a GMSA is not listed as a limitation on your list of limitations for the AD recovery product. Is there a reason that a GMSA should not be able to be restored? Is there some fundamental difference that keeps Veeam from backing up the OU but not the accounts within?
Gostev
Chief Product Officer
Posts: 32761
Liked: 7971 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Restore a deleted GMSA

Post by Gostev » 1 person likes this post

Veeam backs up the entire domain controller image, as opposed to performing application item level backup you're describing. I'm not exactly sure why Veeam Explorer for Active Directory does not support restoring such accounts though. @PetrM could you investigate with the dev team and update?
patricknh
Influencer

Re: Restore a deleted GMSA

Post by patricknh »

@Gostev thank you for your response. Sorry, I got my wording backwards: it seems Veeam can back up and restore the MSA OU where GMSAs live and any OU beneath it, but not the accounts within. Now, when we purchased Veeam as an enterprise we were told it could restore all AD accounts (this is what we bought it for), and GMSAs are accounts; they just have a different object class or category, to my understanding. While Veeam does back up the entire image, when your AD recovery tool runs it's mounting the AD parts in an offline fashion, and if those GMSAs live in the .dit or registry or sysvol, etc., then in theory at least they are there to be restored; maybe the tool just doesn't know how to filter for them. Or if there is some reason that no tool can recover a deleted GMSA because there is something unique technically to an MSA or GMSA, then that is something that would be acceptable if communicated or documented.
Gostev
Chief Product Officer

Re: Restore a deleted GMSA

Post by Gostev » 1 person likes this post

Yes, we purposely filter out all special object types just to be on the safe side, as restoring them can lead to unpredictable results. Active Directory does not really have a supported way of restoring most of its special entities, meaning that in the best-case scenario the restored entity might just not work, but in the worst case such a restoration might break the entire Active Directory. But I've asked dev and QC folks to schedule some time to revisit GMSA restoration specifically.
HannesK
Product Manager

Re: Restore a deleted GMSA

Post by HannesK »

Hello,
While investigating options... how do you use the gMSAs? Do you assign any permissions to them, for example on Windows file shares or NTFS folder permissions?

Best regards,
Hannes
patricknh
Influencer

Re: Restore a deleted GMSA

Post by patricknh »

Hannes,
It can vary by the group requesting. When possible we add the GMSA to a group that has permissions to do what it needs to do, but in some cases it might be granted "log on as batch" or "log on as service". We wouldn't normally have them associated directly with a file share like in your example.

That help?
Gostev
Chief Product Officer

Re: Restore a deleted GMSA

Post by Gostev » 1 person likes this post

Yes, it does. Devs confirmed that the GMSA account cannot really be "restored"; they can only create a new account with the same name. This will likely trigger re-assigning permissions to the new account in every place where it was used, because typically permissions are granted to a SID (which will be different for a new account), as opposed to an account name. With that in mind, does it even help you to "restore" a GMSA account?
Gostev
Chief Product Officer

Re: Restore a deleted GMSA

Post by Gostev »

Do you have an Active Directory recycle bin enabled?
HannesK
Product Manager

Re: Restore a deleted GMSA

Post by HannesK »

When you lost a gMSA... did you try re-creating it with the same name (and computers that are allowed to use it)? I just tried it out with a service and after I rebooted the machine, the service started fine with the new gMSA account.
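The re-creation Hannes describes, as an added example that is not from the thread or from Veeam: it re-creates the gMSA under the same name and allowed hosts, shows that the replacement gets a different SID (Gostev's point about ACEs), and re-points a service at it. Domain corp.example.com, account svc_app, hosts APP01/APP02, service AppService and the old SID are constructed values.

```powershell
# Added example (not from the thread): re-create a deleted gMSA under the same
# name and show that the new object is a new security principal (new SID).
# Constructed values: domain, account name, host names, service name, old SID.
Import-Module ActiveDirectory

$Name   = 'svc_app'
$Domain = 'corp.example.com'
$Hosts  = 'APP01$', 'APP02$'     # computers allowed to retrieve the password
$OldSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # recorded before deletion (constructed)

# A gMSA can only be created once the forest has a KDS root key.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key in the forest; create one before creating gMSAs.'
}

# 1. Re-create the account with the same name and the same allowed principals.
New-ADServiceAccount -Name $Name `
    -DNSHostName "$Name.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $Hosts `
    -Enabled $true

# 2. The replacement is a different principal: every ACE, group membership or
#    "Log on as a service" right that referenced the old SID must be re-granted.
$NewSid = (Get-ADServiceAccount -Identity $Name).SID.Value
if ($NewSid -ne $OldSid) {
    Write-Warning "Re-created $Name has SID $NewSid; ACEs still pointing at $OldSid are orphaned."
}

# 3. On each application host: install the gMSA, verify the host can retrieve
#    its managed password, and point the service at it. gMSA logons use the
#    account name with a trailing '$' and an empty password.
Invoke-Command -ComputerName ($Hosts -replace '\$$') -ScriptBlock {
    param($Name, $Domain)
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$env:COMPUTERNAME cannot retrieve the managed password for $Name"
    }
    $netbios = ($Domain -split '\.')[0].ToUpper()
    sc.exe config AppService obj= "$netbios\$Name`$" password= ""
    Restart-Service -Name AppService
} -ArgumentList $Name, $Domain
```

Test-ADServiceAccount can still fail right after the host is added to the allowed principals, because the host's Kerberos ticket does not yet carry the new group membership; a reboot, as Hannes did, refreshes it.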
Grime121
Influencer
Posts: 19
Liked: 1 time
Joined: Apr 10, 2020 6:02 pm
Full Name: Evan

Re: Restore a deleted GMSA

Post by Grime121 »

Surely you have the AD Recycle Bin enabled... If so, just restore the account from the Deleted Objects OU. You can do this via the AD Administrative Center management console. Any deleted AD object can be restored, as long as you have the AD Recycle Bin enabled. Deleted AD objects are retained in the recycle bin for a very long time. I'm not sure what the exact amount of time is, but it is at least a couple of months.
salih57
Novice
Posts: 9
Liked: 1 time
Joined: Aug 02, 2018 6:22 am
Full Name: salih tasdemir

Re: Restore a deleted GMSA

Post by salih57 »

As I remember, it is six months that you can restore it.
Grime121
Influencer

Re: Restore a deleted GMSA

Post by Grime121 » 1 person likes this post

Yeah, that sounds about right. Bottom line, you should be able to restore from the AD Recycle Bin. As long as the AD Forest Functional Level is 2008 R2 or higher (and the Domain Functional Level is, too), you have the ability to enable the AD Recycle Bin. In fact, I think the AD Recycle Bin is enabled by default for new AD Forests/Domains beginning at the 2008 R2 level. If for some reason you do not have the AD Recycle Bin enabled, you should enable it ASAP. It is a game changer.

If you did not have the AD Recycle Bin enabled when this gMSA was deleted, then the only option you have is to simply recreate it and add the necessary permissions for it everywhere that they are needed. If you know what the SID was for the original gMSA, you might be able to come up with a PowerShell script that will search the NTFS and/or file share permissions on all of your servers to identify where that SID was being used. It would probably be easier to just ask the application owner where this account needs read/write permissions, though, and add them back to those locations. Surely there aren't THAT many places this account needs access to...

If the AD Recycle Bin is not enabled in all of your domains, enable it ASAP!
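The recycle-bin route from the last two posts (and the SID search Grime121 suggests), as an added example that is not from the thread: it checks whether the Recycle Bin feature is enabled, reads how long deleted objects stay restorable, restores a deleted gMSA from Deleted Objects with its original SID intact, and otherwise lists NTFS ACEs that still carry the orphaned SID. Forest corp.example.com, gMSA svc_app, share root D:\Shares and the SID string are constructed values.

```powershell
# Added example (not from the thread): AD Recycle Bin check/enable, restore of a
# deleted gMSA, and a search for NTFS ACEs left behind by an orphaned SID.
# Constructed values: forest name, account name, share root, SID string.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'
$Name   = 'svc_app'

# 1. Is the optional feature enabled for this forest? EnabledScopes is empty if not.
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    # Forest-wide and irreversible; requires Enterprise Admin rights.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# 2. Retention: msDS-DeletedObjectLifetime, falling back to tombstoneLifetime when unset.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$days = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
Write-Host "Deleted objects stay restorable for $days days"

# 3. Find the deleted gMSA by its last known name and restore it. The restored
#    object keeps its GUID and SID, so existing ACEs keep working.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'msDS-GroupManagedServiceAccount' } `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, objectSid |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $Name }
if ($deleted) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    Write-Host "Restored $Name ($($deleted.objectSid)) into $($deleted.lastKnownParent)"
}

# 4. Without the recycle bin: folders whose ACLs still reference the old SID.
#    Once the account is gone, Get-Acl cannot resolve it, so IdentityReference
#    is the raw 'S-1-5-21-...' string rather than a DOMAIN\name.
function Find-OrphanedSidAces {
    param([string]$Root, [string]$Sid)
    Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq $Sid) {
                [pscustomobject]@{ Path = $_.FullName; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType }
            }
        }
    }
}
Find-OrphanedSidAces -Root 'D:\Shares' -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1234'
```

The ACE search only covers NTFS; share-level permissions, group memberships and user-rights assignments ("Log on as a service") referencing the old SID must be checked separately.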