- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Restore a deleted GMSA
Can Veeam restore a deleted GMSA account? I can see the OU in the backup but not the accounts, which makes me wonder what is missing.

- HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Restore a deleted GMSA
Hello,
yes, group managed service accounts are not shown in the Veeam Explorer for Active Directory. So there is no "right click & restore".
Just curious: did you find _any_ way to restore a gMSA account?
Best regards,
Hannes

- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Re: Restore a deleted GMSA
No, I was hoping someone here could tell me if there was a way to do it. Presumably the information is there in the backup of the .dit. I have opened a ticket with support, as this is one of the things we require Veeam to be able to do.

- HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Restore a deleted GMSA
Okay, looks like I was not clear enough: there is no option in Veeam Explorer for AD to do that.
I also asked support to close case 05346933, as it is not a break & fix.

- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Re: Restore a deleted GMSA
I would prefer that support call and work with me.

- veremin
- Product Manager
- Posts: 20736
- Liked: 2403 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Restore a deleted GMSA
The support team cannot provide you with functionality that does not exist in the product, so there is no need to keep the case open. Thanks!

- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Re: Restore a deleted GMSA
Also, this inability to restore a GMSA is not listed as a limitation on your list of limitations for the AD recovery product. Is there a reason that a GMSA should not be able to be restored? Is there some fundamental difference that keeps Veeam from backing up the OU but not the accounts within?

- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7971 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Restore a deleted GMSA
Veeam backs up the entire domain controller image, as opposed to performing application item level backup you're describing. I'm not exactly sure why Veeam Explorer for Active Directory does not support restoring such accounts though. @PetrM could you investigate with the dev team and update?

- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Re: Restore a deleted GMSA
@Gostev thank you for your response. Sorry, I got my wording backwards: it seems Veeam can back up and restore the MSA OU where GMSAs live, and any OU beneath it, but not the accounts within. Now, when we purchased Veeam as an enterprise we were told it could restore all AD accounts (this is what we bought it for), and GMSAs are accounts; they just have a different object class or category, to my understanding. While Veeam does back up the entire image, when your AD recovery tool runs it is mounting the AD parts in an offline fashion, and if those GMSAs live in the .dit or registry or SYSVOL, etc., then in theory at least they are there to be restored; maybe the tool just doesn't know how to filter for them. Or, if there is some reason that no tool can recover a deleted GMSA because there is something technically unique to an MSA or GMSA, then that is something that would be acceptable if communicated or documented.

- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7971 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Restore a deleted GMSA
Yes, we purposely filter out all special object types just to be on the safe side, as restoring them can lead to unpredictable results. Active Directory does not really have a supported way of restoring most of its special entities, meaning that in the best case the restored entity might just not work, but in the worst case such a restoration might break the entire Active Directory. But I've asked the dev and QC folks to schedule some time to revisit GMSA restoration specifically.

- HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Restore a deleted GMSA
Hello,
While investigating options... how do you use the gMSAs? Do you assign any permissions to them, for example on Windows file shares or NTFS folder permissions?
Best regards,
Hannes

- patricknh
- Influencer
- Posts: 14
- Liked: 1 time
- Joined: Dec 21, 2020 4:17 pm
- Full Name: Patrick holt
- Contact:
Re: Restore a deleted GMSA
Hannes,
It can vary by the group requesting. When possible we add the GMSA to a group that has the permissions to do what it needs to do, but in some cases it might be granted "log on as a batch job" or "log on as a service". We wouldn't normally have them associated directly with a file share like in your example.
That help?

- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7971 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Restore a deleted GMSA
Yes, it does. Devs confirmed that the GMSA account cannot really be "restored"; they can only create a new account with the same name. This will likely trigger re-assigning permissions to the new account in every place where it was used, because typically permissions are granted to a SID (which will be different for a new account), as opposed to an account name. With that in mind, does it even help you to "restore" a GMSA account?

- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7971 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Restore a deleted GMSA
Do you have an Active Directory recycle bin enabled?

- HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Restore a deleted GMSA
When you lost a gMSA... did you try re-creating it with the same name (and the computers that are allowed to use it)? I just tried it out with a service, and after I rebooted the machine, the service started fine with the new gMSA account.

- Grime121
- Influencer
- Posts: 19
- Liked: 1 time
- Joined: Apr 10, 2020 6:02 pm
- Full Name: Evan
- Contact:
Re: Restore a deleted GMSA
Surely you have the AD Recycle Bin enabled…. If so, just restore the account from the Deleted Objects OU. You can do this via the AD Administration Center management console. Any deleted AD object can be restored, as long as you have AD recycle bin enabled. Deleted AD objects are retained in the recycle bin for a very long time. I’m not sure what the exact amount of time is, but it is at least a couple of months.
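The Recycle Bin check Gostev asks about and the Deleted Objects restore described in the post above, as an added PowerShell example (not code from the thread, from Veeam, or from any poster). It assumes the ActiveDirectory RSAT module on a domain-joined admin host with rights to restore objects; the gMSA name svc-app01 is hypothetical. It also reads the retention period from the directory, which the thread only estimates.

```powershell
# Added example, not code from the thread or from Veeam: check the AD Recycle Bin
# state, show how long deleted objects stay restorable, and restore a deleted gMSA
# from the Deleted Objects container. 'svc-app01' is a hypothetical gMSA name.
Import-Module ActiveDirectory

$gmsaName = 'svc-app01'   # hypothetical; the object's CN (sAMAccountName without the trailing '$')

# 1. Is the Recycle Bin enabled for this forest? Without it a deleted object is a
#    tombstone stripped of most attributes and cannot be brought back intact.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Write-Warning 'AD Recycle Bin is not enabled, so this gMSA cannot be restored from Deleted Objects.'
    Write-Warning ("Enabling it is forest-wide and cannot be undone: Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target " + (Get-ADForest).Name)
    return
}

# 2. How long does a deleted object stay restorable? msDS-DeletedObjectLifetime,
#    falling back to tombstoneLifetime when it is unset (both in days).
$dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
                      -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$lifetime = if ($dsCfg.'msDS-DeletedObjectLifetime') { $dsCfg.'msDS-DeletedObjectLifetime' } else { $dsCfg.tombstoneLifetime }
"Deleted objects stay restorable for $lifetime days"

# 3. Locate the deleted gMSA. Deleted objects keep isDeleted=TRUE, the original
#    RDN in msDS-LastKnownRDN and, importantly, the original SID in objectSid.
$ldap = "(&(isDeleted=TRUE)(objectClass=msDS-GroupManagedServiceAccount)(msDS-LastKnownRDN=$gmsaName))"
$deleted = @(Get-ADObject -LDAPFilter $ldap -IncludeDeletedObjects `
             -Properties objectSid, lastKnownParent, whenChanged, 'msDS-LastKnownRDN')

if ($deleted.Count -eq 0) { throw "No deleted gMSA named '$gmsaName' in Deleted Objects (already recycled, or never existed)." }
if ($deleted.Count -gt 1) { throw "Several deleted objects match; pick one and call Restore-ADObject -Identity <ObjectGUID> directly." }
$victim = $deleted[0]
"Found {0} (SID {1}) last seen under {2}, changed {3}" -f $victim.'msDS-LastKnownRDN', $victim.objectSid, $victim.lastKnownParent, $victim.whenChanged

# 4. Restore in place. Restore-ADObject puts the object back under lastKnownParent;
#    if that OU was deleted as well, restore it first or pass -TargetPath.
if (-not (Get-ADObject -LDAPFilter "(distinguishedName=$($victim.lastKnownParent))")) {
    throw "Parent container $($victim.lastKnownParent) no longer exists; restore it first or use -TargetPath."
}
Restore-ADObject -Identity $victim.ObjectGUID

# 5. Verify. The SID is unchanged, so ACLs, user-rights assignments and group
#    memberships that referenced it are valid again, and the hosts allowed to
#    retrieve the managed password come back with the object.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf |
    Select-Object Name, SID, Enabled, PrincipalsAllowedToRetrieveManagedPassword, MemberOf
```

After the restore, run Test-ADServiceAccount on each host listed in PrincipalsAllowedToRetrieveManagedPassword and restart the services that run as the account; nothing else needs re-permissioning because the SID survived. Once the lifetime in step 2 has elapsed the object is recycled, the filter in step 3 no longer finds it, and only re-creation remains.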

- salih57
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Aug 02, 2018 6:22 am
- Full Name: salih tasdemir
- Contact:
Re: Restore a deleted GMSA
As I remember, you have six months in which you can restore it.

- Grime121
- Influencer
- Posts: 19
- Liked: 1 time
- Joined: Apr 10, 2020 6:02 pm
- Full Name: Evan
- Contact:
Re: Restore a deleted GMSA
Yeah, that sounds about right. Bottom line, you should be able to restore from the AD recycle bin. As long as the AD Forest Functional Level is 2008 R2 or higher (and the Domain Functional Level is, too), you have the ability to enable the AD Recycle Bin. In fact, I think the AD Recycle Bin is enabled by default for new AD Forests/Domains beginning at the 2008 R2 Level. If for some reason you do not have the AD Recycle Bin enabled, you should enable it ASAP. It is a game changer.
If you did not have the AD Recycle Bin enabled when this gMSA was deleted, then the only option you have is to simply recreate it, and add the necessary permissions for it everywhere that they are needed. If you know what the SID was for the original gMSA, you might be able to come up with a PowerShell script that will search the NTFS and/or file share permissions on all of your servers, to identify where that SID was being used. It would probably be easier to just ask the application owner where this account needs read/write permissions though, and add them back to those locations. Surely there aren’t THAT many places this account needs access to….
If AD Recycle Bin is not enabled in all of your domains, enable it ASAP!
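Hannes's re-create test and the old-SID search suggested in the post above, as one added PowerShell example (not code from the thread, from Veeam, or from any poster). The account name, host names, old SID and scan paths are hypothetical; it assumes the ActiveDirectory RSAT module, a KDS root key already present in the forest, and rights to create the gMSA and to read and modify the scanned ACLs.

```powershell
# Added example, not code from the thread or from Veeam: re-create a gMSA under
# its old name when no Recycle Bin copy exists, then find and rewrite explicit
# NTFS ACEs that still point at the old (now orphaned) SID. All values below are
# hypothetical.
Import-Module ActiveDirectory

$gmsaName  = 'svc-app01'                                   # hypothetical
$hosts     = 'APP01$', 'APP02$'                            # hypothetical computers allowed to use it
$oldSid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1234'  # hypothetical SID of the deleted gMSA (from an old ACL, backup, or Deleted Objects)
$scanRoots = 'D:\App', 'D:\Logs'                           # hypothetical paths to scan
$apply     = $false                                        # $false = report only; $true = rewrite ACEs

# 1. Re-create. The new object gets a fresh SID, which is why steps 3-4 are needed
#    even though the name matches (permissions are stored by SID, not by name).
$newGmsa = New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$((Get-ADDomain).DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -PassThru
$newSid = $newGmsa.SID
"New gMSA $($newGmsa.SamAccountName) has SID $newSid (old SID was $oldSid)"

# 2. On each host in $hosts, after AD replication:
#      Install-ADServiceAccount $gmsaName
#      Test-ADServiceAccount    $gmsaName     # $true once the host can fetch the managed password
#    then restart the services configured to run as DOMAIN\svc-app01$.

# 3. Scan for explicit ACEs that reference the old SID. Asking for the rules as
#    SecurityIdentifier sidesteps name resolution, which fails for a deleted
#    account and would otherwise show the SID only as an unresolved string.
$sidType = [System.Security.Principal.SecurityIdentifier]
$hits = foreach ($root in $scanRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }
        # explicit ACEs only; inherited ones are corrected at the folder they come from
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            if ($rule.IdentityReference -eq $oldSid) {
                [pscustomobject]@{ Path = $_.FullName; Rights = $rule.FileSystemRights; Type = $rule.AccessControlType }
            }
        }
    }
}
$hits | Format-Table -AutoSize

# 4. Rewrite each hit: clone the ACE with the new SID, drop the orphaned one.
if ($apply) {
    foreach ($hit in $hits) {
        $acl = Get-Acl -LiteralPath $hit.Path
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            if ($rule.IdentityReference -ne $oldSid) { continue }
            $clone = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $newSid, $rule.FileSystemRights, $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
            $acl.RemoveAccessRuleSpecific($rule)
            $acl.AddAccessRule($clone)
        }
        Set-Acl -LiteralPath $hit.Path -AclObject $acl
    }
}
```

Run it once with `$apply = $false` and review the hit list before switching it on. NTFS is only one place the old SID can live: "Log on as a service" and "Log on as a batch job" assignments (visible as `*S-1-5-21-...` entries in a `secedit /export /cfg` dump or in the GPO that grants them), share permissions and group memberships all need the same treatment, which is the work a Recycle Bin restore avoids by keeping the original SID.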