What is modified in the AD Schema to allow the recovery of a deleted user account's password? (SL3855)

The value of the "searchFlag" attribute on the "unicodePwd" Schema object is changed from the default integer value of '0' to '8'. The attribute is a bitmask that specifies whether or not to keep the attribute available for search when the user object is deleted and a tombstone is created.

Additional Information:

During configuration of the Active Administrator Object Level Backup service the following message may appear:

When the 'Yes' button is clicked the Active Administrator Forest Prep Utility (AAForestPrep.exe) is run in the background to make the modification described in the 'CAUSE: ' section of this article.

The Forest Prep Utility can also be invoked manually:

• by clicking the 'Password Recovery...' button on the Object Level Backup service's configuration dialog, or

• through the Active Administrator program group on the Start menu.

The value of the "searchFlag" attribute on the "unicodePwd" Schema object can be viewed and edited using the ADSIEdit tool. To do this:

Open a Microsoft Management Console, then add the ADSIEdit snap-in:

Once loaded, right-click on the ADSI Edit node in the left pane and select 'Connect to...', and select the Schema Naming Context:

Expand the server object, then click on the Schema container to display the Schema objects in the right-side pane. Locate the "unicodePwd" object, then right-click on it and select 'Properties':

On the Attribute Editor tab, locate the 'searchFlags' attribute:

BEFORE                                                                                           

 AFTER

As mentioned above, the value can also be modified using the 'Edit' button: changing the value manually from '0' to '8' (or conversely) through ADSIEdit will be reflected in Forest Prep Utility's "Supports Password Restore" field when it's 'Refresh' button is clicked.