Being serious about Disaster Recovery means taking into account events like 9/11. Being serious about Active Directory means being serious about Backup and Restore. But… All work and no play makes Jack a dull boy. That’s why sometimes you need to have a little fun. For fun times’ sake, let’s look at the LDAP Filter capability of Veeam’s Explorer for Active Directory tool.
About Veeam Explorer for Active Directory
When I first encountered Veeam technologies, their complete system backups made little sense to me. I had been working with Veritas products, where agents need to be installed (and licensed) to get not just the contents of the hard drive, but the necessary files for roles as well. I had grown accustomed to the Agent for Microsoft Active Directory and Agent for Microsoft Exchange Server.
Veeam does away with all of that. All the files you need are part of the one backup file, when you choose to make Application-consistent backups. You simply need a different tool to get the information for specific roles. You want the application- or service-specific restore logic, too, so it’s a win-win situation.
You can access the Explorer for Active Directory by starting it up through the Start Menu, or by right-clicking a (virtual) Domain Controller’s backup, selecting Restore application items… from the menu, and then selecting Microsoft Active Directory objects….
Explorer for Active Directory’s LDAP Filter
When you use Veeam Explorer for Active Directory in restore mode, there is a button on the task bar, labeled Use LDAP Filter:
This button has been my savior on many occasions.
Fun with LDAP Filters
Let me give you some of the examples of how you can use the Use LDAP Filter functionality in Veeam’s Explorer for Active Directory:
User-based filters
When working with users, you can filter the objects that are displayed in the Explorer main window in the following ways:
Only users synchronized to Azure AD
What if you wanted to restore only the enabled accounts that have been synchronized to Azure Active Directory? You can, as Azure AD Connect, with default settings, writes back the mS-DS-ConsistencyGuid attribute to user objects:
(&(objectCategory=person)(objectClass=user)(!(ms-DS-ConsistincyGuid=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Only user objects that have not been altered since …
Yes, sometimes an organization needs to go back in time a couple of days. How do you filter on only the user objects (both enabled and disabled) that have not been altered in the last 3 days? Here you go for all objects since September 8th:
(&(objectCategory=person)(objectClass=group)(!(whenchanged=>20200908000000.0Z)))
Only the people who have changed their passwords since …
Suffering from faulty password changes and want to filter the view on only the user objects whose passwords have been changed in the last 3 days? A little bit tricky, as you have to convert the time to an integer, but certainly possible:
(&(objectCategory=person)(objectClass=user)(pwdLastSet>=132439932010000000))
An Active Directory migration gone wrong
Suppose an Active Directory has gone wrong and you want to restore only the user objects that have the sIDHistory attribute filled? That’s relatively easy:
(&(objectCategory=person)(objectClass=user)(sIDHistory=*))
Group-based filters
For organizations that rely heavily on groups, there’s some fun to be had with filtering based on groups to filter the objects that are displayed in the Explorer main window, too:
Only recently created groups
Let’s say you only want to see groups that have been created in the past 5 months (since April 11th)… This LDAP filter would do the trick:
(&(objectCategory=person)(objectClass=group)(whencreated=>20200411000000.0Z))
Only groups with specific names
Is your Microsoft Exchange Server migrations not working out as planned? You could filter the view on groups that end with a name "-DistributionList" quite easiliy:
(&(objectCategory=person)(objectClass=group)(CN=*-DistributionList))
Only non-empty groups
Organizations tend to have empty groups to keep their RBAC upright (or for other purposes), but you might need some speed for your restores and filter on groups that actually have members. Use this LDAP filter:
(&(objectCategory=person)(objectClass=group)(member=*))
Members of a specific group
If group memberships of a group have gone awry, you can simply filter on the members of the group in the backup and only show them, whether they are users, contacts, computers, or groups:
(memberOf=cn=Group,ou=Groups,ou=Organization,dc=domain,dc=tld)
Computer-based filters
There’s filtering fun to be had with computers, too. Who would’ve guessed…
Only computers in a specific country
Are all your computer objects in one Organizational Unit (OU) in Active Directory, but you need to filter only on the Dutch hosts? If you’ve got the country code filled in, it’s not such a big deal:
(&(objectCategory=computer)(c=NL))
Only servers that are not Domain Controllers
Remember that organization that needed to pick up a server in Ghana to restore their Active Directory? Here’s an LDAP filter to then show only the servers that are not Domain Controllers in in the Explorer main window:
(&(objectCategory=computer)(operatingSystem=*server*)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
Only objects for devices running a specific OS
Under pressure to restore computer objects, after your downlevel Windows-based devices caused a ransomware attack? Use this filter to display only devices with Windows 10:
(&(objectCategory=computer)operatingSystemVersion=10.0*))
Only recently joined devices
When you messed up devices in the past three days (since September 8th) and want to filter so you only see computers that have been joined since then, use this:
(&(objectClass=computer)(whencreated=>20200908000000.0Z))
Concluding
I feel the LDAP filter functionality in Veeam’s Explorer for Active Directory is the most powerful feature I know in backup and restore solutions for Active Directory.
The post Fun with Veeam’s Active Directory Explorer’s LDAP Filter appeared first on The things that are better left unspoken.