Modify Schema Container Settings

By default, when a user or computer account is deleted from Active Directory, its password and domain membership are discarded. When you restore deleted accounts with the Netwrix Auditor Object Restore for Active Directory tool, it rolls back the domain membership and sets random passwords, which then have to be changed manually. If you want to restore AD objects with their passwords preserved, you must modify the Schema container settings so that account passwords are retained when accounts are deleted.

To modify schema container settings

NOTE: To perform this procedure, you will need the ADSI Edit utility. In Windows Server 2008 and above, this component is installed together with the AD DS role, or it can be downloaded and installed along with Remote Server Administration Tools. Refer to Install ADSI Edit for detailed instructions on how to install the ADSI Edit utility.

  1. Navigate to Start → Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) → ADSI Edit.

  2. Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialog, enable Select a well-known Naming Context and select Schema from the drop-down list.
  3. Expand the Schema your_Root_Domain_name node. Right-click the CN=Unicode-Pwd attribute and select Properties.

  4. Double-click the searchFlags attribute and set its value to "8".

Now you will be able to restore deleted accounts with their passwords preserved.
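
The same check and change can be scripted in PowerShell. The script below is an added example, not part of the Netwrix documentation. It assumes the ActiveDirectory RSAT module and an account that is a member of Schema Admins, and its variable names are illustrative. It stops without writing if searchFlags already holds other flag bits, because writing "8" would overwrite them.

```powershell
#Requires -Modules ActiveDirectory
# Added example: scripted equivalent of steps 1-4 above.
# Assumption: run by a member of Schema Admins. Use -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param()

$PreserveOnDelete = 8   # searchFlags value from step 4 (keep attribute on deletion)

# Schema changes are written on the schema master, so read and write there.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrDN       = "CN=Unicode-Pwd,$schemaNC"

# Read the current value first so it can be recorded and, if needed, restored.
$attr    = Get-ADObject -Identity $attrDN -Server $schemaMaster -Properties searchFlags
$current = [int]$attr.searchFlags   # an unset attribute ($null) becomes 0

if ($current -band $PreserveOnDelete) {
    Write-Output "searchFlags is $current on $attrDN; bit 8 is already set, nothing to change."
}
elseif ($current -ne 0) {
    # Other flag bits are present; replacing the value with 8 would clear them.
    Write-Warning "searchFlags is $current on $attrDN. Review the existing flags before changing this value."
}
elseif ($PSCmdlet.ShouldProcess($attrDN, "Set searchFlags to $PreserveOnDelete")) {
    Set-ADObject -Identity $attrDN -Server $schemaMaster -Replace @{ searchFlags = $PreserveOnDelete }

    # Read the attribute back to confirm the write.
    $new = (Get-ADObject -Identity $attrDN -Server $schemaMaster -Properties searchFlags).searchFlags
    Write-Output "searchFlags changed from $current to $new on $schemaMaster."
}
```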