Hello CheckMates community,
I’m currently reviewing the implementation steps described in sk33404 – Configuring Native AD Password Remediation on a Check Point R81.20 environment, and I would appreciate some clarification from the community or Check Point experts who may have encountered a similar scenario.
Based on TAC’s recommendations, prior to applying the configuration changes, we plan to perform:
- A full mds_backup of the MDS
- A virtual machine–level backup
As part of the procedure, the following parameter must be configured:
Microsoft_AD.Common.SupportOldSchema = 1
From TAC’s feedback and our understanding, this parameter is applied at the Microsoft_AD profile level, which is consumed by LDAP Account Unit objects. This implies that any modification to SupportOldSchema will impact all LDAP Account Units using the same Microsoft_AD profile within the same domain.
In our case, the change is required only for a specific LDAP Account Unit, and we want to avoid any unintended effect on the remaining LDAP Account Units that rely on the same Microsoft_AD profile.
We consulted the vendor regarding the possibility of cloning or duplicating the Microsoft_AD profile and associating only the required LDAP Account Unit to the new profile, in order to scope the change and minimize risk. However, we did not receive a conclusive answer.
Questions to the community:
- In R81.20, is it supported and safe to clone or create an additional Microsoft_AD profile for this purpose?
- If so, what would be the recommended or supported approach to do this without affecting existing LDAP Account Units?
- Has anyone validated the operational or security impact of enabling SupportOldSchema in environments where multiple LDAP Account Units share the same Microsoft_AD profile?
- Are there any best practices or alternative designs to limit the scope of this parameter change?
- What would exactly change when activating/deactivating the parameter "Microsoft_AD.Common.SupportOldSchema"?
Any guidance, real-world experience, or official recommendations would be highly appreciated.
Thank you in advance for your support.
Best regards,
Gerardo G.
Security Analyst