adding sIDHistory to an AD account


Guest

I have a number of Active Directory accounts that I need to add the sIDHistory attribute.

I know the SID and want to add it to the account using ADSIedit. Using the GUI I add the SID in hex and click OK. When I go to close the User properties dialog box ADSIedit presents an error with "Access is denied".

I'm running ADSIedit on a D
I'm using a Domain Admin account (tried 2 different Dom Admin accounts).

Why? How are you meant to manually add a SID to the sIDHistory attribute?
 

Joe Richards [MVP]


Guest

Thanks.

I find it strange that the GUI looks like it allows adds and removes but doesn't work. Oh well.

I'm migrating from Exchange 5.5 on NT4 to Exchange 2003 in a separate Win2003 domain. A user migrated to Win2003 needs access to some resources on NT4. Most accounts had the sIDHistory populated with ADMT2; however, some accounts (e.g. recreated after a mistaken AD delete) don't have the sIDHistory.

What tools should I use to populate the sIDHistory?
Is there a script for Win2003?
Is ClonePrincipal (the Win2000 tool) supported for 2003?
If I run ADMT2 and migrate the account to AD again (different account name), can I run ADClean to merge the accounts?

----- Joe Richards [MVP] wrote: ----

sIDHistory is a touchy thing because it can be a HUGE security hole. In order to
update SID history you have to use a script or program that someone wrote that
calls DsAddSidHistory. There are special rules around the whole operation, see

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_dsaddsidhistory.as

also

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/dsaddsidhistory.as


Basically you can't just insert whatever SID you want in.


--
Joe Richards Microsoft MVP Windows Server Directory Service
www.joeware.ne



fred wrote:
 

Joe Richards [MVP]

I won't speak to the GUIs, I don't like them. They are a programmer's
interpretation of the underlying APIs and info, not necessarily what is real.

You should have a trust for the migration so why not assign the permission to
the new user object from AD?

Otherwise assuming the users have 2K3 mailboxes I would say you want to delete
the user object from AD, remigrate the user, reconnect the mailbox to the new
user object (either via ESM or WMI Script). You may want to go tag an Exchange
group though to be sure as this is more Exchange specific than AD specific.

joe
 

Guest

Thanks for responding Joe.

> the new user object from AD

We do have a trust, but because we are part way through an Exchange migration the sIDHistory is required by AD users to access resources on NT4/Exch 5.5, such as non-replicated public folders, meeting rooms and shared mailboxes that have not been migrated, etc. An example of the issue is that a MAPI permission granted to a user prior to migration is actually SID based, and as such without the sIDHistory all those MAPI-based permissions would need to be recreated.

We have had a number of user objects with problems during the migration. For one reason or another some of the accounts are missing the sIDHistory. We really want to populate the sIDHistory, and remigrating is not a "nice" option for some accounts. It would be if we could migrate the account and use something like ADClean to merge the two accounts. But when we try this ADClean fails with "Unwilling to Perform".

Is there no script or tool to add sIDHistory to an account?
 

Joe Richards [MVP]

sIDHistory is a HUGE security hole. No tool exists that will let you jam an
arbitrary value in; you must pull it from an existing domain with the proper
credentials. Otherwise you could jam in Domain Admin SIDs for any domain you
wanted and wreak havoc with people.

You can look for sidhist.vbs which will just populate the sidhistory but it
still needs to pull from the source domain.
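The two points Joe makes, in the quoted DsAddSidHistory post above and again here (the value the GUI shows in hex is a binary SID, and anything in sIDHistory is trusted by resource ACLs as if it were the user's own SID, so a same-domain or Domain Admins SID in there is a backdoor), can be made concrete without touching a directory. The following is an added example, not code from the thread, from sidhist.vbs or from ADMT: it decodes and encodes the binary SID form ADSI Edit displays, and audits sIDHistory values from an export for the patterns a migration would never legitimately produce. The domain SIDs, DNs and entries are constructed sample data; in practice you would feed it the `objectSid`/`sIDHistory` values from an LDAP or ldifde export of the target domain. It deliberately does not write sIDHistory, since that has to go through DsAddSidHistory with source-domain credentials, exactly as Joe says.

```python
"""Decode the binary sIDHistory values ADSI Edit shows in hex, and audit them.

Added example; not from the thread, sidhist.vbs or ADMT.  All domain SIDs,
DNs and entries below are constructed sample data.
"""
import struct

# Relative IDs that are privileged in every domain (well-known RIDs).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def sid_bytes_to_string(blob: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    little-endian 32-bit sub-authorities) -> 'S-1-5-21-...' text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string: the bytes ADSI Edit would show as hex."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Return (domain part, RID), e.g. ('S-1-5-21-a-b-c', 1105)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def audit_sidhistory(entries, local_domain_sid):
    """Flag sIDHistory values that no cross-domain migration would produce:
    a SID from the local domain itself, a BUILTIN SID, or a privileged RID.
    Returns a list of (dn, sid, reason) tuples."""
    findings = []
    for entry in entries:
        for hist in entry.get("sIDHistory", []):
            dom, rid = split_sid(hist)
            if dom == local_domain_sid:          # history should come from another domain
                findings.append((entry["dn"], hist, "same-domain"))
            if dom == "S-1-5-32":                 # BUILTIN\... is never a migrated identity
                findings.append((entry["dn"], hist, "builtin"))
            if rid in PRIVILEGED_RIDS:            # admin in the source domain, review it
                findings.append((entry["dn"], hist, "privileged-rid:" + PRIVILEGED_RIDS[rid]))
    return findings


# Constructed sample data (hypothetical SIDs and DNs, not from a real forest).
LOCAL_DOMAIN = "S-1-5-21-1000-2000-3000"   # the Win2003 target domain
NT4_DOMAIN = "S-1-5-21-111-222-333"        # the NT4 source domain
SAMPLE_ENTRIES = [
    {"dn": "CN=fred,OU=Users,DC=corp,DC=example",
     "objectSid": LOCAL_DOMAIN + "-1105",
     "sIDHistory": [NT4_DOMAIN + "-1105"]},     # what ADMT/sidhist.vbs would produce
    {"dn": "CN=mallory,OU=Users,DC=corp,DC=example",
     "objectSid": LOCAL_DOMAIN + "-1106",
     "sIDHistory": [LOCAL_DOMAIN + "-512"]},    # the "jam in Domain Admin SIDs" case
]

if __name__ == "__main__":
    hexform = "01050000000000051500000001000000020000000300000051040000"
    print(sid_bytes_to_string(bytes.fromhex(hexform)))
    for dn, sid, reason in audit_sidhistory(SAMPLE_ENTRIES, LOCAL_DOMAIN):
        print(dn, sid, reason)
```

Running it decodes the hex string to `S-1-5-21-1-2-3-1105` and reports only `mallory`, twice: once because the history SID belongs to the local domain, and once because its RID is 512. Fred's entry, with a SID from the old NT4 domain, is exactly the shape a legitimate ADMT or sidhist.vbs migration leaves and produces no finding.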
 

Guest

Thanks Joe.

Just found sidhist.vbs and it works great. This is the tool I have been looking/asking for.

Cheers,
Fred
 
