Inserting SIDs in Active Directory


Jeff Senter

I was wondering if there was a way to programmatically re-add a deleted
user to AD, and also his SID, if all the information was stored
somewhere else? So if I extracted all of the user and group info every
night to an LDAP server, then scrubbed the AD metadata, I could programmatically
reinsert everything but the SIDs. Is there a way to do this?
 

Eric Fleischman [MSFT]

When you create a user you can't specify a SID, I'm afraid.

The ways to "get a user" with a given SID would be:
1) Restore the user if it has been deleted, either through tombstone
reanimation (new feature in 2k03) or by performing a system state restore
and marking the object(s) in question as authoritative such that they
replicate out and override the deletion
2) You could create a new user, which will have a new SID, and make a call to
DsAddSidHistory (documented on MSDN) specifying the old SID as an entry for
sIDHistory on the user. That will let the new user have the old SID as one
of the SIDs in their token, but it still wouldn't be their primary SID. But
this would let them access resources ACL'd to the old SID.

If you don't mind me asking, what's your goal here? Perhaps I could provide
better suggestions if I had a better big-picture view of the goals in the
question.

~Eric
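As an added illustration of Eric's second option (this is not code from the thread or from Microsoft): decoding the binary objectSid that the nightly export would read from AD into text and back, plus a small model of why a SID placed in sIDHistory lets the recreated account pass an access check against a resource still ACL'd to the old SID, while its primary SID remains different. The SID values, the share ACL and the recreated account are constructed sample data.

```python
import struct

def sid_to_string(blob: bytes) -> str:
    """Decode a binary objectSid (what LDAP returns) into 'S-1-5-21-...' text.
    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian uint32s."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, for storing the exported SID as binary again."""
    parts = text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def token_sids(primary_sid: str, sid_history: list) -> list:
    """SIDs an access check sees for the account: primary SID plus sIDHistory."""
    return [primary_sid] + list(sid_history)

def has_access(primary_sid: str, sid_history: list, allowed_sids: set) -> bool:
    """True if any SID in the account's token matches an allow entry on the ACL."""
    return any(sid in allowed_sids for sid in token_sids(primary_sid, sid_history))

# Constructed sample values (not from the thread): the old objectSid as the
# export script would receive it, and the new RID the domain issued on re-creation.
OLD_SID_BLOB = bytes.fromhex("01 05 000000000005 15000000 01000000 02000000 03000000 e9030000")
OLD_SID = sid_to_string(OLD_SID_BLOB)   # S-1-5-21-1-2-3-1001
NEW_SID = "S-1-5-21-1-2-3-1105"         # recreated user, new primary SID
FILESHARE_ACL = {OLD_SID}               # resource still ACL'd to the old SID

def demo() -> dict:
    """Walk through re-creation without and with sIDHistory; returns the findings."""
    return {
        "old_sid": OLD_SID,
        "round_trip_ok": string_to_sid(OLD_SID) == OLD_SID_BLOB,
        "access_after_recreate": has_access(NEW_SID, [], FILESHARE_ACL),
        "access_with_sid_history": has_access(NEW_SID, [OLD_SID], FILESHARE_ACL),
        "primary_sid_restored": NEW_SID == OLD_SID,
    }

if __name__ == "__main__":
    print(demo())
```

The last key shows the limitation Eric describes: sIDHistory restores access, not the primary SID, which is why a restore rather than re-creation is preferred.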
 

Jeff Senter

A university I do some consulting for asked me the question. What I
think they want to do is have their LDAP server be their authoritative
server. They have written a script that loads all of the user data from
the AD schema (metadata), including the SID, to the LDAP server every
night. What I think they would like to be able to do is to delete the
AD metadata and reinsert it without having to do a system state backup.
They have figured out how to do everything but reinsert the SID. That
leaves them with the problem that the reinserted user cannot access
any of the data because the SID is incorrect. I was just wondering if
there was a solution?

Jeff
 

Eric Fleischman [MSFT]

The preferred method here is to actually restore the directory. I.e. don't
recreate; restore the objects you would like to bring back.

~Eric
 