fraunkd
asked on
Change User's GUID (objectGUID)?
We are being asked to change each user’s GUID to a company standard as part of an upcoming SAP project.
What steps are needed in order to change a user’s GUID?
And are there tools to make this task easier?
ASKER
I’ve read it both ways – can be changed, can’t be changed. I know that it should be similar to a MAC address in that it is unique inside\outside of an organization.
But I have read articles where MS reps have chimed in that it can be changed but it is heavily discouraged – and then list the steps to enable the view to see the GUID as well as the change.
So I’m wondering if it can be done in batches using a tool like Hyena or something similar.
Why the change?
Our manager was just informed by our parent company’s SAP team that the GUIDs of our users must be changed to pre-defined GUIDs. We were then asked to look into how to best accomplish this for each site. Beyond that, I know nothing.
To understand your situation, I want to repeat it to you in my own words.
You have a parent company which has mandated you change your users' GUIDs to something predefined. Your parent company has told you what the GUIDs should look like, but not how to get there (provided requirement but not methodology).
I am going to assume that arguing the change is useless. If you could convince them of the idiocy of this idea, you would not be posting this Question. Can it be done? Yes, technically. Will it break things if done? It is a statistical certainty (not 100% likely, but close enough to not matter). To really work through this, we are going to need to know what process you use which keys on the GUID (there aren't many, but they do exist, like ADAM or AD LDS).
How much information are you at liberty to disclose to us here? Hyena cannot facilitate this change. It will have to be done completely programmatically (VBScript, PowerShell, etc).
DrUltima
Where did you read that they could be changed (was that on the TechNet forums)?
Generally objectGUID doesn't change over the lifetime of an object in AD.
Thanks a lot for that Justin/Ultima :) I'm at the MVP summit and I was going to show the article to some folks here if it existed. I agree with you 100%
Thanks
Mike
ASKER
Thank you for the information and for touching base with other resources. There is a chance that something may have been lost in translation and we are in the process of requesting clarification and will post accordingly.
I have a quick question, though, regarding your last comment. You mentioned that the domain generated the first part of the GUIDs and that they should be similar. Below are the GUIDs of three domain users and I’m not seeing the commonality.
Is there another way I should parse this?
5AE1262B-C924-44EA-B514-850908F7B770
F54424CC-A24F-4C5C-9928-771A0F938089
55C04513-70EC-49EA-9F98-5806C54FD9DA
Again, thanks for everyone's comments.
Did some snooping in ADSIEdit and found that GUIDs seem to be completely randomized in my domain (about 40,000 users). However the SIDs have common "first halves", as the PFE indicated. That is most likely what he was referencing. The SIDs are hangovers from older versions of NT and AD.
It may be (and I cannot confirm) that the two are somehow related in creation, but one thing which breaks is GUID/SID agreement, when the GUID is changed (though I cannot explain technically why).
After looking, I cannot imagine, in any way, a template version of GUIDs. Are you sure your parent company is not referring to SID and not GUID?
DrUltima
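An added example (not part of the thread and not any poster's code) that checks the observations in the exchange above: the three GUIDs posted by the asker all carry version nibble 4, which marks a randomly generated RFC 4122 GUID, so they share no prefix, while SIDs from one domain share everything except the trailing relative identifier. `SAMPLE_SIDS` and `RAW_OBJECTGUID` are constructed values, and the function names are hypothetical.

```python
import os
import uuid

# The three objectGUID values quoted in the thread.
THREAD_GUIDS = [
    "5AE1262B-C924-44EA-B514-850908F7B770",
    "F54424CC-A24F-4C5C-9928-771A0F938089",
    "55C04513-70EC-49EA-9F98-5806C54FD9DA",
]

# Constructed sample SIDs (not from the thread): one domain, three accounts.
SAMPLE_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-1104",
    "S-1-5-21-1004336348-1177238915-682003330-1105",
    "S-1-5-21-1004336348-1177238915-682003330-2317",
]

# Constructed: the first thread GUID as the 16 raw bytes an LDAP query
# returns for objectGUID (the first three fields are little-endian).
RAW_OBJECTGUID = bytes.fromhex("2B26E15A24C9EA44B514850908F7B770")


def describe_guid(text):
    """Return (version, is_rfc4122_variant) for a GUID string."""
    g = uuid.UUID(text)
    return g.version, g.variant == uuid.RFC_4122


def guid_from_ad_bytes(raw):
    """Convert raw objectGUID bytes to the usual 8-4-4-4-12 string form."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def split_sid(sid):
    """Split a SID string into (domain identifier, relative identifier)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def shared_prefix(values):
    """Longest leading substring common to every value ('' if none)."""
    return os.path.commonprefix(list(values))


if __name__ == "__main__":
    for text in THREAD_GUIDS:
        print(text, describe_guid(text))
    print("shared GUID prefix:", repr(shared_prefix(THREAD_GUIDS)))
    print("SID domain parts:", {split_sid(s)[0] for s in SAMPLE_SIDS})
    print("decoded raw objectGUID:", guid_from_ad_bytes(RAW_OBJECTGUID))
```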