Solved

Change User's GUID (objectGUID)?

Posted on 2011-02-28
5,703 Views
Last Modified: 2012-08-14
We are being asked to change each user’s GUID to a company standard as part of an upcoming SAP project.

What steps are needed in order to change a user’s GUID?
And are there tools to make this task easier?
Question by:fraunkd
8 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35002275
GUIDs never change.  They are unique and unchangeable.  Additionally, they are mostly invisible.  Why are you being asked to change the GUID of your users?

DrUltima
0
 

Author Comment

by:fraunkd
ID: 35002368
I’ve read it both ways – can be changed, can’t be changed.  I know that it should be similar to a MAC address in that it is unique inside/outside of an organization.

But I have read articles where MS reps have chimed in that it can be changed but it is heavily discouraged – and then lists the steps to enable the view to see the GUID as well as the change.

So I’m wondering if it can be done in batches using a tool like Hyena or something similar.

Why the change?

Our manager was just informed by our parent company’s SAP team that the GUIDs of our users must be changed to pre-defined GUIDs.  We were then asked to look into how to best accomplish this for each site.  Beyond that, I know nothing.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35002594
To understand your situation, I want to repeat it to you in my own words.

You have a parent company which has mandated you change your users' GUIDs to something predefined.  Your parent company has told you what the GUIDs should look like, but not how to get there (provided requirement but not methodology).

I am going to assume that arguing the change is useless.  If you could convince them of the idiocy of this idea, you would not be posting this Question.  Can it be done?  Yes, technically.  Will it break things if done?  It is a statistical certainty (not 100% likely, but close enough to not matter).  To really work through this, we are going to need to know what processes you use which key on the GUID (there aren't many, but they do exist, like ADAM or AD LDS).

How much information are you at liberty to disclose to us here?  Hyena cannot facilitate this change.  It will have to be done completely programmatically (VBScript, PowerShell, etc).

DrUltima
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35003004
Where did you read that they could be changed (was that on the TechNet forums)?

Generally objectGUID doesn't change over the lifetime of an object in AD.
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35008231
OK... At my work, we have an onsite MS Platforms specialist (a Microsoft employee we pay MS to be here).  I approached him with the "Can a GUID be changed?"  His immediate answer was "No.  And why would anyone want to?"

I asked him to think and reconsider and see if it was technically possible if you put aside any and all complications it can cause.  The answer was, "Well, yes.  If you have an LDAP editor, it can be changed, but it will break everything."

I asked about the repercussions of such a change.  Basically, it will break everything in AD for that user.  Group membership will break.  OU membership will break.  Exchange access will break.  Any AD aware logins (such as SQL) will break.

He again asked why the change... I explained the notion that your parent company wants to change the GUID to match their structure.  After weeding through the colorful descriptors of how bad an idea this is, I came back with this.  This GUID is partially random.  The first part of the GUID is generated by the domain, so all domain members have similar GUIDs.  What your parent company is wanting you to do is change your users' GUIDs to match their domain rather than yours.  

The PROPER way to get this done is to migrate the users from your domain into theirs.  This will create a new GUID for the users which match their domain's "template".  There is no way to do a mass change as you are wanting without breaking all kinds of things and basically rendering your AD inoperable.

DrUltima
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35008678
Thanks a lot for that Justin/Ultima :)   I'm at the MVP summit and I was going to show the article to some folks here if it existed.   I agree with you 100%

Thanks

Mike
0
 

Author Comment

by:fraunkd
ID: 35009014
Thank you for the information and for touching base with other resources.  There is a chance that something may have been lost in translation and we are in the process of requesting clarification and will post accordingly.

I have a quick question, though, regarding your last comment.  You mentioned that the domain generated the first part of the GUIDs and that they should be similar.  Below are the GUIDs of three domain users and I’m not seeing the commonality.  

Is there another way I should parse this?

5AE1262B-C924-44EA-B514-850908F7B770
F54424CC-A24F-4C5C-9928-771A0F938089
55C04513-70EC-49EA-9F98-5806C54FD9DA

Again, thanks for everyone's comments.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35009199
Did some snooping in ADSIEdit and found that GUIDs seem to be completely randomized in my domain (about 40,000 users).  However the SIDs have common "first halves", as the PFE indicated.  That is most likely what he was referencing.  The SIDs are hangovers from older versions of NT and AD.  

It may be (and I cannot confirm) that the two are somehow related in creation, but one thing which breaks is GUID/SID agreement, when the GUID is changed (though I cannot explain technically why).

After looking, I cannot imagine, in any way, a template version of GUIDs.  Are you sure your parent company is not referring to SID and not GUID?

DrUltima
0
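The asker's three GUIDs and the "common first halves" point about SIDs in the comment above can both be checked mechanically. The following is an added example and is not code from the thread or from any of the participants. It parses the three objectGUID values posted in the question and reports their RFC 4122 version and variant (version 4 means the remaining bits are random, so there is nothing domain-specific to match), and it decodes the binary objectSid layout AD stores (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) to show that all accounts in one domain share everything up to the final RID. The SID values are constructed sample data in the S-1-5-21-<domain>-<RID> shape, not from any real domain; the function names are this example's own.

```python
"""Parse the GUID and SID formats discussed in the thread.

Added example, not from the original thread.  The three GUIDs are the ones
the asker posted.  The SIDs are constructed sample values in the
S-1-5-21-<domain>-<RID> shape and do not belong to any real domain.
"""
import struct
import uuid

# objectGUID values as posted by the asker.
POSTED_GUIDS = [
    "5AE1262B-C924-44EA-B514-850908F7B770",
    "F54424CC-A24F-4C5C-9928-771A0F938089",
    "55C04513-70EC-49EA-9F98-5806C54FD9DA",
]

# Constructed sample objectSid values (string form): same domain, three RIDs.
SAMPLE_SIDS = [
    "S-1-5-21-1004336348-1177238915-682003330-1105",
    "S-1-5-21-1004336348-1177238915-682003330-1106",
    "S-1-5-21-1004336348-1177238915-682003330-1210",
]


def describe_guid(text: str) -> dict:
    """Return the RFC 4122 version and variant of a GUID string.

    Version 4 with the RFC 4122 variant means the other 122 bits are random:
    the third group starts with '4' and the fourth group starts with 8-B.
    """
    u = uuid.UUID(text)
    return {"version": u.version, "variant": u.variant}


def all_random_v4(guids) -> bool:
    """True when every GUID is a random (version 4, RFC 4122) UUID."""
    return all(
        describe_guid(g) == {"version": 4, "variant": uuid.RFC_4122}
        for g in guids
    )


def sid_from_bytes(raw: bytes) -> str:
    """Decode the binary objectSid layout into S-R-A-... text.

    Byte 0 is the revision, byte 1 the sub-authority count, bytes 2..7 the
    identifier authority (big-endian), then count * 4 bytes of little-endian
    sub-authorities.
    """
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(text: str) -> bytes:
    """Inverse of sid_from_bytes, so the two can be round-trip checked."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(text: str) -> str:
    """Strip the final sub-authority (the RID); what remains is the domain SID."""
    return text.rsplit("-", 1)[0]


def shared_domain(sids) -> bool:
    """True when every SID carries the same domain prefix."""
    return len({domain_sid(s) for s in sids}) == 1


if __name__ == "__main__":
    for g in POSTED_GUIDS:
        print(g, describe_guid(g))
    print("all posted GUIDs are random v4:", all_random_v4(POSTED_GUIDS))
    for s in SAMPLE_SIDS:
        print(s, "-> domain", domain_sid(s), "round-trip ok:",
              sid_from_bytes(sid_to_bytes(s)) == s)
    print("all sample SIDs share one domain:", shared_domain(SAMPLE_SIDS))
```

Run against the three GUIDs from the question, each reports version 4 and the RFC 4122 variant, which is why no "domain template" is visible in them; the SID decoder shows where the shared prefix actually lives. To apply the same check against a live directory, the values would come from the objectGUID and objectSid attributes (for example via Get-ADUser with those properties), which is outside what this offline example does.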
