Solved

Change User's GUID (objectGUID)?

Posted on 2011-02-28
8
4,799 Views
Last Modified: 2012-08-14
We are being asked to change each user’s GUID to a company standard as part of an upcoming SAP project.

What steps are needed in order to change a user’s GUID?
And are there tools to make this task easier?
0
Comment
Question by:fraunkd
  • 4
  • 2
  • 2
8 Comments
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
GUIDs never change.  They are unique and unchangeable.  Additionally, they are mostly invisible.  Why are you being asked to change the GUID of your users?

DrUltima
0
 

Author Comment

by:fraunkd
Comment Utility
I’ve read it both ways – can be changed, can’t be changed.  I know that it should be similar to a MAC address in that it is unique inside\outside of an organization.

But I have read articles were MS reps have chimed in that it can be changed but it is heavily discouraged – and then lists the steps to enable to the view to see the GUID as well as the change.

So I’m wondering if it can be done in batches using a tool like Hyena or something similar.

Why the change?

Our manager was just informed by our parent company’s SAP team that the GUID’s of our users must be changed to pre-defined GUIDs.  We were then asked to look into how to best accomplish this for each site.  Beyond that, I know nothing.
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
To understand your situation, I want to repeat it to you in my own words.

You have a parent company which has mandated you change your users' GUIDs to something predefined.  Your parent company has told you what the GUIDs should look like, but not how to get there (provided requirement but not methodology).

I am going to assume that arguing the change is useless.  If you could convince them of the idiocy of this idea, you would not be posting this Question.  Can it be done?  Yes, technically.  Will it break things if done?  It is a statistical certainty (not 100% likely, but close enough to not matter).  To really work through this, we are going to need to know what process you use which key on the GUID (there aren't many, but they do exist, like ADAM or AD LDS).

How much information are you at liberty to disclose to us here?  Hyena cannot facilitate this change.  It will have to be done completely programatically (VBScript, PowerShell, etc).

DrUltima
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
where did you read that they could be changed (was that on the technet forums)

Generally objectGUID doesn't change over the lifetime of an object in AD.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 31

Accepted Solution

by:
DrUltima earned 500 total points
Comment Utility
OK... At my work, we have an onsite MS Platforms specialist (a Microsoft employee we pay MS to be here).  I approached him with the "Can a GUID be changed?"  His immediate answer was "No.  And why would anyone want to?"

I asked him to think and reconsider and see if it was technically possible if you put aside any and all complications it can cause.  The answer was, "Well, yes.  If you have an LDAP editor, it can be changed, but it will break everything."

I asked about the repercussions of such a change.  Basically, it will break everything in AD for that user.  Group membership will break.  OU membership will break.  Exchange access will break.  Any AD aware logins (such as SQL) will break.

He again asked why the change... I explained the notion that your parent company wants to change the GUID to match their structure.  After weeding through the colorful descriptors of how bad an idea this is, I came back with this.  This GUID is partially random.  The first part of the GUID is generated by the domain, so all domain members have similar GUIDs.  What your parent company is wanting you to do is change your users' GUIDs to match their domain rather than yours.  

The PROPER way to get this done is to migrate the users from your domain into theirs.  This will create a new GUID for the users which match their domain's "template".  There is no way to do a mass change as you are wanting without breaking all kinds of things and basically rendering your AD inoperable.

DrUltima
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Thanks a lot for that Justin/Ultima :)   I'm at the MVP summit and I was going to show the article to some folks here if it existed.   I agree with you 100%

Thanks

Mike
0
 

Author Comment

by:fraunkd
Comment Utility
Thank you for the information and for touching base with other resources.  There is a chance that something may have been lost in translation and we are in the process of requesting clarification and will post accordingly.

I have a quick question, though, regarding your last comment.  You mentioned that the domain generated the first part of the GUIDs and that they should be similar.  Below are the GUIDs of three domain users and I’m not seeing the commonality.  

Is there another way I should parse this?

5AE1262B-C924-44EA-B514-850908F7B770
F54424CC-A24F-4C5C-9928-771A0F938089
55C04513-70EC-49EA-9F98-5806C54FD9DA

Again, thanks for everyones comments.
0
 
LVL 31

Expert Comment

by:DrUltima
Comment Utility
Did some snooping in ADSIEdit and found that GUIDs seem to be completely randomized in my domain (about 40,000 users).  However the SIDs have common "first halves", as the PFE indicated.  That is most likely what he was referencing.  The SIDs are hangovers from older versions of NT and AD.  

It may be (and I cannot confirm) that the two are somehow related in creation, but one thing which breaks is GUID/SID agreement, when the GUID is changed (though I cannot explain technically why).

After looking, I cannot imagine, in any way, a template version of GUIDs.  Are you sure your parent company is not referring to SID and not GUID?

DrUltima
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Online collaboration can help businesses be more efficient, help employees grow their skills and foster a team environment.
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now