Solved

Change User's GUID (objectGUID)?

Posted on 2011-02-28
8
5,539 Views
Last Modified: 2012-08-14
We are being asked to change each user’s GUID to a company standard as part of an upcoming SAP project.

What steps are needed in order to change a user’s GUID?
And are there tools to make this task easier?
0
Comment
Question by:fraunkd
  • 4
  • 2
  • 2
8 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35002275
GUIDs never change.  They are unique and unchangeable.  Additionally, they are mostly invisible.  Why are you being asked to change the GUID of your users?

DrUltima
0
 

Author Comment

by:fraunkd
ID: 35002368
I’ve read it both ways – can be changed, can’t be changed.  I know that it should be similar to a MAC address in that it is unique inside\outside of an organization.

But I have read articles were MS reps have chimed in that it can be changed but it is heavily discouraged – and then lists the steps to enable to the view to see the GUID as well as the change.

So I’m wondering if it can be done in batches using a tool like Hyena or something similar.

Why the change?

Our manager was just informed by our parent company’s SAP team that the GUID’s of our users must be changed to pre-defined GUIDs.  We were then asked to look into how to best accomplish this for each site.  Beyond that, I know nothing.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35002594
To understand your situation, I want to repeat it to you in my own words.

You have a parent company which has mandated you change your users' GUIDs to something predefined.  Your parent company has told you what the GUIDs should look like, but not how to get there (provided requirement but not methodology).

I am going to assume that arguing the change is useless.  If you could convince them of the idiocy of this idea, you would not be posting this Question.  Can it be done?  Yes, technically.  Will it break things if done?  It is a statistical certainty (not 100% likely, but close enough to not matter).  To really work through this, we are going to need to know what process you use which key on the GUID (there aren't many, but they do exist, like ADAM or AD LDS).

How much information are you at liberty to disclose to us here?  Hyena cannot facilitate this change.  It will have to be done completely programatically (VBScript, PowerShell, etc).

DrUltima
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 57

Expert Comment

by:Mike Kline
ID: 35003004
where did you read that they could be changed (was that on the technet forums)

Generally objectGUID doesn't change over the lifetime of an object in AD.
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35008231
OK... At my work, we have an onsite MS Platforms specialist (a Microsoft employee we pay MS to be here).  I approached him with the "Can a GUID be changed?"  His immediate answer was "No.  And why would anyone want to?"

I asked him to think and reconsider and see if it was technically possible if you put aside any and all complications it can cause.  The answer was, "Well, yes.  If you have an LDAP editor, it can be changed, but it will break everything."

I asked about the repercussions of such a change.  Basically, it will break everything in AD for that user.  Group membership will break.  OU membership will break.  Exchange access will break.  Any AD aware logins (such as SQL) will break.

He again asked why the change... I explained the notion that your parent company wants to change the GUID to match their structure.  After weeding through the colorful descriptors of how bad an idea this is, I came back with this.  This GUID is partially random.  The first part of the GUID is generated by the domain, so all domain members have similar GUIDs.  What your parent company is wanting you to do is change your users' GUIDs to match their domain rather than yours.  

The PROPER way to get this done is to migrate the users from your domain into theirs.  This will create a new GUID for the users which match their domain's "template".  There is no way to do a mass change as you are wanting without breaking all kinds of things and basically rendering your AD inoperable.

DrUltima
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35008678
Thanks a lot for that Justin/Ultima :)   I'm at the MVP summit and I was going to show the article to some folks here if it existed.   I agree with you 100%

Thanks

Mike
0
 

Author Comment

by:fraunkd
ID: 35009014
Thank you for the information and for touching base with other resources.  There is a chance that something may have been lost in translation and we are in the process of requesting clarification and will post accordingly.

I have a quick question, though, regarding your last comment.  You mentioned that the domain generated the first part of the GUIDs and that they should be similar.  Below are the GUIDs of three domain users and I’m not seeing the commonality.  

Is there another way I should parse this?

5AE1262B-C924-44EA-B514-850908F7B770
F54424CC-A24F-4C5C-9928-771A0F938089
55C04513-70EC-49EA-9F98-5806C54FD9DA

Again, thanks for everyones comments.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35009199
Did some snooping in ADSIEdit and found that GUIDs seem to be completely randomized in my domain (about 40,000 users).  However the SIDs have common "first halves", as the PFE indicated.  That is most likely what he was referencing.  The SIDs are hangovers from older versions of NT and AD.  

It may be (and I cannot confirm) that the two are somehow related in creation, but one thing which breaks is GUID/SID agreement, when the GUID is changed (though I cannot explain technically why).

After looking, I cannot imagine, in any way, a template version of GUIDs.  Are you sure your parent company is not referring to SID and not GUID?

DrUltima
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why pager replacement is still an issue OnPage has what some might call a “hate/hate” relationship with pagers. Not much room for love. As we see it, pagers are an antiquated bit of technology. Pagers are dinosaurs which, like most dinosaurs, sho…
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question