Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7430
  • Last Modified:

Change User's GUID (objectGUID)?

We are being asked to change each user’s GUID to a company standard as part of an upcoming SAP project.

What steps are needed in order to change a user’s GUID?
And are there tools to make this task easier?
0
fraunkd
Asked:
fraunkd
  • 4
  • 2
  • 2
1 Solution
 
Justin OwensITIL Problem ManagerCommented:
GUIDs never change.  They are unique and unchangeable.  Additionally, they are mostly invisible.  Why are you being asked to change the GUID of your users?

DrUltima
0
 
fraunkdAuthor Commented:
I’ve read it both ways – can be changed, can’t be changed.  I know that it should be similar to a MAC address in that it is unique inside\outside of an organization.

But I have read articles were MS reps have chimed in that it can be changed but it is heavily discouraged – and then lists the steps to enable to the view to see the GUID as well as the change.

So I’m wondering if it can be done in batches using a tool like Hyena or something similar.

Why the change?

Our manager was just informed by our parent company’s SAP team that the GUID’s of our users must be changed to pre-defined GUIDs.  We were then asked to look into how to best accomplish this for each site.  Beyond that, I know nothing.
0
 
Justin OwensITIL Problem ManagerCommented:
To understand your situation, I want to repeat it to you in my own words.

You have a parent company which has mandated you change your users' GUIDs to something predefined.  Your parent company has told you what the GUIDs should look like, but not how to get there (provided requirement but not methodology).

I am going to assume that arguing the change is useless.  If you could convince them of the idiocy of this idea, you would not be posting this Question.  Can it be done?  Yes, technically.  Will it break things if done?  It is a statistical certainty (not 100% likely, but close enough to not matter).  To really work through this, we are going to need to know what process you use which key on the GUID (there aren't many, but they do exist, like ADAM or AD LDS).

How much information are you at liberty to disclose to us here?  Hyena cannot facilitate this change.  It will have to be done completely programatically (VBScript, PowerShell, etc).

DrUltima
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Mike KlineCommented:
where did you read that they could be changed (was that on the technet forums)

Generally objectGUID doesn't change over the lifetime of an object in AD.
0
 
Justin OwensITIL Problem ManagerCommented:
OK... At my work, we have an onsite MS Platforms specialist (a Microsoft employee we pay MS to be here).  I approached him with the "Can a GUID be changed?"  His immediate answer was "No.  And why would anyone want to?"

I asked him to think and reconsider and see if it was technically possible if you put aside any and all complications it can cause.  The answer was, "Well, yes.  If you have an LDAP editor, it can be changed, but it will break everything."

I asked about the repercussions of such a change.  Basically, it will break everything in AD for that user.  Group membership will break.  OU membership will break.  Exchange access will break.  Any AD aware logins (such as SQL) will break.

He again asked why the change... I explained the notion that your parent company wants to change the GUID to match their structure.  After weeding through the colorful descriptors of how bad an idea this is, I came back with this.  This GUID is partially random.  The first part of the GUID is generated by the domain, so all domain members have similar GUIDs.  What your parent company is wanting you to do is change your users' GUIDs to match their domain rather than yours.  

The PROPER way to get this done is to migrate the users from your domain into theirs.  This will create a new GUID for the users which match their domain's "template".  There is no way to do a mass change as you are wanting without breaking all kinds of things and basically rendering your AD inoperable.

DrUltima
0
 
Mike KlineCommented:
Thanks a lot for that Justin/Ultima :)   I'm at the MVP summit and I was going to show the article to some folks here if it existed.   I agree with you 100%

Thanks

Mike
0
 
fraunkdAuthor Commented:
Thank you for the information and for touching base with other resources.  There is a chance that something may have been lost in translation and we are in the process of requesting clarification and will post accordingly.

I have a quick question, though, regarding your last comment.  You mentioned that the domain generated the first part of the GUIDs and that they should be similar.  Below are the GUIDs of three domain users and I’m not seeing the commonality.  

Is there another way I should parse this?

5AE1262B-C924-44EA-B514-850908F7B770
F54424CC-A24F-4C5C-9928-771A0F938089
55C04513-70EC-49EA-9F98-5806C54FD9DA

Again, thanks for everyones comments.
0
 
Justin OwensITIL Problem ManagerCommented:
Did some snooping in ADSIEdit and found that GUIDs seem to be completely randomized in my domain (about 40,000 users).  However the SIDs have common "first halves", as the PFE indicated.  That is most likely what he was referencing.  The SIDs are hangovers from older versions of NT and AD.  

It may be (and I cannot confirm) that the two are somehow related in creation, but one thing which breaks is GUID/SID agreement, when the GUID is changed (though I cannot explain technically why).

After looking, I cannot imagine, in any way, a template version of GUIDs.  Are you sure your parent company is not referring to SID and not GUID?

DrUltima
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now