Copy user SID PoSH

Hi

Environment:
Forest 1: Windows 2008 R2
Forest 2: Windows 2008 R2 (with 2008/2012 DC's)

Post a fumbled admt migration of a user, there is a requirement (outside of running admt again) of copying a user's source SID to the target SIDhistory (this attribute only to be cloned).

Other than using sidhist.vbs, is there another way to grab the source SID and copy it via PowerShell/Quest/admod etc.?

Preferably I would like a lightweight footprint on source/target domains and not have to install/register anything on the DC's.

Cheers
Bry
bryan oakley-wiggins, Senior Cloud Engineer, asked:
gheist commented:
PowerShell is one of the AD APIs available. You can try LDAP instead, but then again - why not sidhist.vbs?
George Simos, IT Pro Consultant - IT Systems Administrator, commented:
There is a conversion of SIDHist.vbs to a PowerShell function in the TechNet Script Gallery here: https://gallery.technet.microsoft.com/scriptcenter/9b338347-c012-418b-84f6-efc5a148429b. Please check the prerequisites stated first before proceeding; from what I saw there are no special PowerShell libraries to use, but you have to register clonepr.dll (see the comments there).
gheist commented:
The complete package with clonepr is "Active Directory Management Support Tools".
bryan oakley-wiggins, Senior Cloud Engineer (Author), commented:
Hi

Thanks for the comments, much appreciated. This question may actually evolve into a new question.

I have tried sidhist.vbs (have used this method many times before) and also a PoSH copy (using Quest tools) - I also tried a hex copy via ADSIEDIT (I can update other attributes, just not sIDHistory) and it is always the target Domain Controller(s) [I have targeted multiple DCs on different VLANs].

All failed at the target with the following error:

Operation Failed. Error code: 0x5
00000005: SecErr: DSID-031A1256, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

I have set up both source and target conditions to match what is required (regsvr32 clonepr.dll, reg dword, SID filtering/quarantining is allowed etc.) and I have tried running via a domain admin and an enterprise admin account.

I am struggling to find whether any restriction (other than default) has been applied that disables the ability to change/update sIDHistory.

Any ideas?

Thx
Bry
gheist commented:
Check if you have AD object permissions... As domain admin you should be able to regain access.
bryan oakley-wiggins, Senior Cloud Engineer (Author), commented:
Hi Gheist

Thx - I had checked under the account I am using (member of Domain Admins) and I have Full Control with permissions (including RW ObjectSid). I remember back in the old 2003 days that I had to extend the right to 'Migrate-SID-History' - is this still applicable in 2008 R2+?

There was an ADMT migration of this user (which failed to bring over the SID from the source domain).
I can update other attributes on this object with no problem.

Do you know if I have to explicitly extend the sIDHistory right?

Thx
Bry
bryan oakley-wiggins, Senior Cloud Engineer (Author), commented:
And also - Domain Admins owns the user object.

Thx
Bry
bryan oakley-wiggins, Senior Cloud Engineer (Author), commented:
Update:

In the end, I re-installed ADMT and ran a merge of the migrated object from source - sIDHistory was updated. Nothing had changed on the environment, and if attempted via sidhist.vbs and/or PoSH I still get insufficient access errors (even though using the exact same credentials).

I guess, one of those mysteries.

Would an even points distribution be OK, as technically the original question was answered?

Cheers
Bry

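An added example, not code from the thread or from sidhist.vbs: after the ADMT merge described above, this PowerShell function (ActiveDirectory module) reads the account's objectSid from the source forest and checks whether it appears in the target account's sIDHistory, so the outcome of the migration can be verified rather than assumed. The DC names, the sAMAccountName and the credential handling are assumptions for illustration.

```powershell
# Added example: verify that a migrated user's sIDHistory in the target forest
# contains the objectSid of the matching account in the source forest.
# Assumed names (not from the thread): srcdc01.source.example, tgtdc01.target.example, jdoe.
Import-Module ActiveDirectory

function Test-SidHistoryMigrated {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SourceServer,
        [Parameter(Mandatory)][string]$TargetServer,
        [pscredential]$SourceCredential,   # optional, if the source forest needs other creds
        [pscredential]$TargetCredential    # optional, if the target forest needs other creds
    )

    # Source account: the SID property is a System.Security.Principal.SecurityIdentifier.
    $srcParams = @{ Identity = $SamAccountName; Server = $SourceServer }
    if ($SourceCredential) { $srcParams.Credential = $SourceCredential }
    $sourceSid = (Get-ADUser @srcParams).SID

    # Target account: sIDHistory is not returned by default, so request it explicitly.
    $tgtParams = @{ Identity = $SamAccountName; Server = $TargetServer; Properties = 'sIDHistory' }
    if ($TargetCredential) { $tgtParams.Credential = $TargetCredential }
    $target = Get-ADUser @tgtParams

    # Compare by the canonical S-1-5-... string form to avoid byte-order surprises.
    $history = @($target.sIDHistory | ForEach-Object { $_.Value })
    $present = $history -contains $sourceSid.Value

    [pscustomobject]@{
        SamAccountName     = $SamAccountName
        SourceSid          = $sourceSid.Value
        TargetSidHistory   = ($history -join ';')
        SourceSidInHistory = $present
    }
}

# Example invocation with the assumed names above.
$result = Test-SidHistoryMigrated -SamAccountName 'jdoe' `
    -SourceServer 'srcdc01.source.example' -TargetServer 'tgtdc01.target.example'
$result | Format-List
if (-not $result.SourceSidInHistory) {
    Write-Warning "sIDHistory on the target does not contain the source SID; the copy did not land."
}
```

Because sIDHistory also grants access to resources still ACLed with the old SID, the same check is worth running across all migrated accounts so that unexpected or stale entries are noticed and cleaned up once the migration is complete.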
George Simos, IT Pro Consultant - IT Systems Administrator, commented:
Yes, it is OK by me.
bryan oakley-wiggins, Senior Cloud Engineer (Author), commented:
Reason for grading my own comment:

ADMT was the process that worked.

Thx