PowerShell: sidHistory

Hello experts,

Is there a way to save the sidHistory attribute values prior to removing it for a user/group and restore these if there is an issue with a script?

Looking forward to your assistance.

Thanks.
Asked: Parity123

oBdA commented:
No. You can save the old values, but it won't do you any good, because the sidHistory attribute is controlled by the system and can only be set during a migration. You are obviously allowed to remove it once the migration is complete, but you can not write arbitrary values to it. You'd have to migrate the users again.

SID-History attribute
https://msdn.microsoft.com/en-us/library/ms679833(v=vs.85).aspx
* Update Privilege: This value is set by the system.
* Update Frequency: Each time the object is moved to a new domain.

Pber (Solutions Architect) commented:
It looks like you may be able to do this: https://alwinperotti.wordpress.com/2013/03/29/update-the-sidhistory-attribute-for-existing-accounts-with-powershell/ Provided the trust is still there. Never tried it.

I think you are looking for a backout plan. As oBdA mentioned, you can save it so you can cross-reference the old SID in case there were some old SIDs that didn't get migrated.

Probably the best idea would be to remove the trust for a period of time and see what breaks. If issues arise, you can re-establish the trust quickly to get going again. Or fix the security using the new SIDs. If you can run with the trust removed for an extended period of time, you can be confident with removing the sIDHistory.

Pber (Solutions Architect) commented:
I think this deserves a split.
Question has a verified solution.
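
The save-for-cross-reference step discussed in the thread, as an added PowerShell example that is not from the original posts. It assumes the ActiveDirectory RSAT module is available; the CSV path and the `Find-OldSid` helper name are hypothetical. In line with oBdA's answer, the file is a lookup record, not something to write back to the attribute.

```powershell
# Added example: record every sIDHistory value before cleanup.
# Assumption: ActiveDirectory module (RSAT) is installed and the caller can read the directory.
Import-Module ActiveDirectory

$backupPath = '.\sidHistory-backup.csv'   # hypothetical output file

# Every object that still carries at least one sIDHistory value (users, groups, computers).
$objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectSid, sAMAccountName

# One row per historical SID, paired with the object's current SID.
$rows = foreach ($obj in $objects) {
    foreach ($oldSid in $obj.sIDHistory) {
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            SamAccountName    = $obj.sAMAccountName
            ObjectClass       = $obj.ObjectClass
            CurrentSid        = $obj.objectSid.Value
            OldSid            = $oldSid.Value
        }
    }
}

$rows | Export-Csv -Path $backupPath -NoTypeInformation -Encoding UTF8
'{0} sIDHistory values from {1} objects written to {2}' -f `
    @($rows).Count, @($objects).Count, $backupPath

# Hypothetical helper: after cleanup, map an unresolved SID found on an ACL
# back to the migrated account so the ACL can be fixed with the new SID.
function Find-OldSid {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [string] $Path = $backupPath
    )
    Import-Csv -Path $Path | Where-Object { $_.OldSid -eq $Sid }
}
```

Store the CSV with the migration records; `Find-OldSid -Sid <unresolved SID>` then returns the account and its current SID.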