how to manually add SID HISTORY to an AD account?

[Philip Nunn]

Another question.

Is it possible to add in a 'SID History' to an already establish AD account?
Can you use ldp.exe or adsi edit to do this, and if yes, how is it done?
Thanks again everyone!

Philip Nunn

 

[Dean Wells [MVP]]

Another question.

Is it possible to add in a 'SID History' to an already establish AD
account? Can you use ldp.exe or adsi edit to do this, and if yes, how
is it done? Thanks again everyone!

Philip Nunn

Absolutely not, the attribute is protected and as such cannot be written
to (with the exception of purging its content) unless a rather large
list of requirements have been met. The sIDHistory attribute must be
protected in this way as it provides a means of altering your effective
identity within a forest (and potentially between forests or foreign
domains). The supported means of writing to this attribute is governed
by the DsAddSidHistory API, further information regarding the afore
mentioned constraints and the API can be found at numerous locations
including -

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/using_dsaddsidhistory.asp

Out of interest (and I seem to be asking this a lot lately), why do you
want to modify it manually?

Dean

 

[Philip Nunn]

Thanks for the info...and to answer your question. I am in the process of
migrating our domain from NT 4 to a 2k domain structure and have been using
ADMT 2.0 to transfer the accounts and add in the sIDHistory attribute to the
users new AD accounts. However...I did not migrate my account but instead
created one manually so I have no sidhistory on my AD account. I have set a
ton of permissions around the domains for myself and do not want to delete
my AD account and by chance lock myself out of something. The only way i
know how to get that attribute is using the admt but I dont want to take the
chance of deleting my ad account, so thats where the question came from.

Philip Nunn

Another question.

Is it possible to add in a 'SID History' to an already establish AD
account? Can you use ldp.exe or adsi edit to do this, and if yes, how
is it done? Thanks again everyone!

Philip Nunn

Absolutely not, the attribute is protected and as such cannot be written
to (with the exception of purging its content) unless a rather large
list of requirements have been met. The sIDHistory attribute must be
protected in this way as it provides a means of altering your effective
identity within a forest (and potentially between forests or foreign
domains). The supported means of writing to this attribute is governed
by the DsAddSidHistory API, further information regarding the afore
mentioned constraints and the API can be found at numerous locations
including -

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/using_dsaddsidhistory.asp

Out of interest (and I seem to be asking this a lot lately), why do you
want to modify it manually?

Dean

--
Dean Wells [MVP / Windows platform]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

 

[Dean Wells [MVP]]

Thanks for the info...and to answer your question. I am in the
process of migrating our domain from NT 4 to a 2k domain structure
and have been using ADMT 2.0 to transfer the accounts and add in the
sIDHistory attribute to the users new AD accounts. However...I did
not migrate my account but instead created one manually so I have no
sidhistory on my AD account. I have set a ton of permissions around
the domains for myself and do not want to delete my AD account and by
chance lock myself out of something. The only way i know how to get
that attribute is using the admt but I dont want to take the chance
of deleting my ad account, so thats where the question came from.

Philip Nunn

Absolutely not, the attribute is protected and as such cannot be
written to (with the exception of purging its content) unless a
rather large list of requirements have been met. The sIDHistory
attribute must be protected in this way as it provides a means of
altering your effective identity within a forest (and potentially
between forests or foreign domains). The supported means of writing
to this attribute is governed by the DsAddSidHistory API, further
information regarding the afore mentioned constraints and the API
can be found at numerous locations including -

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/using_dsaddsidhistory.asp

Out of interest (and I seem to be asking this a lot lately), why do
you want to modify it manually?

Dean

--
Dean Wells [MVP / Windows platform]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

I'm afraid you'll need to migrate it since it is the only safe,
plausable and supported option available to you ...

 

[Aleksey Tchekmarev]

below-

Thanks for the info...and to answer your question. I am in the process of
migrating our domain from NT 4 to a 2k domain structure and have been using
ADMT 2.0 to transfer the accounts and add in the sIDHistory attribute to the
users new AD accounts. However...I did not migrate my account but instead
created one manually so I have no sidhistory on my AD account. I have set a
ton of permissions around the domains for myself and do not want to delete
my AD account and by chance lock myself out of something. The only way i
know how to get that attribute is using the admt but I dont want to take the
chance of deleting my ad account, so thats where the question came from.

well, you can easily use the SIDhist.vbs script from ClonePrincipal. It works well, I tested this many times.
This is a smooth and safe operation.

hth,
-a

 

[Philip Nunn]

What is ClonePrincipal? I have never heard about this before. Where would
one find it?

Philip Nunn

below-


well, you can easily use the SIDhist.vbs script from ClonePrincipal. It

works well, I tested this many times.

 

[Philip Nunn]

Cool! I found the tool on the Windows 2000 server cd. Thanks for the info
on this! It looks like this is exactly what i needed!

Philip Nunn

 

[Dean Wells [MVP]]

Cool! I found the tool on the Windows 2000 server cd. Thanks for
the info on this! It looks like this is exactly what i needed!

Philip Nunn

Keep in mind that ClonePrincipal results in two accounts with the same
effective identity and, as such, may compromise the security of your
domain(s). If you intend on decommissioning the source domain, no
problem but that would not appear to be the case since you mentioned
concern about losing the source account.

Just an FYI ... glad you got what you needed.

Dean

 

[Pilosite]

Hi,

Same problem as above except this :

I would like to add the SID of 2 groups in the SidHistory of another group...In the same forest.

(why would he do this ???)

I want to do this to consolidate a few security groups used for delegation :

I need to use a brand new group and add the sidhistory of 2 old groups to preserve eventual NTFS rights on ressources. I can add this old groups to the new security groups, but this isn't really clean, and hard to manage.

there'snt any way to add sidhistory in the same forest ?

My question is :

do we have any method to achieve this (Security treat of sidhistory isn't a problem here, I manage it differently), or do you have another method to respond to this problem ?

thanks

 

[gexeg]

http://gexeg.blogspot.com/2009/12/active-directory.html