Active Directory Migration – How to remove sidHistory after migration – Part 2

As mentioned in my previous blog post on SID history, SID history can be both a burden and a blessing. Microsoft's recommendation is to clean up sidHistory from your accounts once the migration is finished and all your Windows network resources have been re-ACLed (permissions granted to source domain SIDs have been replaced by permissions granted to target domain SIDs). Until then, every account keeps all the access its old SID had, which is exactly why the attribute should not linger longer than necessary.

sidHistory is a system-protected attribute: unlike most other attribute values in Active Directory it cannot simply be edited in ADSIEDIT or ADUC, and new values can only be written through the DsAddSidHistory API that migration tools use. Removing existing values is nevertheless possible, and there are several ways to achieve this goal.

Caution: the tools differ considerably in how they handle the cleanup. sidHistory is a multi-valued attribute and may contain several SIDs from prior migrations, so you might want to delete only the SIDs related to specific domains.

Some tools erase the complete sidHistory attribute; others offer the option to delete selectively when the attribute holds multiple SIDs.

1. Option: Use VB Script from Microsoft Support

DELETING SELECTIVELY: NO

For a very long time, a VB script has been available from Microsoft support which can be used to remove sidHistory. The raw version of this script is not very convenient, and you may need to adjust the code.

The script can be downloaded here:

http://support.microsoft.com/kb/295758

Usage for ClearSidHistory.vbs is as follows:

cscript.exe ClearSidHistory.vbs -n=<name> [-o=<objectCategory>] [-c=<objectClass>]

-n=<name of the object you are looking for>

-o=<objectCategory of the object you are looking for>

-c=<objectClass of the object you are looking for>

Examples:

cscript.exe ClearSidHistory.vbs -n=My Contact

cscript.exe ClearSidHistory.vbs -n=Computer1 -o=computer

cscript.exe ClearSidHistory.vbs -n=James Smith -o=Person -c=user

Recommendation:

IT-Pro Arne Scherhag provides an extended version of this VB Script here:

http://www.winmigrationsite.de/sites/default/files/clearSidHistory_0.zip

2. Option: Use Microsoft Active Directory Module for PowerShell

DELETING SELECTIVELY: NO in the example below, which strips every value; the -Remove parameter does accept individual SIDs, though (see the comments).

If you are used to the Active Directory PowerShell cmdlets, you can also delete sidHistory values programmatically.

Examples:

Delete sidHistory values in all user objects of the domain:

Get-ADUser -Filter 'sidhistory -like "*"' -SearchBase "dc=name,dc=name" -SearchScope Subtree -Properties sidhistory | ForEach-Object { Set-ADUser $_ -Remove @{sidhistory=$_.sidhistory.Value} }
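As an added example that is not part of the original post (nor Microsoft's own code), the following script uses the same Active Directory module to remove sidHistory selectively instead of wholesale: it keeps every value whose domain part does not match one source domain, which is what the caution at the top of the post asks for. The source domain SID, the search base and the $DryRun switch are placeholders and assumptions; everything else uses only standard ActiveDirectory module cmdlets.

```powershell
# Added example, not code from the original post or from Microsoft.
# Removes only the sidHistory values that originate from ONE source domain,
# so SIDs left over from other migrations stay untouched.
# Assumptions: the ActiveDirectory module is present, the account running this
# may write sIDHistory, and the two placeholders below are replaced with real values.
Import-Module ActiveDirectory

$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # placeholder: SID of the source domain
$SearchBase      = 'OU=Migrated,DC=target,DC=example'              # placeholder: where migrated objects live
$DryRun          = $true                                           # set to $false to actually modify objects

# Both users and groups can carry sidHistory, so query them together.
$objects = Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=group))(sIDHistory=*))' `
                        -SearchBase $SearchBase -SearchScope Subtree -Properties sIDHistory

foreach ($obj in $objects) {
    # The module returns each value as a SecurityIdentifier; AccountDomainSid
    # is the SID without its RID, i.e. the domain the value came from.
    $fromSource = @($obj.sIDHistory | Where-Object {
        $_.AccountDomainSid -and $_.AccountDomainSid.Value -eq $SourceDomainSid })
    $fromOthers = @($obj.sIDHistory | Where-Object {
        -not $_.AccountDomainSid -or $_.AccountDomainSid.Value -ne $SourceDomainSid })

    if ($fromSource.Count -eq 0) { continue }   # nothing from this domain on the object

    # Emit an audit record before touching anything; pipe the script to Export-Csv to keep it.
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass
        Removed           = ($fromSource | ForEach-Object Value) -join ';'
        Kept              = ($fromOthers | ForEach-Object Value) -join ';'
    }

    # -Remove issues an LDAP modify that deletes just the listed values,
    # which is why the other domains' SIDs survive.
    Set-ADObject -Identity $obj -Remove @{ sIDHistory = $fromSource } -WhatIf:$DryRun

    if (-not $DryRun) {
        # Verify: re-read the object and make sure no source-domain SID is left.
        $left = @((Get-ADObject -Identity $obj -Properties sIDHistory).sIDHistory |
                  Where-Object { $_.AccountDomainSid -and $_.AccountDomainSid.Value -eq $SourceDomainSid })
        if ($left.Count -gt 0) {
            Write-Warning "$($obj.DistinguishedName): $($left.Count) source-domain SID(s) still present"
        }
    }
}
```

Run it first with $DryRun left at $true: the audit objects show per object which SIDs would go and which would stay, and -WhatIf prints the modifications without performing them. Only flip the switch after the re-ACLing of file servers and other resources has been confirmed, because once the value is gone the old SID no longer grants anything.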

3. Option: Use Quest ActiveRoles Management Shell for Active Directory cmdlets

DELETING SELECTIVELY: NO

If your scripting is based on the Quest Active Directory PowerShell extensions, you can also use Get-QADUser and Get-QADGroup to erase the sidHistory values.

Example:

Get-QADUser "john wayne" | ForEach-Object { Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_['sIDHistory']}} }

In Part 3 of this blog post, we will have a look at the tools which can selectively delete sidHistory.

7 thoughts on "Active Directory Migration – How to remove sidHistory after migration – Part 2"

  1. It is advisable to use ADPW via QMM AD for SIDHISTORY removal if objects contain multiple SIDHistory values (e.g. values from previous migrations that were not cleaned up).

    ADPW will only remove the SIDHistory value migrated during the current QMM migration, and will not arbitrarily remove those SIDHistory values from other migrations.

    1. Hello Brad,
      when you migrate with Quest Migration Manager for Active Directory (QMM/AD), this is definitely the preferred way to remove sidHistory selectively.
      However, using the Active Directory Processing Wizard (ADPW) requires a QMM/AD license, while many customers are purely licensing Quest Migration Manager for Exchange (QMM/Ex) to run an Inter-Org Exchange migration. The Quest Directory Synchronization agent, which sets sidHistory on target accounts, is part of QMM/Ex, but ADPW is not.
      We will have a look into it in Part 3 of the sidHistory removal thread. If you can share input on QMM ADPW and how to use it, that would be appreciated!
      Thanks for the comments
      Robert

      1. Hi Robert!

        Joeware has a good blog post on the topic of selective SIDHistory removal (with a slant on using his adfind/admod utilities) which is a good read if, like you say, ADPW is not an option and SIDHistory must be selectively removed for only specific domain SIDs:

        http://blog.joeware.net/2009/06/10/1655/

  2. Run the following in PoSH where $UserDN is the user’s DN and $SID is the sidHistory you want to remove. Simple really.

    Set-ADObject -Identity $UserDN -Remove @{sidhistory=$Sid}
