Active Directory Migration – How to remove sidHistory after migration – Part 2

As mentioned in my previous blog post regarding SID history, SID history can be both, burden and blessing. The recommendation from Microsoft is to clean up sidHistory from your accounts when migration is finished and all your Windows network resources have been re-ACLed (permissions of source domain accounts SIDs have been replaced by permissions of target domain SIDs).

Although it is not possible to remove sidHistory values like many other attribute values in Active Directory by using ADSIEDIT, LDAP or ADUC, there are still several ways to achieve this goal.

Caution: There is a big difference in how the tools handle the cleanup. Since sidHistory is a multi-value attribute and contain several SIDs from prior migrations, you might want to delete only SIDs related to specific domains.

Some of the tools erase the complete sidHistory value, some provide the option to delete selectively if there are multiple SIDs in the sidHistory.

1.Option: Use VB Script from Microsoft Support

DELETING SELECTIVELY: NO

For a very long time, a VB script is available from Microsoft support, which can be used to remove sidHistory. The raw version of this script is not very comfortable. You might need to adjust the coding.

The script can be downloaded here:

http://support.microsoft.com/kb/295758

Usage for ClearSidHistory.vbs is as follows:

cscript.exe ClearSidHistory.vbs -n=<name> [-o=<objectCategory>] [-c=<objectClass>]

-n=<name of the object you are looking for>

-o=<objectCategory of the object you are looking for>

-c=<objectClass of the object you are looking for>

Examples:

cscript.exe ClearSidHistory.vbs -n=My Contact

cscript.exe ClearSidHistory.vbs -n=Computer1 -o=computer

cscript.exe ClearSidHistory.vbs -n=James Smith -o=Person -c=user

Recommendation:

IT-Pro Arne Scherhag provides an extended version of this VB Script here:

http://www.winmigrationsite.de/sites/default/files/clearSidHistory_0.zip

2.Option: Use Microsoft Active Directory Module for Powershell

DELETING SELECTIVELY: NO

If you are used to the Active Directory Powershell commandlets, you can also delete sidHistory values programmatically.

Examples:

Delete sidHistory values in all user objects of the domain:

Get-ADUser –filter ‘sidhistory –like “*”’ –searchbase “dc=name,dc=name” –searchscope subtree –properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}

3.Option: Use Quest Active Roles Management Shell for Active Directory commandlets

DELETING SELECTIVELY: NO

If your scripting is based on Quest Active Directory Powershell extensions, you also can use the get-qaduser and get-qadgroup commands to erase the sidHistory values.

Example:

Get-QADUser “john wayne” | %{Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_[‘sIDHistory’]}}}

In Part 3 of this blog post, we will have a look at the tools which can selectively delete sidHistory.

7 thoughts on “Active Directory Migration – How to remove sidHistory after migration – Part 2

  1. It is advisable to use ADPW via QMM AD for SIDHISTORY removal if objects contain multiple SIDHistory values (e.g: values from previous migrations that were not cleaned up).

    ADPW will only remove the SIDHistory value migrated during the current QMM migration, and will not arbitrarily remove those SIDHistory values from other migrations.

    1. Hello Brad,
      when you migrate with Quest Migration Manager for Active Directory (QMM/AD), this is definitely the preferred way to remove sidHistory selectively.
      However, using Active Directory Processing Wizard (ADPW) requires to have a QMM/AD license while many customers are purely licensing Quest Migration Manager for Exchange (QMM/Ex) to run an Inter-Org Exchange migration. Part of the QMM/Ex is the Quest Directory Synchronization agent which sets sidHistory on target accounts, but ADPW is not.
      We will have a look into it in Part 3 of the sidHistory Removal thread. If you can share input for QMM ADPW and how to use it – appreciated!
      Thanks for comments
      Robert

      1. Hi Robert!

        Joeware has a good blog on the topic of selective SIDHistory removal (with a slant on using his adfind/admod utilities) which is a good read, if like you say – ADPW is not an option, and SIDHistory must be selectively removed for only specifics domain sid’s:

        http://blog.joeware.net/2009/06/10/1655/

  2. Run the following in PoSH where $UserDN is the user’s DN and $SID is the sidHistory you want to remove. Simple really.

    Set-ADObject -Identity $UserDN -Remove @{sidhistory=$Sid}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s