Active Directory Migration – How to remove sidHistory after migration – Part 2

As mentioned in my previous blog post regarding SID history, SID history can be both, burden and blessing. The recommendation from Microsoft is to clean up sidHistory from your accounts when migration is finished and all your Windows network resources have been re-ACLed (permissions of source domain accounts SIDs have been replaced by permissions of target domain SIDs).

Although it is not possible to remove sidHistory values like many other attribute values in Active Directory by using ADSIEDIT, LDAP or ADUC, there are still several ways to achieve this goal.

Caution: There is a big difference in how the tools handle the cleanup. Since sidHistory is a multi-value attribute and contain several SIDs from prior migrations, you might want to delete only SIDs related to specific domains.

Some of the tools erase the complete sidHistory value, some provide the option to delete selectively if there are multiple SIDs in the sidHistory.

1.Option: Use VB Script from Microsoft Support

DELETING SELECTIVELY: NO

For a very long time, a VB script is available from Microsoft support, which can be used to remove sidHistory. The raw version of this script is not very comfortable. You might need to adjust the coding.

The script can be downloaded here:

http://support.microsoft.com/kb/295758

Usage for ClearSidHistory.vbs is as follows:

cscript.exe ClearSidHistory.vbs -n=<name> [-o=<objectCategory>] [-c=<objectClass>]

-n=<name of the object you are looking for>

-o=<objectCategory of the object you are looking for>

-c=<objectClass of the object you are looking for>

Examples:

cscript.exe ClearSidHistory.vbs -n=My Contact

cscript.exe ClearSidHistory.vbs -n=Computer1 -o=computer

cscript.exe ClearSidHistory.vbs -n=James Smith -o=Person -c=user

Recommendation:

IT-Pro Arne Scherhag provides an extended version of this VB Script here:

http://www.winmigrationsite.de/sites/default/files/clearSidHistory_0.zip

2.Option: Use Microsoft Active Directory Module for Powershell

DELETING SELECTIVELY: NO

If you are used to the Active Directory Powershell commandlets, you can also delete sidHistory values programmatically.

Examples:

Delete sidHistory values in all user objects of the domain:

Get-ADUser –filter ‘sidhistory –like “*”’ –searchbase “dc=name,dc=name” –searchscope subtree –properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}

3.Option: Use Quest Active Roles Management Shell for Active Directory commandlets

DELETING SELECTIVELY: NO

If your scripting is based on Quest Active Directory Powershell extensions, you also can use the get-qaduser and get-qadgroup commands to erase the sidHistory values.

Example:

Get-QADUser “john wayne” | %{Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_[‘sIDHistory’]}}}

In Part 3 of this blog post, we will have a look at the tools which can selectively delete sidHistory.