Question
Tuesday, August 21, 2012 8:36 PM
Hello to all, I'm on a cross forest migration from AD/Exchange 2003 --> AD 2008 / Exchange 2007.
After doing ADMT with the "Remove" option, the source objects will be removed from member servers and workstations. After that, I will do SID History Clean-up on target accounts. If a problem happens (access to printers, files, folders, etc.) for specific users after SID History Clean-up, is it possible to build a script to INSERT the SID History again on the problematic user (we tested and we can remove it but are not able to insert SID History again)?
Best regards, EEOC.
All replies (7)
Tuesday, August 21, 2012 11:54 PM ✅Answered | 1 vote
There's no easy way to re-add SIDHistory. It can't be done with any of the standard AD tools. If you're up for some programming you can look at the DsAddSidHistory function.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms675918(v=vs.85).aspx
It's been a while since I've used ADMT, but wouldn't the simplest method be to just re-migrate the user with ADMT to repopulate the SIDHistory attribute?
Tony www.activedir.org blog:www.open-a-socket.com
Wednesday, August 22, 2012 2:59 AM ✅Answered
Hi,
As “Tony Murray” mentioned already, there’s no easy way to re-add SIDHistory (I didn’t find and I don’t know such a method). However, you can remigrate the user account with SID history.
You can migrate user accounts in batches by using the ADMT console, by using the ADMT command-line option, or by using a script.
Prepare a script that incorporates ADMT commands and options for migrating users by using the sample script below:
<Job id="MigratingUserAccountsInBatchesBetweenForests">
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objUserMigration

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objUserMigration = objMigration.CreateUserMigration

   '
   'Specify general migration options.
   '
   objMigration.SourceDomain = "source domain"
   objMigration.SourceOu = "source container"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "target container"
   objMigration.PasswordOption = admtCopyPassword
   objMigration.PasswordServer = "password export server name"
   objMigration.ConflictOptions = admtReplaceConflicting + _
      admtRemoveExistingUserRights + admtMoveReplacedAccounts

   '
   'Specify user migration specific options.
   'MigrateSIDs = True is the option that repopulates sIDHistory on the target account.
   '
   objUserMigration.SourceExpiration = 7
   objUserMigration.MigrateSIDs = True
   objUserMigration.TranslateRoamingProfile = True
   objUserMigration.UpdateUserRights = False
   objUserMigration.FixGroupMembership = True
   objUserMigration.MigrateServiceAccounts = False

   '
   'Migrate specified user objects.
   '
   objUserMigration.Migrate admtData, Array("user name1", "user name2")

   Set objUserMigration = Nothing
   Set objMigration = Nothing
</Script>
</Job>
For more information please refer to the following MS articles:
Remigrating User Accounts and Workstations in Batches
http://technet.microsoft.com/en-us/library/cc755966(v=ws.10)
Migrating Accounts While Using SID History
http://technet.microsoft.com/en-us/library/cc974384(v=WS.10).aspx
Hope this helps!
Lawrence
TechNet Community Support
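Because sIDHistory cannot simply be written back, it helps to record it and check for dependencies before the clean-up. The following PowerShell is an added example, not part of any post in this thread: it saves each user's sIDHistory values from the target domain to a CSV and then reports file-system ACEs that still reference one of those old SIDs. The function names, CSV path and DC name are hypothetical, it assumes the ActiveDirectory module, and it covers user objects and file/folder ACLs only (not groups, printers or shares).

```powershell
# Added example. Function names, CSV path and DC name are hypothetical.
Import-Module ActiveDirectory

function Export-SidHistoryBackup {
    param([Parameter(Mandatory)][string]$Server,   # a target-domain DC
          [Parameter(Mandatory)][string]$CsvPath)
    # One CSV row per (user, old SID) pair still present in sIDHistory.
    Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory -Server $Server |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.sIDHistory) {
                [pscustomobject]@{
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    SourceSid         = $sid.ToString()
                }
            }
        } | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
}

function Find-AclUsingSidHistory {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$CsvPath)
    # Index the backup by source SID.
    $bySid = @{}
    Import-Csv -Path $CsvPath | ForEach-Object { $bySid[$_.SourceSid] = $_.SamAccountName }

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Request raw SIDs (explicit ACEs only) so name translation cannot hide an old SID.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($bySid.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    SourceSid = $sid
                    User      = $bySid[$sid]
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}
```

Run `Export-SidHistoryBackup` before the clean-up. Any row returned by `Find-AclUsingSidHistory` is a resource that still depends on an old SID, and its `User` values are the names to pass to the ADMT remigration script above if access breaks.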
Friday, August 24, 2012 2:23 PM ✅Answered
I don’t believe you can even use ADMT command line options to “Just” add SID history. You need to perform a migration.
You can create a custom app to call DsAddSidHistory API to achieve this. Tony has provided the link.
Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/
This posting is provided AS IS with no warranties, and confers no rights.
Wednesday, August 22, 2012 1:28 AM
Thanks for the answer. I will consider using ADMT (command line options) for this so it could be done for a batch of users at the same time without the user interface burden (slows down).
Best regards, EEOC
Monday, August 27, 2012 3:37 AM
Hi,
I would like to confirm what the current situation is. Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support
Thursday, August 30, 2012 2:05 AM
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as 'Answered' as the previous steps should be helpful for many similar scenarios.
If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
Thanks!
Lawrence
TechNet Community Support
Friday, August 31, 2012 1:22 PM
Hi,
I was building my fallback with this one here:
http://code.msdn.microsoft.com/windowsdesktop/SIDCloner-add-sIDHistory-831ae24b