I use a couple of great tools from joeware.net to remove a SID from a users SID History. I had a problem where the wrong user was mapped over during a migration when we were colasping multiple domains into one.
The 2 tools I used from joeware were adfind and admod, both free.
adfind -h IT-DC01 -default -f sAMAccountName=jackuser sidhistory
dn:CN=Jack User,OU=Employees,OU=People,DC=mydomain,DC=edu
>sIDHistory: S-1-5-23-4189335451-1674751469-1023141700-3124
>sIDHistory: S-1-5-23-4217985222-169311000002009-1212232504-146495
This listed the current SID's in the history of the users account. After deciding which one I wanted to removie I used admod to remove it.
admod -b "CN=Jack User,OU=Employees,OU=People,DC=mydomain,DC=edu"
sidhistory:-:S-1-5-23-4217985222-1000002009-1212232504-146495
Sid Removed and now where ready to take that SID and add it to the correct user account.
admod -b "CN=Jackie User,OU=Employees,OU=People,DC=mydomain,DC=edu"
sidhistory:+:S-1-5-23-4217985222-1000002009-1212232504-146495
Note: I found out after this post that this option does not work with SIDHistory. You will need to use the VB Script or ADMT to migrate the sid from the source domain.
Hi,
ReplyDeleteThanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.
In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.
The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php
Why bother writing complicated scripts or using unsupported command-line tools when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!
If you're into Active Directory security, then this tool is a must-have. Thought I'd share this helpful tip with you!
Sincerely,
JohnM