Re: adding sIDHistory to an AD account
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/20/04
Date: Thu, 20 May 2004 11:31:17 -0400
I won't speak to the GUIs, I don't like them. They are a programmer's
interpretation of the underlying APIs and info, not necessarily what is real.
You should have a trust for the migration so why not assign the permission to
the new user object from AD?
Otherwise assuming the users have 2K3 mailboxes I would say you want to delete
the user object from AD, remigrate the user, reconnect the mailbox to the new
user object (either via ESM or WMI Script). You may want to go tag an Exchange
group though to be sure as this is more Exchange specific than AD specific.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

fred wrote:
> Thanks
>
> I find it strange that the gui looks like it allows adds and removes but doesn't work. Oh well.
>
> I'm migrating from Exchange 5.5 on NT4 to Exchange 2003 on a separate Win2003 domain. A user migrated to Win2003 needs access to some resources on NT4. Most accounts had the SIDHistory populated with ADMT2 however some accounts (eg recreated after mistaken AD delete) don't have the sidhistory.
>
> What tools should I use to populate the SidHistory?
> Is there a script for win2003?
> Is ClonePrincipal (the win2000 tool) supported for 2003?
> If I run ADMT2 and migrate the account to AD again (different account name) can I run ADClean to merge the accounts?
>
> ----- Joe Richards [MVP] wrote: -----
>
> sIDHistory is a touchy thing because it can be a HUGE security hole. In order to
> update sid history you have to use a script or program that someone wrote that
> calls DsAddSidHistory. There are special rules around the whole operation, see
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/using_dsaddsidhistory.asp
>
> also
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/dsaddsidhistory.asp
>
> Basically you can't just insert whatever SID you want in.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
> fred wrote:
> > I have a number of Active Directory accounts that I need to add the sIDHistory attribute.
> >
> > I know the sid and want to add it to the account using ADSIedit. Using the GUI I add the sid in HEX and click OK. When I go to close the User properties dialog box ADSIedit presents an error with "Access is denied".
> >
> > I'm running ADSIedit on a DC
> > I'm using a Domain Admin account (tried 2 different Dom Admin accounts)
> >
> > Why? How are you meant to manually add a SID to the sIDHistory attribute??
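An added example, not part of the original thread: a small audit helper that decodes sIDHistory values from the hex form a tool such as ADSIedit shows and flags the entries a reviewer should question after a migration. It assumes the values have already been exported; the domain SIDs, RIDs and function names are constructed for illustration. It flags a SID from the account's own domain because DsAddSidHistory only accepts a source principal from a different forest, and it flags well-known privileged RIDs.

```python
import struct

# Well-known privileged RIDs.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def sid_to_hex(sid):
    """Encode 'S-1-5-21-...' as the hex of the binary SID (used to build samples)."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return (raw + struct.pack("<%dI" % len(subs), *subs)).hex()

def sid_from_hex(hex_str):
    """Decode a binary SID given as hex (spaces allowed) to its string form."""
    raw = bytes.fromhex(hex_str)
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then one 4-byte little-endian value per sub-authority.
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def review_sid_history(account_domain_sid, history_hex_values):
    """Return (sid, reason) pairs for sIDHistory values that deserve a look."""
    findings = []
    for value in history_hex_values:
        try:
            sid = sid_from_hex(value)
        except ValueError as exc:
            findings.append((value, "unparseable: %s" % exc))
            continue
        domain, _, rid = sid.rpartition("-")
        reasons = []
        if domain == account_domain_sid:
            reasons.append("SID from the account's own domain")
        if int(rid) in PRIVILEGED_RIDS:
            reasons.append("privileged RID: " + PRIVILEGED_RIDS[int(rid)])
        if reasons:
            findings.append((sid, "; ".join(reasons)))
    return findings

# Constructed sample data: every domain SID and RID below is made up.
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
SAMPLE_HISTORY = [sid_to_hex(OLD_DOMAIN + "-1105"),  # ordinary migrated user
                  sid_to_hex(NEW_DOMAIN + "-512"),   # same domain, Domain Admins
                  sid_to_hex(OLD_DOMAIN + "-519"),   # privileged RID, old domain
                  "0105"]                            # truncated value

if __name__ == "__main__":
    for sid, reason in review_sid_history(NEW_DOMAIN, SAMPLE_HISTORY):
        print(sid, "->", reason)
```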