Re: modify sIDHistory


Can someone explain this limitation so to speak?

I have also run into an issue where I used ADSI Edit in order to locate the
user that I wanted to modify. After going to the properties of the user I
selected sidHistory and pasted the octet value of the user sid that I wanted
to use. I selected add and then apply. I received an access denied error from
the system. The logged in user was the Enterprise and Schema Admin.

What process is the ADMT tool using that allows it to create and append the
old SID? I don't see why you can't manually replicate that without having to
use the tool. The main reason behind this is E-Directory is being used to
create users in AD and publish the old SID in the attribute value of the user
created SID. At any rate, I just want to know if there is an easier way to
modify SIDHistory manually, without using any tools...because E-Directory is
unable to run Windows Tools, but it can call VBS Scripts to run.

Thanks,

John


"Michael D'Angelo" wrote:

> "Damir Kh. Shakirov" <DamirKhShakirov@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:0146C31B-D181-414A-9220-3D52C439BB18@xxxxxxxxxxxxxxxx
> > Is it possible to modify the sIDHistory attribute by means of ADSI Edit?
> > I wish to clone accounts from domain A into domain B by means of ADMT, and
> > then to copy the sIDHistory attribute from the clones into this attribute
> > on already existing accounts.
>
> You can't use ADSI Edit to do this. There is an API you must call to do it.
> Here is a sample in VB.NET which will do it.
>
> Option Explicit On
>
> Public Module SidHist
>
>     Public Sub ClonePrincipal(ByVal srcDC As String, ByVal srcDom As String, _
>                               ByVal srcSam As String, ByVal dstDC As String, _
>                               ByVal dstDom As String, ByVal dstSam As String)
>
>         ' Create the COM object implementing ICloneSecurityPrincipal
>         Dim clonepr As Object
>         clonepr = CreateObject("DSUtils.ClonePrincipal")
>
>         ' Connect to the source and destination domain controllers
>         clonepr.Connect(srcDC, srcDom, dstDC, dstDom)
>
>         ' Add the SID of the source principal to the sid history of the
>         ' destination principal.
>         clonepr.AddSidHistory(srcSam, dstSam, 0)
>
>     End Sub
>
> End Module
>
>
>
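
Added example, not part of the original posts: Python code for reviewing sIDHistory values such as the octet string pasted into ADSI Edit above. It decodes each binary SID to its S-1-... form and flags entries that carry a well-known privileged RID or that come from the account's own domain (a review heuristic assumed here); the function names and sample SIDs are constructed for illustration.

```python
import struct

# Well-known privileged RIDs in a domain (Microsoft well-known SIDs).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed sample sIDHistory values as hex octets (not from the thread).
SAMPLE_HISTORY = [
    "01 05 00 00 00 00 00 05 15 00 00 00 E8 03 00 00 "
    "D0 07 00 00 B8 0B 00 00 51 04 00 00",   # S-1-5-21-1000-2000-3000-1105
    "01 05 00 00 00 00 00 05 15 00 00 00 E8 03 00 00 "
    "D0 07 00 00 B8 0B 00 00 00 02 00 00",   # S-1-5-21-1000-2000-3000-512
]

def sid_from_octets(hex_octets):
    """Decode a binary SID given as hex octets into its S-1-... string."""
    raw = bytes.fromhex(hex_octets)          # ValueError on non-hex input
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")     # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def review_sid_history(account_sid, history_octets):
    """Return (sid, finding) pairs for sIDHistory values worth a second look."""
    own_domain = account_sid.rsplit("-", 1)[0]
    findings = []
    for octets in history_octets:
        try:
            sid = sid_from_octets(octets)
        except ValueError as exc:
            findings.append((octets, "undecodable: %s" % exc))
            continue
        domain, rid = sid.rsplit("-", 1)
        is_domain_sid = sid.startswith("S-1-5-21-")
        name = PRIVILEGED_RIDS.get(int(rid)) if is_domain_sid else None
        if name:
            findings.append((sid, "privileged RID: " + name))
        elif domain == own_domain:
            findings.append((sid, "SID from the account's own domain"))
    return findings

if __name__ == "__main__":
    # The account SID below is also a constructed value.
    for sid, why in review_sid_history("S-1-5-21-4000-5000-6000-1105", SAMPLE_HISTORY):
        print(sid, "->", why)
```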