PowerShell Module for Working With AD SID History

The functions provided in this module will give you visibility into the status of your SID history throughout the Active Directory Forest, help you translate SID history in NTFS ACLs, and easily target SID history removal.

 
 
 
 
 
4.8 Star
(22)
10,900 times
Active Directory
9/5/2014


  • Restore SIDHistory from AD backup?
    1 Posts | Last post July 10, 2018
    • Hello, 
      
      I have read that restoring the SIDHistory from AD backup is not possible, as the only way to inject SIDHistory into an object is from the DsAddSidHistory API, which needs both source and destination domain.
      
      Could you confirm?
      
      Thank you.
  • the specified module sidhistory
    1 Posts | Last post November 28, 2017
    • I have run this exactly as written and I am getting the Import-Module : The specified module 'SIDHistory' was not loaded because no valid module file was found in any module directory.
      
      Does anything change if it is run on a Windows Server 2012 R2 computer?
      
  • Updates or open to updating?
    1 Posts | Last post September 06, 2017
    • I see this as beneficial and exciting. I would like to put it on GitHub and post a link in PSGallery to make it available to download via PowerShell NuGet. Please contact me for questions/concerns.
  • DomainLocalGroup query issue
    1 Posts | Last post June 21, 2017
    • I was using the function Export-SIDMappingCustom and on line 891 the domain local grouptype should be -2147483644 (it's -2147483643 in the module).
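What the two groupType values in the post above decode to, as an added example that is not part of the module or of the original post. The helper names `ConvertFrom-GroupType` and `Get-GroupTypeLdapFilter` are hypothetical; the bit values are the documented Active Directory groupType flags.

```powershell
# Added example: decode the Active Directory groupType bit field.
$GroupTypeBits = @(
    @{ Bit = 0x00000001; Name = 'BUILTIN_LOCAL (system-created)' }
    @{ Bit = 0x00000002; Name = 'GLOBAL' }
    @{ Bit = 0x00000004; Name = 'DOMAIN_LOCAL' }
    @{ Bit = 0x00000008; Name = 'UNIVERSAL' }
    @{ Bit = 0x80000000; Name = 'SECURITY_ENABLED' }
)

# Hypothetical helper: list the flags that are set in a signed groupType value.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    $set = foreach ($f in $GroupTypeBits) {
        if (($GroupType -band $f.Bit) -ne 0) { $f.Name }
    }
    [pscustomobject]@{
        GroupType = $GroupType
        Hex       = '0x{0:X8}' -f $GroupType
        Flags     = $set -join ' | '
    }
}

# Hypothetical helper: LDAP bitwise-AND matching rule, true when every bit in
# $Mask is set on groupType, so extra bits such as BUILTIN_LOCAL do not matter.
function Get-GroupTypeLdapFilter {
    param([Parameter(Mandatory)][long]$Mask)
    "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=$Mask))"
}

ConvertFrom-GroupType -GroupType (-2147483644)   # value the post says a domain local group should have
ConvertFrom-GroupType -GroupType (-2147483643)   # value the post reports in the module
Get-GroupTypeLdapFilter -Mask 2147483652         # 0x80000004: security-enabled and domain local
```

The two values differ only in the lowest bit, which marks system-created (builtin) groups.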
  • SIDMapping file and Domain Users
    1 Posts | Last post January 19, 2015
    • Hello, I have found that these commands do not work with Domain Users, is that by design?
  • Unable to run GET-SIDHistory
    2 Posts | Last post January 19, 2015
    • I'm unable to run get-sidhistory -domainname name.abc. I am getting an error message that it is unable to find the CSV file. I'm trying to get a list of old AD history on the users OU. 
    • Hello Russ,
      You should first run Export-SIDMapping instead of Get-SIDHistory.  Get-SIDHistory is a helper function used during SID history removal primarily.  Watch the video here for a tutorial on how to use the cmdlets:
      http://blogs.technet.com/b/ashleymcglone/archive/2013/07/02/microsoft-pfe-ashley-mcglone-speaking-for-mspsug-virtual-user-group-on-tuesday-july-9th-at-8-30pm-cdt.aspx
      
      Ashley
      @GoateePFE
  • Point of clarification
    2 Posts | Last post January 02, 2014
    • The vast majority of accounts have the same samaccountnames. I believe I can just use the command line ADMT with a merge switch, no? Or just use the existing mapping file I have where I attempt to match the accounts using their employeeid, and then it would go something like this- http://blog.thesysadmins.co.uk/admt-series-9-merging-users-with-a-different-samaccountname.html
      
      I will still need to create a mapping file to address our NetApp with 20+ TB of CIFS data on it, with lots of individual ACEs... 
      
      Thanks,
      Jon
    • Hello Jon,
      The scripts in the SIDHistory PowerShell module will create the ADMT include file referenced in the link you provided.  It sounds like that would be your best path based on the information provided.
      Thanks,
      Ashley
  • Appending SIDHistory
    1 Posts | Last post December 31, 2013
    • Ashley,
      
      You are correct, in my case the target accounts were already created via Quest PowerShell / ARS, and are linked via OIM. I simply need a way to append the SIDHistory of the source accounts to the target, and then use your toolkit in a scenario you've described to remap the ACEs to the new SIDs (for cleanup purposes, since I assume the target accounts' SIDHistory would allow access to the object in the source domain). Any thoughts on this script for the job?
      
      http://gallery.technet.microsoft.com/scriptcenter/9b338347-c012-418b-84f6-efc5a148429b
      
      Thanks,
      Jon
  • So after I use Export-SIDMappingCustom..
    2 Posts | Last post December 18, 2013
    • Ashley,
      
      Thanks for getting back to me so quickly, but after I use Export-SIDMappingCustom, what are the next steps? Do I run ADMT using that export as a reference file, or do I use the Update-SIDMapping cmdlet? I am going to try and finish all your blog posts to try and pick up some of the pieces that I am missing, but an overview of what would need to occur in the scenario you outlined here would be great:
      
      'I had a customer who was not able to use the Active Directory Migration Tool for a domain migration.  The newly acquired subsidiary was not allowed to create a trust for compliance reasons.  Obviously we need a trust to do a migration.  Or do we?'
      
      I am following up to the point where I have a mapping file. Is that where ADMT is used to merge the objects? 
      
      Thanks!
      Jon
    • Hi Jon,
      
      It sounds like the accounts are already migrated.  I am not aware of any tool that will apply SID history to accounts that have already been built with different names.
      
      Now you need to re-ACL the resources and file shares using the custom SID mapping file you created based on the common account attribute.  You can do that using the ADMT and this PowerShell module.  Continue reading all of the documentation here:  http://aka.ms/SIDHistory .  Let me know if that does not answer your questions.
      
      Ashley
      GoateePFE
      
  • Can this module actually merge accounts' SIDHistory between forests
    2 Posts | Last post December 16, 2013
    • I have an interesting situation where, due to several acquisitions, we have to migrate the acquired companies' objects into the parent company's domain. Unfortunately, due to a requirement to have everyone using resources in the parent company's domain immediately, the accounts were created via a batch PowerShell script, and not created via an ADMT migration. Furthermore, they were created using HR data, and do not necessarily have the same SAMaccountname / UPN. I have remedied this to where the accounts now have a 'key-field' where they both share the same employeeID, but I still need to find the best way to merge the objects, and in particular get the SID History to the target domain.
      
      Will this module help? I have installed it and am looking at the cmdlets, but I don't see a 'Set-SIDHistory'. Is this supposed to be used in conjunction with ADMT v3.2, or merely for auditing purposes, save the Convert-SIDHistoryNTFS?
      
      I am also evaluating these .NET based ADMT powershell scripts-
      
      http://poshcode.org/2048
      http://blog.powershell.no/tag/admt-3-2/
      
      And am wondering if I should be using aspects of each of these projects, before we need to have a Quest PSE come in to use their tool to migrate our objects.
      
      Thanks,
      Jon
    • Hello Jon,
      
      Good question.  The best way to set SID history is with ADMT or a similar tool.  However, you can match and map accounts with a common field using the function "Export-SIDMappingCustom".  That allows you to "fake" SID history for purposes of the module.  See the help or read about it here: http://blogs.technet.com/b/ashleymcglone/archive/2013/07/09/active-directory-powershell-sidhistory-module-update-1-5.aspx
      
      Hope this helps,
      Ashley (GoateePFE)
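The matching on a common field described in this thread, carried one step further to the re-ACL step, as an added example that is not the module's own code and not part of the original posts. The function names `New-SidMapByKey` and `Convert-SddlSid`, the property names and all SIDs are hypothetical or constructed; only accounts with exactly one match on employeeID are mapped.

```powershell
# Constructed sample accounts (names and SIDs are made up for illustration).
$src = 'S-1-5-21-1111111111-2222222222-3333333333'   # source domain SID
$dst = 'S-1-5-21-4444444444-5555555555-6666666666'   # target domain SID
$sourceAccounts = @(
    [pscustomobject]@{ EmployeeID = '1001'; SamAccountName = 'jsmith';   SID = "$src-1105" }
    [pscustomobject]@{ EmployeeID = '1002'; SamAccountName = 'mjones';   SID = "$src-1106" }
    [pscustomobject]@{ EmployeeID = '1003'; SamAccountName = 'old.temp'; SID = "$src-1107" }
)
$targetAccounts = @(
    [pscustomobject]@{ EmployeeID = '1001'; SamAccountName = 'john.smith'; SID = "$dst-2201" }
    [pscustomobject]@{ EmployeeID = '1002'; SamAccountName = 'mary.jones'; SID = "$dst-2202" }
    [pscustomobject]@{ EmployeeID = '1002'; SamAccountName = 'mjones.adm'; SID = "$dst-2203" }
)

# Hypothetical helper: pair accounts on a shared attribute; only 1:1 matches are mapped.
function New-SidMapByKey {
    param([object[]]$Source, [object[]]$Target, [string]$Key = 'EmployeeID')
    $byKey = @{}
    foreach ($t in $Target) {
        $k = [string]$t.$Key
        if ($k) { if (-not $byKey.ContainsKey($k)) { $byKey[$k] = @() }; $byKey[$k] += $t }
    }
    foreach ($s in $Source) {
        $k = [string]$s.$Key; $hits = @()
        if ($k -and $byKey.ContainsKey($k)) { $hits = $byKey[$k] }
        $status = switch ($hits.Count) { 0 { 'Unmatched' } 1 { 'Mapped' } default { 'Ambiguous' } }
        [pscustomobject]@{
            Key = $k; OldSID = $s.SID; Status = $status
            NewSID = if ($status -eq 'Mapped') { $hits[0].SID } else { $null }
        }
    }
}

# Hypothetical helper: swap mapped SIDs in an SDDL string, matching whole SID tokens
# so that a SID ending in -110 is never replaced inside one ending in -1105.
function Convert-SddlSid {
    param([string]$Sddl, [hashtable]$Map)
    $swap = [System.Text.RegularExpressions.MatchEvaluator]{ param($m) if ($Map.ContainsKey($m.Value)) { $Map[$m.Value] } else { $m.Value } }
    [regex]::Replace($Sddl, 'S-1-\d+(?:-\d+)+', $swap)
}

$mapping = New-SidMapByKey -Source $sourceAccounts -Target $targetAccounts
$mapping                                             # 1001 Mapped, 1002 Ambiguous, 1003 Unmatched
$map = @{}
$mapping | Where-Object Status -eq 'Mapped' | ForEach-Object { $map[$_.OldSID] = $_.NewSID }
# Constructed SDDL for a folder owned by jsmith, with ACEs for jsmith, mjones and BUILTIN\Administrators.
$sddl = "O:$src-1105G:DUD:(A;;FA;;;$src-1105)(A;;0x1200a9;;;$src-1106)(A;;FA;;;BA)"
Convert-SddlSid -Sddl $sddl -Map $map
```

The ambiguous and unmatched rows are left untranslated in the output, so they can be reviewed by hand before any ACL is rewritten.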