joeware - never stop exploring...


Clearing all sIDHistories in a domain

by @ 1:22 pm on 9/16/2006.

A common question I see is “How do I clear all sIDHistory values in a domain?”. Microsoft does have a script on its support web site to accomplish this; you can find it at

http://support.microsoft.com/default.aspx?scid=kb;en-us;295758


I don’t have much direct experience with it, but I have had folks who wanted me to modify it for them, and I have heard complaints that it is slow or that it sometimes just breaks, and people would like to know if I can figure it out for them. In general, my response is no. I am not a huge fan of vbscript, and there is only so much work I can do for people to help them out for free; I would prefer to do something I am interested in. Can you blame me? :)


Anyway, this came to mind because, as I was working through various tests with AdMod V01.07.00, I realized that it could do the cleanup of a domain’s sIDHistory values, and it should be far faster than the matching vbscript and is obviously considerably more flexible.

Here is an example:


[Sat 09/16/2006 12:57:04.51]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory

AdFind V01.31.00cpp Joe Richards (joe@joeware.net) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joeuserdeny,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1123

dn:CN=joeuserdeny2,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1125

dn:CN=someuserchild,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1128

dn:CN=someuserchild2,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1129

dn:CN=someuserchild3,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19400
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1138
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19401
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1139
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19402
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1140
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19403
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1141
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19404
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1142
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19405
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1143
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19406
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1144

5 Objects returned

[Sat 09/16/2006 12:59:22.10]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory -adcsv | admod sidhistory:-:{{sidhistory}} -upto 10

AdMod V01.07.00cpp_BETA1 Joe Richards (joe@joeware.net) September 2006

DN Count: 5
Using server: 2k3dc02.joe.com
Modifying specified objects…
  DN: CN=joeuserdeny,OU=TestOU,DC=joe,DC=com…
  DN: CN=joeuserdeny2,OU=TestOU,DC=joe,DC=com…
  DN: CN=someuserchild,OU=TestOU,DC=joe,DC=com…
  DN: CN=someuserchild2,OU=TestOU,DC=joe,DC=com…
  DN: CN=someuserchild3,OU=TestOU,DC=joe,DC=com…

The command completed successfully

[Sat 09/16/2006 13:02:40.61]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory

AdFind V01.31.00cpp Joe Richards (joe@joeware.net) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

0 Objects returned
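The same enumerate-then-remove procedure in the ActiveDirectory PowerShell module, as an added example that is not part of the original post or of AdFind/AdMod. It assumes RSAT is installed and that the account running it may modify the objects; the DC name, backup file name and the `-Limit` batch size (mirroring AdMod's `-upto`) are this script's own placeholders. The values are exported to CSV before anything is touched, and nothing is changed unless `-Commit` is given, so each batch can be verified before the next.

```powershell
# Added example, not from the joeware post. Assumes the ActiveDirectory
# module (RSAT) and rights to modify the objects. Server, backup path and
# batch size are placeholders chosen here, not values from the post.
param(
    [string]$Server = 'dc01.example.com',      # placeholder DC name
    [string]$Backup = '.\sidhistory-backup.csv',
    [int]   $Limit  = 10,                      # like AdMod -upto: stop after N objects
    [switch]$Commit                            # without -Commit only report what would change
)
Import-Module ActiveDirectory

# 1. Enumerate every object carrying sIDHistory (same filter as adfind -f sidhistory=*).
$objs = @(Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)

# 2. Save DN -> SID pairs first. Once the source domain is gone, this file is the
#    only copy of the values short of an authoritative restore of the objects.
$objs | ForEach-Object {
    $dn = $_.DistinguishedName
    foreach ($sid in $_.sIDHistory) {
        [pscustomobject]@{ DistinguishedName = $dn; SID = $sid.Value }
    }
} | Export-Csv -Path $Backup -NoTypeInformation
Write-Host ("{0} object(s) with sIDHistory; values backed up to {1}" -f $objs.Count, $Backup)

# 3. Remove the values one batch at a time so resource access can be re-tested
#    (with a fresh logon token) between batches.
$objs | Select-Object -First $Limit | ForEach-Object {
    $sids = @($_.sIDHistory)
    if ($Commit) {
        Set-ADObject -Server $Server -Identity $_.DistinguishedName -Remove @{ sIDHistory = $sids }
        Write-Host ("cleared {0} value(s) on {1}" -f $sids.Count, $_.DistinguishedName)
    } else {
        Write-Host ("would clear {0} value(s) on {1}" -f $sids.Count, $_.DistinguishedName)
    }
}
```

Re-run without `-Commit` after each batch: the enumeration in step 1 is also the check that the values are really gone, the PowerShell counterpart of the final `adfind` in the post returning 0 objects.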

2 Responses to “Clearing all sIDHistories in a domain”

  1. Guido Says:

    short warning: it should be crystal clear to anyone that removing the SID-History values from accounts is nothing that can be undone easily, especially if the source domain (for example an NT4 domain that you’ve migrated from) has been decommissioned. In this case you’ll only get it back by doing an authoritative restore of the respective objects from which SIDhistory was removed.

    I’m not saying it shouldn’t be removed - this is certainly the goal. But I’ve seen many companies that removed SIDhistory before they were really ready to do so - i.e. there were plenty of resources that hadn’t been re-ACLed properly, and access to public folders in Exchange was impacted as well.

    So the warning is: do your homework before trying to remove SIDhistory, i.e. check the ACLs of your most critical servers and applications, and don’t clean up all groups (or users) at once. You should always try accessing the target resources and applications after SIDhistory has been cleared from a few groups, and only after successful access (by a user who has re-authenticated - i.e. doesn’t have the SIDs from a group’s SIDhistory in his token) continue with the cleanup, etc…

    /Guido

  2. joe Says:

    Absolutely.
