A common question I see is “How do I clear all sIDHistory values in a domain?”. Microsoft does have a script on the support web site to accomplish this, you can find it at
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758
I don’t have much direct experience with it but had folks that wanted me to modify it for them and heard complaints that it is slow or that it sometimes just breaks and people would like to know if I can figure it out for them. In general, my response is no. I am not a huge fan of vbscript and plus there is only so much work I can do for people to help them out for free and I would prefer to do something I am interested in. Can you blame me? 🙂
Anyway, this came to mind because as I was working through various tests with AdMod V01.07.00 I realized that it could do the cleanup of a domain’s sIDHistory value’s and it should be far faster than the matching vbscript and it is obviously considerably more flexible.
Here is an example:
[Sat 09/16/2006 12:57:04.51]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory
AdFind V01.31.00cpp Joe Richards (joe@joeware.net) March 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=joeuserdeny,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1123
dn:CN=joeuserdeny2,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1125
dn:CN=someuserchild,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1128
dn:CN=someuserchild2,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1129
dn:CN=someuserchild3,OU=TestOU,DC=joe,DC=com
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19400
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1138
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19401
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1139
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19402
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1140
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19403
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1141
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19404
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1142
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19405
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1143
>sIDHistory: S-1-5-21-1862701446-4008382571-2198042679-19406
>sIDHistory: S-1-5-21-3593593216-2729731540-1825052264-1144
5 Objects returned
[Sat 09/16/2006 12:59:22.10]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory -adcsv | admod sidhistory:–:{{sidhistory}} -upto 10
AdMod V01.07.00cpp_BETA1 Joe Richards (joe@joeware.net) September 2006
DN Count: 5
Using server: 2k3dc02.joe.com
Modifying specified objects…
DN: CN=joeuserdeny,OU=TestOU,DC=joe,DC=com…
DN: CN=joeuserdeny2,OU=TestOU,DC=joe,DC=com…
DN: CN=someuserchild,OU=TestOU,DC=joe,DC=com…
DN: CN=someuserchild2,OU=TestOU,DC=joe,DC=com…
DN: CN=someuserchild3,OU=TestOU,DC=joe,DC=com…
The command completed successfully
[Sat 09/16/2006 13:02:40.61]
F:\Dev\CPP\AdMod>adfind -h 2k3dc02 -default -f sidhistory=* sidhistory
AdFind V01.31.00cpp Joe Richards (joe@joeware.net) March 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
0 Objects returned
short warning: it should be crystal clear to anyone, that removing the SID-History values from accounts is nothing that can be undone easily. Especially if the source domain (for example an NT4 domain that you’ve migrated from) has been decomissioned. In this case you’ll only get it back by doing an authoritative restore of the respective objects from which SIDhistory was removed.
I’m not saying it shouldn’t be removed – this is certainly the goal. But I’ve seen many companies that removed SIDhistory before they were really ready to do so – i.e. there were plenty of resources that hadn’t been re-acled properly and access to public folders in Exchange was impacted as well.
So the warning is: do your homework before trying to remove SIDhistory, i.e. check the ACLs of your most critical servers and applications and don’t clean up all groups (or users) at once – you should always try accessing the target resources and applications after SIDhistory has been cleared from a few groups, only after successful access (of a user that has re-authenticated – i.e. doesn’t have the SIDs from a group’s SIDhistory in his token) continue with cleanup etc…
/Guido
Absolutely.
“short warning: it should be crystal clear to anyone, that removing the SID-History values from accounts is nothing that can be undone easily. Especially if the source domain (for example an NT4 domain that you’ve migrated from) has been decomissioned.”
But if the NT4 domain has been decommissioned, how would the user be authenticated? What good is SID History at that point? Without the source domains, SID History is useless.
Or am I missing something?
The only ways to get the sidhistory back is to do an object level restore or to rerun something to execute the DsAddSidHistory call.
The sIDHistory has nothing to do with authentication, it is authorization. When that user logs on, that SID will be inserted into their token or if you have an AD Domain that has an NT4 SID in the sIDHistory of an object, when you go to lookup that SID it will resolve to the AD object, not the NT4 domain.
Can this be targeted to a specific user? If so, will clearing a user’s sidhistory help to reduce the size of their access key, if they are having trouble accessing things because they are in too many groups? Or because it is unrelated to authentication, will this do nothing?
Sure, just set the adfind filter so that it finds that user… such as samaccountname=userid
It will reduce the size of the token but likely not by much as a user will not usually have many sidhistory values. Now if the groups all have sidhistory values too, that is a definite source of bloat and they should all be cleaned up. Other than that, look at the group memberships and clean up as necessary.