I received an email a couple of months ago from someone looking to remove SIDs from a specific domain from the sIDHistory attribute of all of their users. Here is the response I sent:
So the ability to remove SIDs from sIDHistory is very simple and basic, you basically have to supply the specific SIDs you want removed. The -sc csh shortcut in AdMod relies on the SIDs to be cleared being passed to it from AdFind. So all you need to do is to filter the output from AdFind to the specific SIDs you want cleared versus all SIDs. You do that with the -mvfilter switch… You would specify the domain portion of the SID of the domain that you want to clean the SIDs out for… So say you have a user with a SID of S-1-5-21-1757981266-299502267-1801674531-19235, the domain portion of that SID is S-1-5-21-1757981266-299502267-1801674531. So to filter and just output objects with that SID you will want to add -mvfilter sidhistory=S-1-5-21-1757981266-299502267-1801674531 combined with -recmute to filter out objects that had a sIDHistory value but not from that domain.
You send that info across to AdMod with -adcsv and specify -sc csh and you should be good. I would recommend just running the AdFind command initially to output the objects and the SIDs so you can validate the info prior to clearing it.
Note that clearing the values from sIDHistory is basically one way… Once cleared, the only way to get it back is auth restore of the objects. So be sure you want to clear them. There is no way to arbitrarily stick values in that attribute.
So the whole AdFind command for users would look something like:
adfind -b search_base -f "&(objectcategory=person)(sidhistory=*)" sidhistory -adcsv -mvfilter sidhistory=domainSID
Then combined with AdMod:
adfind -b search_base -f "&(objectcategory=person)(sidhistory=*)" sidhistory -adcsv -mvfilter sidhistory=domainSID | admod -sc csh -unsafe
joe
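As an added illustration (not AdFind/AdMod code, and not from the post), here is a small Python script that does the same "domain portion" selection over a constructed CSV dump shaped like what AdFind's -adcsv output might look like: per object it keeps only the sIDHistory values whose domain portion equals the target domain SID and drops objects that would be left with nothing to clear, which is the validation step recommended above before anything is actually cleared. The column layout, the ';' value separator and all SIDs are assumptions made for the example; the comparison is on the whole domain portion rather than a substring, so a domain SID that merely starts with the same digits is not matched.

```python
import csv
import io
import re

# Constructed sample dump (assumed layout: dn,sidhistory; multi-values joined with ';').
# Every SID here is made up for the example.
SAMPLE_CSV = """dn,sidhistory
"CN=alice,OU=Users,DC=corp,DC=example","S-1-5-21-1757981266-299502267-1801674531-19235"
"CN=bob,OU=Users,DC=corp,DC=example","S-1-5-21-1757981266-299502267-1801674531-19240;S-1-5-21-111111111-222222222-333333333-1105"
"CN=carol,OU=Users,DC=corp,DC=example","S-1-5-21-111111111-222222222-333333333-1106"
"""

# Domain-issued SID: S-1-5-21-<3 sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def domain_part(sid):
    """Return the domain portion of a SID, i.e. everything before the trailing RID."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain-issued SID: {sid}")
    return sid.rsplit("-", 1)[0]


def select_sids_to_clear(csv_text, old_domain_sid):
    """Per object, keep only the sIDHistory values issued by old_domain_sid.

    Objects whose sIDHistory holds values from other domains only are omitted,
    mirroring the intent of -mvfilter combined with -recmute described above.
    Returns {dn: [sids_to_clear]} so the result can be reviewed before clearing.
    """
    selected = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        values = [v.strip() for v in row["sidhistory"].split(";") if v.strip()]
        matching = [v for v in values if domain_part(v) == old_domain_sid]
        if matching:
            selected[row["dn"]] = matching
    return selected


def preview(csv_text, old_domain_sid):
    """Human-readable review list: one line per value that would be cleared."""
    lines = []
    for dn, sids in select_sids_to_clear(csv_text, old_domain_sid).items():
        for sid in sids:
            lines.append(f"{dn} -> clear {sid}")
    return lines


if __name__ == "__main__":
    for line in preview(SAMPLE_CSV, "S-1-5-21-1757981266-299502267-1801674531"):
        print(line)
```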