Error code: 0x5 when trying to delete a account sidhistory in ADSI Edit

    Question

  • Error code: 0x5 when trying to delete a account sidhistory in ADSI Edit
    Operation failed. Error code: 0x5
    Access is denied.
    00000005: SecErr: DSID-031A1190, problem 4003
    (INSUFF_ACCESS_RIGHT), data 0"

    I am logged in as a member of the Domain Admins group. I logged in as administrator and I still get the same message.
    The option "Protect object from accidental deletion" was checked
    Any help is appreciated.

    Thursday, July 07, 2011 7:35 AM

All replies

  • The above error looks like a permission issue. You need to uncheck the "Protect object from accidental deletion" box.

    Did you see the article below on removing it using a script?

    http://support.microsoft.com/kb/295758

     

    Regards


    MVP-Directory Services

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, July 07, 2011 10:21 AM
    Moderator
  • As you state "The option "Protect object from accidental deletion" was checked", did you check the ACEs for any Denies on that specific object?
     

    Thursday, July 07, 2011 10:25 AM
  • Thanks, Awinish.

    Question: In the current multi-domain, single-forest environment, the user has been migrated in this forest many times. We recently discovered that two users in the old domain now have the same SIDhistory. What method can I use to delete the duplicate SID? I have seen KB295758. If the KB does not fit the current situation, I only need to remove one SIDhistory value from an AD account.

    Action: I am logged in as a member of the Domain Admins group, and opened ADSIEDIT.msc, Schema partition: gave an administrator Full Control on the security attributes of SIDHistory. I logged in as administrator and I still get the same failure message.

    Operation failed. Error code: 0x5
    Access is denied.
    00000005: SecErr: DSID-031A1190, problem 4003
    (INSUFF_ACCESS_RIGHT), data 0"

    Who can help me? Thank you very much.
    Thursday, July 07, 2011 2:17 PM
  • Hi,

     

    Have you tried to right click on the attribute and switch to Security tab to verify and modify the permissions?

     

    In addition, please also refer to the following Microsoft KB article:

     

    HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows Server 2003

    http://support.microsoft.com/kb/816099

     

    Regards,


    Friday, July 08, 2011 8:59 AM
    Moderator
  • I have Full Control on the Security tab.
    Monday, July 11, 2011 12:33 AM
  • You won’t be able to delete sIDHistory value using ADSI Edit.   It is a protected attribute. You need to use a script.  Use the following script:

    http://support.microsoft.com/kb/295758


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Monday, July 11, 2011 1:07 AM
  • If your plan is to delete only one sIDHistory value, you can modify the VB script or use the following PowerShell script.

    http://technet.microsoft.com/en-us/library/powershell_remove_sid_history(WS.10).aspx

    Update filter based on your requirement - sidhistory –like “your sidhistory value”

    You can get the sIDHistory value using QSQUERY command - http://portal.sivarajan.com/2011/01/generate-sidhistory-report-using.html


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Monday, July 11, 2011 1:33 AM
  • to clear sIDHistory...
     
    adfind -default -f "sIDHistory=*" sidhistory -adcsv | admod -sc csh -unsafe
     
    download ADFIND/ADMOD from joeware.net
     

     

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    Monday, July 11, 2011 5:43 AM
    Moderator
  • Thank you very much.

    Monday, July 18, 2011 2:28 PM
  • I am experiencing the exact same issue. I need to delete a single SID history value from a user object and not all entries for that user.

    I have tried the PowerShell script and modified it for the -filter entry so that it looks like this

    Get-ADUser -filter 'sidhistory -like "S-1111-111-111"' -searchbase "dc=name,dc=name" -searchscope subtree -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}

    I get the following error in PowerShell when I execute the command

    Get-ADUser : Error parsing query: 'sidhistory -like "S-1111-111-111"' Error Message: 'Operator Not supported: ' at position: '1
    2'.
    At line:1 char:11
    + Get-ADUser <<<<  -filter 'sidhistory -like "
    S-1111-111-111"' -searchbase "dc=yyy,dc=xxx" -searchscope subtree -propertie
    s sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}
    }
        + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingEx
       ception
        + FullyQualifiedErrorId : Error parsing query: 'sidhistory -like "
    S-1111-111-111"' Error Message: 'Operator Not suppo
      rted: ' at position: '12'.,Microsoft.ActiveDirectory.Management.Commands.G
     etADUser

    I have also tried *1111 and that gives the same error

    This is not the SID that I am using but I have checked the SID with Get-ADUser -id user -property sIDHistory and input the appropriate SID value.

    Thanks

    Matt

    Tuesday, December 06, 2011 11:48 PM
  • Hello,

     

    Please read this article and use his solution.

    How To Remove SID History With PowerShell + Files

     

    regards

    Tuesday, December 06, 2011 11:57 PM
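
Added example, not part of the original thread and not taken from the linked Microsoft scripts: a PowerShell function for the single-value case asked about above. It matches the full SID with `-eq` (the parse error quoted above points at position 12, where `-like` begins), lists every object that holds the SID, and removes only that one value from the chosen object. The function name, the `DC=example,DC=com` search base and the sample SID are constructed; it assumes the ActiveDirectory module is installed and the account has rights to write sIDHistory.

```powershell
# Added example (hypothetical function name; not the thread's or Microsoft's script).
Import-Module ActiveDirectory

function Remove-SidHistoryValue {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Sid,         # full SID string to remove
        [Parameter(Mandatory = $true)][string]$SearchBase,  # DN to search under
        [string]$Identity                                   # optional: DN of the one object to change
    )

    # Reject anything that is not a well-formed SID before it reaches the filter.
    $target = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Value

    # Exact match on the complete SID; no wildcard operator is used on this attribute.
    $holders = @(Get-ADObject -Filter "sIDHistory -eq '$target'" -SearchBase $SearchBase `
                              -SearchScope Subtree -Properties sIDHistory)

    if ($holders.Count -eq 0) { Write-Warning "No object holds $target in sIDHistory."; return }
    if ($holders.Count -gt 1) { Write-Warning "$($holders.Count) objects share $target in sIDHistory." }

    foreach ($obj in $holders) {
        # When -Identity is given, leave every other holder of the SID untouched.
        if ($Identity -and $obj.DistinguishedName -ne $Identity) { continue }

        # Values that must survive the change, reported so the result can be checked.
        $others = @($obj.sIDHistory | ForEach-Object { $_.Value } | Where-Object { $_ -ne $target })

        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Remove sIDHistory value $target")) {
            # Passing only $target removes that single entry, not the whole attribute.
            Set-ADObject -Identity $obj -Remove @{ sIDHistory = $target }
        }

        New-Object PSObject -Property @{
            DistinguishedName = $obj.DistinguishedName
            TargetSid         = $target
            OtherValues       = $others
        }
    }
}

# Preview only: -WhatIf lists the holders without writing to the directory.
# The SID and base DN below are constructed sample values.
Remove-SidHistoryValue -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105' `
                       -SearchBase 'DC=example,DC=com' -WhatIf
```

Run it with `-WhatIf` first to see which objects hold the SID, then rerun with `-Identity` set to the distinguished name of the object that should lose the value.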