Add one more SID for active directory User

    Question

  • Hi,

    I need a PowerShell command for adding another SID to an Active Directory user.

    I have tried the command below but had no luck; I am getting an error. Please help me.

    Set-ADUser "User.Test" -sIDHistory "S-9-7-21-245123456-412699875-2393021864-987632"

    Thank you,

    Dheeraj

    Monday, December 12, 2016 9:28 AM

All replies

  • Hi,

    This attribute is protected and cannot be written to. In general, you should use specific tools like ADMT to update the SID history attribute.

    There is also the DsAddSidHistory API, which gets the primary account security identifier (SID) of a security principal from one domain (the source domain) and adds it to the sIDHistory attribute of a security principal in another (destination) domain in a different forest. You can read more about it here: Using DsAddSidHistory
    You can also check this helpful article: How to write (migrate) sidHistory with Powershell (1)
    Hope this helps!


    Monday, December 12, 2016 9:57 AM
  • And also note that Set-ADUser doesn't have any SIDHistory parameter

    https://technet.microsoft.com/en-us/library/ee617215.aspx

    Monday, December 12, 2016 11:49 AM
  • Why do you need to do this? What are you trying to accomplish?

    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA

    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, December 12, 2016 4:48 PM
    Moderator
  • Hi Dheeraj,
    As Santhosh asked: why do you want to add an additional SID for the user?
    A SID is a unique ID string that is assigned to each account created in a domain or on a local computer. For our purposes, we'll just say that the SID is how the operating system keeps track of accounts. Users refer to accounts by using the account name, but the operating system internally refers to accounts by their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local) and are never reused. So I doubt that it is possible to add an additional one, and it might also cause some major issues.
    Please see more information regarding how SID works:
    https://technet.microsoft.com/en-us/library/cc778824(v=ws.10).aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 14, 2016 2:46 AM
    Moderator
  • Wendy & Santhosh,

    First of all, thank you for your quick replies!

    Actually, what happened is that in our organization we are trying to migrate all users with mailboxes into another domain. Initially we manually created some users in the new domain. After that, users complained that their Internet Explorer flashes (opens and closes) automatically, Windows Explorer is not responding, and the user is not able to open anything on that machine, not even the C drive or another drive. Finally we took the help of the ADMT tool, with which we will migrate the rest of the users. So, obviously, users are able to work on their machines when migrated with the tool.

    Anyway, we migrated the rest of the users and mailboxes into the new domain, with no issues so far. But initially we had created around 800 users, right? Now they are complaining of the same issue (their Internet Explorer flashes (opens and closes) automatically, Windows Explorer is not responding, and the user is not able to open anything on that machine, not even the C drive or another drive), so we are thinking that we will try to export their SID from the old domain to the new domain, and so the issue will be fixed.

    Otherwise we would simply delete the user's AD account and migrate them with the tool, but then the mailbox would also be deleted; that is why we are searching for another solution. I hope you understand my situation and can suggest a way to handle this kind of issue. I am waiting for your valuable response.

    Thanks,

    Dheeraj


    Regards, Dheeraj Reddy

    Thursday, December 15, 2016 9:49 AM
  • Hi,

    Thank you for the update. According to your description, you could try using a script to copy the SID of a user in a source domain to the sidHistory of a user in a target domain. Please see:

    https://gallery.technet.microsoft.com/scriptcenter/9b338347-c012-418b-84f6-efc5a148429b

    Best regards,

    Wendy



    Monday, December 19, 2016 2:09 AM
    Moderator
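
Added example, not part of the thread or of any script linked in it: a read-only PowerShell audit for reviewing sIDHistory values in the target domain after a migration like the one discussed above. It assumes the ActiveDirectory (RSAT) module is installed and the session runs against the target domain; the function name Get-SidHistoryReport and the parameter ExpectedSourceDomainSid are hypothetical.

```powershell
# Added example: read-only review of sIDHistory on user accounts.
# Assumption: ActiveDirectory module available, run in the target (new) domain.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        # Optional: domain SID of the old (source) domain, if known.
        [string]$ExpectedSourceDomainSid
    )

    $localDomainSid = (Get-ADDomain).DomainSID.Value

    # Only accounts that actually carry a sIDHistory value are returned.
    Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.sIDHistory) {
                # AccountDomainSid is $null for SIDs that are not
                # domain-relative (for example built-in groups).
                $domainPart = $null
                if ($sid.AccountDomainSid) {
                    $domainPart = $sid.AccountDomainSid.Value
                }

                # A migrated SID should come from the source domain.
                # A SID from this same domain, or a non-domain SID,
                # is not something a normal migration produces.
                $finding = if (-not $domainPart) {
                    'NotDomainSid'
                } elseif ($domainPart -eq $localDomainSid) {
                    'SameDomain'
                } elseif ($ExpectedSourceDomainSid -and
                          $domainPart -ne $ExpectedSourceDomainSid) {
                    'UnexpectedDomain'
                } else {
                    'OK'
                }

                [pscustomobject]@{
                    SamAccountName   = $user.SamAccountName
                    ObjectSid        = $user.SID.Value
                    SidHistory       = $sid.Value
                    SidHistoryDomain = $domainPart
                    Finding          = $finding
                }
            }
        }
}

Get-SidHistoryReport | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

Accounts created by hand in the new domain will not appear in the output at all, which makes the report a quick way to separate them from the accounts that ADMT migrated.
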
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers. If you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, December 23, 2016 7:16 AM
    Moderator