
Copying SID to SIDHistory


Rich
Nov 11, 2003, 5:38:44 PM
Hi all,

I am new to vbscript and I am trying to copy the SID from one
Domain account to the SIDhistory of an account in a different domain.

This is what I was thinking:

' Bind to the source account in the old domain (placeholder path)
Set user = GetObject(LDAP path to user in old domain)

' objectSid comes back as an OctetString (byte array)
SID = user.Get("objectSid")
WScript.Echo SID

' Bind to the target account in the new domain (placeholder path)
Set NewUser = GetObject(LDAP path to user in new domain)
NewUser.Put "sIDHistory", SID
NewUser.SetInfo

I get an error that says "a constraint violation has occurred". Like I
said, I'm a noob so I may be on the wrong path or missing some critical
steps. I would appreciate any help, or if someone has done this, maybe a
clue as to which way to approach this problem.

Thanks,

Rich

Richard Mueller [MVP]
Nov 12, 2003, 3:00:31 PM
Hi,

A couple of points. First, the objectSid attribute is syntax OctetString,
which is a byte array. VBScript cannot display (or create) a byte array.
However, VBScript can convert a byte array to a hex string, and it can copy
the value to another attribute. Second, the "sIDHistory" attribute is
multivalued. You must use the PutEx method to append the new value. For
example:

Const ADS_PROPERTY_APPEND = 3

' Bind to the source account in the old domain (replace <AdsPath>)
Set user = GetObject(<AdsPath>)

' objectSid is syntax OctetString; VBScript holds it as a byte array
SID = user.Get("objectSid")

WScript.Echo OctetToHexStr(SID)

' Bind to the target account in the new domain (replace <AdsPath>)
Set NewUser = GetObject(<AdsPath>)

' sIDHistory is multivalued, so append with PutEx rather than Put.
' PutEx takes its values as a Variant array, hence Array(SID).
NewUser.PutEx ADS_PROPERTY_APPEND, "sIDHistory", Array(SID)
NewUser.SetInfo

Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (byte array) to Hex string.
    ' Walks the bytes with the "B" (byte) string functions, two hex digits each.
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
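
Beyond the hex dump in the post, the thing you usually want is the SID in its readable S-1-... form, so you can compare the old-domain objectSid with what the new domain later shows in sIDHistory. The following is an added PowerShell example, not code from the thread or from Richard Mueller's site; it walks the binary SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities) and cross-checks the result against .NET's own parser. The byte array is a constructed sample, and the function names ConvertTo-SidString and ConvertTo-HexString are mine.

```powershell
# Added example, not code from the thread: decode an objectSid octet string
# into the usual S-1-... form by walking the binary SID layout, then
# cross-check against .NET's own parser.
#
# Constructed sample input: the byte layout of S-1-5-21-1000-2000-3000-1104.
# A real objectSid would come from $user.Get("objectSid") or Get-ADUser.
[byte[]]$objectSid = @(
    0x01, 0x05,                           # revision 1, five sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   # identifier authority 5 (NT), big-endian
    0x15, 0x00, 0x00, 0x00,               # 21
    0xE8, 0x03, 0x00, 0x00,               # 1000
    0xD0, 0x07, 0x00, 0x00,               # 2000
    0xB8, 0x0B, 0x00, 0x00,               # 3000
    0x50, 0x04, 0x00, 0x00                # 1104 (the RID), little-endian
)

function ConvertTo-SidString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8) { throw "objectSid too short to hold a SID header" }
    $revision = [int]$Bytes[0]
    $subCount = [int]$Bytes[1]
    if ($Bytes.Length -ne 8 + 4 * $subCount) {
        throw "objectSid length $($Bytes.Length) does not match $subCount sub-authorities"
    }
    # 48-bit identifier authority, stored big-endian in bytes 2..7
    [uint64]$authority = 0
    foreach ($b in $Bytes[2..7]) { $authority = $authority * 256 + $b }
    $parts = @("S-$revision-$authority")
    # Each sub-authority is a 32-bit little-endian integer (host is little-endian)
    for ($i = 0; $i -lt $subCount; $i++) {
        $parts += [string][BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    return ($parts -join '-')
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Same output as the VBScript OctetToHexStr in the post above
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

$decoded   = ConvertTo-SidString -Bytes $objectSid
# The framework parser throws on a malformed SID, so it doubles as a sanity check
$reference = (New-Object System.Security.Principal.SecurityIdentifier($objectSid, 0)).Value

"Hex:     " + (ConvertTo-HexString -Bytes $objectSid)
"Decoded: $decoded"
"Matches .NET parser: $($decoded -eq $reference)"
```

The length check matters in practice: a truncated or mis-copied octet string decodes to a plausible-looking but wrong SID if the sub-authority count is not validated against the byte length.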


Rich
Nov 12, 2003, 7:02:23 PM
Thanks for the reply Richard. The octet string to hex code
will definitely be useful. I also discovered some other
things on my own that I wanted to post for other users.
The "sIDHistory" property cannot be updated this way,
since it is a security issue. You have to use the
DsAddSidHistory API. MS has a pre-made script called
sidhist.vbs that handles it very nicely.
Here is a link for more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/using_dsaddsidhistory.asp

In the end, all I had to do was pass the correct
parameters to this script and it works great.

Thanks again for your response.

Rich


Max L. Vaughn [MSFT]
Nov 17, 2003, 3:20:27 PM
Just remember,

SidHistory is designed to be a short term fix to migration of permissions.
Users with SID history have larger Kerberos and NTLM tokens since the
SIDs in the SID history are applied to the token. Try to get to a point
where you do not need the SID history for security resolution, then delete
the SID histories altogether.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support


Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
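
To act on the advice above you first need to know which accounts still carry sIDHistory and how much each one adds to the token. The following is an added PowerShell example, not code from the thread or from Microsoft: it reports every user with a populated sIDHistory and, only when run with -Clear, removes the attribute values. It assumes the RSAT ActiveDirectory module, rights to modify sIDHistory, and a SearchBase defaulting to the current domain; the 40-byte-per-SID figure is the rough per-entry cost from Microsoft's MaxTokenSize guidance, used here only as an estimate.

```powershell
# Added example, not code from the thread: list every user carrying sIDHistory,
# estimate the extra token bytes it costs, and (only with -Clear) remove it once
# the old-domain ACLs have been re-permissioned.
# Assumptions: RSAT ActiveDirectory module, rights to write sIDHistory, and the
# 40 bytes/SID rough cost from Microsoft's MaxTokenSize guidance.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # default: whole current domain
    [switch]$Clear
)
Import-Module ActiveDirectory

# Only accounts whose sIDHistory is populated; each value is a SID the DC will
# add to the user's Kerberos PAC and NTLM token at logon.
$users = Get-ADUser -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase -Properties sIDHistory

$report = foreach ($u in $users) {
    $hist = @($u.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        CurrentSid      = $u.SID.Value
        SidHistoryCount = $hist.Count
        SidHistory      = $hist -join ';'
        ExtraTokenBytes = 40 * $hist.Count   # rough estimate, see assumptions above
    }
}

if (-not $report) {
    "No accounts under $SearchBase carry sIDHistory."
    return
}
$report | Sort-Object SidHistoryCount -Descending | Format-Table -AutoSize

if ($Clear) {
    foreach ($u in $users) {
        # Deleting sIDHistory values is an ordinary LDAP write (adding them is
        # not, which is why the thread ends up at DsAddSidHistory). -Confirm
        # prompts for each account so a stray run cannot strip a whole domain.
        Set-ADUser -Identity $u -Clear sIDHistory -Confirm
    }
}
```

Run it without -Clear first and keep the report: once sIDHistory is gone, any ACL in the old domain that still names the old SID will stop resolving for that user, and the report is the only record of which SID belonged to whom.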
