modify sIDHistory


Damir Kh. Shakirov

Jan 26, 2006, 10:17:01 AM
Is it possible to modify the sIDHistory attribute by means of ADSI Edit?
I wish to clone accounts from domain A into domain B by means of ADMT, and
then to copy the sIDHistory attribute of the clones into this attribute of
the already existing accounts.

Michael D'Angelo

Jan 26, 2006, 12:09:47 PM
"Damir Kh. Shakirov" <DamirKh...@discussions.microsoft.com> wrote in
message news:0146C31B-D181-414A...@microsoft.com...

You can't use ADSI Edit to do this. There is an API you must call to do it.
Here is a sample in VB.NET which will do it.

Option Explicit On

Public Module SidHist

    Public Sub ClonePrincipal(ByVal srcDC As String, ByVal srcDom As String, _
                              ByVal srcSam As String, ByVal dstDC As String, _
                              ByVal dstDom As String, ByVal dstSam As String)

        ' Create the COM object implementing ICloneSecurityPrincipal
        ' (late-bound, so this needs Option Strict Off)
        Dim clonepr As Object = CreateObject("DSUtils.ClonePrincipal")

        ' Connect to the source and destination domain controllers
        clonepr.Connect(srcDC, srcDom, dstDC, dstDom)

        ' Add the SID of the source principal to the SID history of the
        ' destination principal
        clonepr.AddSidHistory(srcSam, dstSam, 0)

    End Sub

End Module


John E Davis

Jan 31, 2006, 4:35:27 PM
Can someone explain this limitation, so to speak?

I have also run into an issue where I used ADSI Edit in order to locate the
user that I wanted to modify. After going to the properties of the user, I
selected sidHistory and pasted the octet value of the user SID that I wanted
to use. I selected Add and then Apply. I received an access denied error from
the system. The logged-in user was the Enterprise and Schema Admin.

What process is the ADMT tool using that allows it to create and append the
old SID? I don't see why you can't manually replicate that without having to
use the tool. The main reason behind this is that E-Directory is being used to
create users in AD and publish the old SID in the attribute value of the user
created SID. At any rate, I just want to know if there is an easier way to
modify SIDHistory manually, without using any tools... because E-Directory is
unable to run Windows Tools, but it can call VBS Scripts to run.

Thanks,

John
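
Added example, not part of the thread: sIDHistory stores SIDs in the same binary octet form as objectSid, so reviewing what a migration left behind starts with decoding those values. The Python below decodes them and flags entries that a clone from domain A into domain B would not be expected to produce; the domain SIDs, account names and review rules are assumptions made for illustration.

```python
import struct

def sid_from_octets(raw: bytes) -> str:
    """Decode a binary SID, as stored in objectSid and sIDHistory, to S-1-... form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])     # 32-bit each, little-endian
    return "-".join(["S-1", str(authority), *map(str, subs)])

def sid_to_octets(sid: str) -> bytes:
    """Encode S-1-... text into the octet form the directory stores."""
    fields = sid.split("-")
    if fields[:2] != ["S", "1"] or len(fields) < 3:
        raise ValueError("not a revision-1 SID string")
    authority, subs = int(fields[2]), [int(f) for f in fields[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def review_sid_history(accounts, local_domain, source_domains):
    """Return (account, sid, reason) for every sIDHistory value needing review."""
    findings = []
    for sam, history in accounts.items():
        for raw in history:
            try:
                sid = sid_from_octets(raw)
            except ValueError:
                findings.append((sam, raw.hex(), "malformed value"))
                continue
            domain, rid = sid.rsplit("-", 1)
            if domain == local_domain:
                findings.append((sam, sid, "SID from the account's own domain"))
            elif domain not in source_domains:
                findings.append((sam, sid, "domain is not a known migration source"))
            elif int(rid) < 1000:
                findings.append((sam, sid, "built-in RID (below 1000)"))
    return findings

# Constructed sample data: domain SIDs and account names are made up.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"   # migration source
DOMAIN_B = "S-1-5-21-4000000001-4000000002-4000000003"   # destination
ACCOUNTS = {
    "jdoe":    [sid_to_octets(DOMAIN_A + "-1105")],      # expected after cloning
    "svc_app": [sid_to_octets(DOMAIN_B + "-512")],       # destination's own domain
    "tmp_adm": [sid_to_octets(DOMAIN_A + "-512")],       # built-in group RID
    "legacy":  [bytes.fromhex("0105000000000005")],      # truncated value
}

if __name__ == "__main__":
    for finding in review_sid_history(ACCOUNTS, DOMAIN_B, {DOMAIN_A}):
        print(*finding, sep="  ")
```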

John E Davis

Jan 31, 2006, 5:12:27 PM
One key component that I did not add is this.

The source domain is SAMBA3 and the destination is Server 2003 AD Native Mode.

Jorge de Almeida Pinto [MVP]

Feb 1, 2006, 5:06:50 PM
Not possible to do it the way you are mentioning.

Try using the clone principal scripts from MS (VB scripts) (reskit or supp.
tools).

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"John E Davis" <JohnE...@discussions.microsoft.com> wrote in message
news:3F26FD28-26EE-4F9A...@microsoft.com...
