PowerShell – Copy ObjectGuid to MS-DS-ConsistencyGuid


 

I'm not going to go into much detail on why this is needed; I just wanted to provide a quick and easy way to automate this task with PowerShell. If you plan to use this for forest migrations and to use mS-DS-ConsistencyGuid as the source anchor in Azure AD, research these changes and test them first. Azure AD Connect will require some configuration that won't be covered in this post.

 

This sample script can be run as a scheduled task or run by an admin as needed. It only updates group and user objects whose mS-DS-ConsistencyGuid attribute contains no value. Unlike most of my scripts, I am not looping through the domains in a forest.

 

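# Copy objectGUID into mS-DS-ConsistencyGuid wherever the attribute is still empty.
# Note: (objectClass=user) also matches computer objects, which derive from the user class.
Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE))(!(mS-DS-ConsistencyGuid=*)))" `
    -Properties mail, userprincipalname, objectguid, 'mS-DS-ConsistencyGuid' | ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -Replace @{'mS-DS-ConsistencyGuid'=$($_.objectguid)}}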

Use this to verify that it worked:

# samaccountname must be requested explicitly; Get-ADObject does not return it by default.
Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE)))" `
    -Properties samaccountname, mail, userprincipalname, objectguid, 'mS-DS-ConsistencyGuid' | Select-Object `
    samaccountname, mail, objectguid, @{name='ms-ds-consistencyguid';expression={[guid]$_.'ms-ds-consistencyguid'}} -First 10

 


Comments (5)

  1. Jai Verma says:

    Thank you so much Chad, it is a LIFE SAVER!!!!! We are migrating users from one forest to another and users are already syncing to the tenant.

    1. Chad Cox says:

      Great, hopefully it worked for you.

  2. Peter Johnson says:

    I must be confused or something. When I use get-aduser to retrieve the ms-ds-consistencyguid, it shows as what appears to be a hex array. How do I convert it so I can base64 encode it to compare the value against the ImmutableID from Azure?

  3. Chad Cox says:

    get-aduser chad -Properties "ms-ds-consistencyguid" | select samaccountname, objectguid, @{name='ms-ds-consistencyguid';expression={[GUID]$_.'ms-ds-consistencyguid'}}

    you can type it as a [guid]

    1. Yas says:

      Awesome. thanks a million
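
Added example (not part of the original post or its comments): a read-only check that covers both the verification step in the post and the Base64 question in the comments. It reports whether each object's mS-DS-ConsistencyGuid matches its objectGUID and renders the stored bytes as the Base64 string that Azure AD shows as ImmutableID. The function names and the sample GUID are made up for illustration.

```powershell
# Added example; function names are hypothetical, not from the original post.
# Get-AnchorReport needs the ActiveDirectory module (RSAT) and only reads from AD.

function ConvertTo-ImmutableId {
    # Base64 of the 16 raw GUID bytes, the form Azure AD displays as ImmutableID.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -ne 16) { throw "Expected 16 bytes, got $($Bytes.Length)" }
    [Convert]::ToBase64String($Bytes)
}

function Get-AnchorReport {
    param(
        # Same scope as the verification query in the post.
        [string]$LdapFilter = '(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE)))'
    )
    Get-ADObject -LDAPFilter $LdapFilter -Properties sAMAccountName, objectGUID, 'mS-DS-ConsistencyGuid' |
        ForEach-Object {
            [byte[]]$raw = $_.'mS-DS-ConsistencyGuid'   # raw bytes, or $null when unset
            $status = if ($null -eq $raw -or $raw.Length -eq 0) {
                'Empty'                # nothing stamped yet
            } elseif ($raw.Length -ne 16) {
                'Malformed'            # not a GUID-sized value
            } elseif (([guid]$raw) -eq $_.ObjectGUID) {
                'MatchesObjectGuid'
            } else {
                'Differs'              # e.g. an anchor carried over from a source forest
            }
            [pscustomobject]@{
                SamAccountName = $_.sAMAccountName
                ObjectGuid     = $_.ObjectGUID
                Status         = $status
                # Only well-formed values are converted; otherwise the column stays empty.
                ImmutableId    = if ($status -in 'MatchesObjectGuid', 'Differs') {
                    ConvertTo-ImmutableId -Bytes $raw
                }
            }
        }
}

# Constructed sample value so the conversion can be tried without a domain.
$sample = [guid]'01234567-89ab-cdef-0123-456789abcdef'
ConvertTo-ImmutableId -Bytes $sample.ToByteArray()

# Against a domain: list objects whose anchor is missing, malformed or not the objectGUID.
# Get-AnchorReport | Where-Object Status -ne 'MatchesObjectGuid'
```

The ImmutableId column can be compared directly with the ImmutableID value of the synced cloud object, because both are the Base64 encoding of the same 16 bytes.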
