PowerShell - Copy ObjectGuid to MS-DS-ConsistencyGuid


I'm not going to go into much detail on why this is needed; I just wanted to provide a quick and easy way to automate this task with PowerShell. If you plan on using this to handle forest migrations and plan to use MS-DS-ConsistencyGuid as the source anchor in Azure AD, make sure to research these changes and test first. Azure AD Connect will require some configuration that won't be covered in this post.


This script sample can be run as a scheduled task or run by an admin as needed. It will only update group and user objects whose MS-DS-ConsistencyGuid attribute contains no value. Unlike most of my scripts, I am not looping through the domains in a forest.


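    # Copy ObjectGUID into mS-DS-ConsistencyGuid on users and groups where the attribute is empty.
    # Note: the objectClass=user clause also matches computer accounts, whose class derives from user.
    Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE))(!(mS-DS-ConsistencyGuid=*)))" -Properties mail, userPrincipalName, objectGuid, 'mS-DS-ConsistencyGuid' |
        ForEach-Object { Set-ADObject -Identity $_.DistinguishedName -Replace @{ 'mS-DS-ConsistencyGuid' = $($_.ObjectGUID) } }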


Use this to verify it worked:

    Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE)))" -Properties mail, userPrincipalName, objectGuid, 'mS-DS-ConsistencyGuid' |
        Select-Object * -First 10
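
The verification command above only lists the first ten objects. As an added example (not part of the original post), the function below compares the two attributes for every object piped into it. The function name `Get-ConsistencyGuidStatus`, the status labels and the sample objects are assumptions made for illustration.

```powershell
# Added example: classify objects by comparing mS-DS-ConsistencyGuid with ObjectGUID.
# Function name and status labels are hypothetical, not from the original post.
function Get-ConsistencyGuidStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    process {
        $raw    = $InputObject.'mS-DS-ConsistencyGuid'   # octet string, surfaced as byte[]
        $anchor = $null
        if ($null -eq $raw) { $status = 'Empty' }
        elseif (@($raw).Count -ne 16) { $status = 'Malformed' }   # a GUID is exactly 16 bytes
        else {
            $anchor = [guid]::new([byte[]]$raw)
            if ($anchor -eq $InputObject.ObjectGUID) { $status = 'MatchesObjectGuid' }
            else { $status = 'DiffersFromObjectGuid' }
        }
        [pscustomobject]@{
            Status            = $status
            DistinguishedName = $InputObject.DistinguishedName
            ObjectGUID        = $InputObject.ObjectGUID
            ConsistencyGuid   = $anchor
        }
    }
}

# Constructed sample objects standing in for Get-ADObject output (names and GUIDs are made up).
$g1 = [guid]::NewGuid(); $g2 = [guid]::NewGuid(); $g3 = [guid]::NewGuid()
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Unset,DC=example,DC=test';    ObjectGUID = $g1; 'mS-DS-ConsistencyGuid' = $null }
    [pscustomobject]@{ DistinguishedName = 'CN=Stamped,DC=example,DC=test';  ObjectGUID = $g2; 'mS-DS-ConsistencyGuid' = $g2.ToByteArray() }
    [pscustomobject]@{ DistinguishedName = 'CN=Migrated,DC=example,DC=test'; ObjectGUID = $g3; 'mS-DS-ConsistencyGuid' = $g1.ToByteArray() }
    [pscustomobject]@{ DistinguishedName = 'CN=Short,DC=example,DC=test';    ObjectGUID = $g1; 'mS-DS-ConsistencyGuid' = [byte[]](1, 2, 3) }
)
$sample | Get-ConsistencyGuidStatus | Format-Table Status, DistinguishedName, ConsistencyGuid

# Against a live domain (requires the ActiveDirectory module), reusing the post's filter:
# Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE)))" `
#     -Properties objectGuid, 'mS-DS-ConsistencyGuid' | Get-ConsistencyGuidStatus | Group-Object Status
```

A `DiffersFromObjectGuid` result is not necessarily an error: an object whose anchor was set deliberately to another value, for example during a forest migration, will report it.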
Comments (2)

  1. Jai Verma says:

    Thank you so much Chad, it is a LIFE SAVER!!!!! We are migrating users from one forest to another and users are already syncing to the tenant.

    1. Chad Cox says:

      Great, hopefully it worked for you.
