Post domain migration – removing sidHistory

After a successful domain migration, you may need to remove the sidHistory attributes from objects in your new domain. There are many ways to do this, and many migration tools provide that capability straight out of the box. You could of course use something like ADSIEdit to manually edit each object, but this can be time-consuming if there are more than a handful of objects to update.

I've just been through the process of a domain migration on my home setup, and being a bit of a scripting junkie didn't want to go through a manual update process (even though there were only five accounts being migrated). I used a variation of the script in knowledgebase article 295758 which performed the job admirably. Admittedly, it took me longer than a manual migration would have done when there were only five accounts, but if you're in the hundreds or even thousands, this script could save you a lot of time.
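
One way to do the bulk removal with the ActiveDirectory PowerShell module, added here as an example (it is not the script from knowledgebase article 295758, nor the author's variation of it). The search base and CSV path are placeholder values; the script writes each object's sidHistory values to a CSV as a record, then removes them, and honours `-WhatIf`.

```powershell
#Requires -Modules ActiveDirectory
# Added example: inventory and clear sidHistory after a migration.
# $SearchBase and $RecordCsv are placeholders; set them for your own domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'DC=example,DC=test',
    [string]$RecordCsv  = '.\sidHistory-record.csv'
)

# Find every object (users, groups, computers) that still carries sidHistory.
$objects = @(Get-ADObject -LDAPFilter '(sidHistory=*)' -SearchBase $SearchBase `
        -Properties sidHistory, sAMAccountName, objectClass)

if ($objects.Count -eq 0) {
    Write-Output "No objects with sidHistory found under $SearchBase"
    return
}

# Keep a record of what is about to be removed before changing anything.
$objects | ForEach-Object {
    [pscustomobject]@{
        DistinguishedName = $_.DistinguishedName
        SamAccountName    = $_.sAMAccountName
        ObjectClass       = $_.objectClass
        SidHistory        = ($_.sidHistory | ForEach-Object { $_.ToString() }) -join ';'
    }
} | Export-Csv -Path $RecordCsv -NoTypeInformation

# Remove the values object by object; -WhatIf / -Confirm are respected.
foreach ($obj in $objects) {
    $sids = @($obj.sidHistory | ForEach-Object { $_.ToString() })
    $action = "Remove $($sids.Count) sidHistory value(s)"
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, $action)) {
        try {
            Set-ADObject -Identity $obj -Remove @{ sidHistory = $sids } -ErrorAction Stop
        }
        catch {
            Write-Warning "Failed on $($obj.DistinguishedName): $($_.Exception.Message)"
        }
    }
}
```

Run it with `-WhatIf` first to list the objects that would be changed, and confirm resources have been re-permissioned to the new SIDs before removing anything.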


Comments (1)
  1. wayne byarlay says:

    I may be needing to do this soon. I’m managing a migration from NT 4.0 domains to an active directory here at the Purdue Libraries.

    My plan is to "add" security to files, folders, and shares, in case I need to revert back to the NT domain (CYA technique). However, once the AD has been up for a while and everybody’s happy, I’ll want to get rid of all those "Account Unknown" SID entries on stuff. This looks like just the trick… Of course, I believe the Security and Policy Migration Wizard would also take care of this too, but if you’re a scripting junkie I guess you’d want some .cmd way of doing things. 🙂
