Tuesday, October 23, 2012
Verifying SIDHistory of user accounts
When you're performing user and resource migration between forests joined by a trust, it's important to enable SIDHistory and disable SID quarantine (SID filtering) on the trust for the duration of the migration. Migrated users in the target forest receive new domain SIDs, so they must retain their old SIDs from the originating forest in the sidHistory attribute. This ensures that migrated users in the new target forest can still access resources in the source forest until the migration is complete. This blog post sums it up using the Active Directory Migration Tool (ADMT).
But how do you verify that the SID history of a migrated user matches the user's SID in the source forest? Replace userid below with the sAMAccountName of the migrated account.
On new target forest:
dsquery * -Filter "(samaccountname=userid)" -attr sidHistory
On source forest:
dsquery * -Filter "(samaccountname=userid)" -attr objectSid
Compare the SID values in both outputs and ensure they are the same. Note that sidHistory is a multi-valued attribute (an account migrated more than once, or through an intermediate domain, carries several entries), so the check is that the source objectSid appears among the sidHistory values on the target.
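The same comparison can be automated with the ActiveDirectory PowerShell module (RSAT), which returns the SIDs as objects rather than text to eyeball. The script below is an added example, not part of the original post or of ADMT; the domain controller names and the account name are placeholders, and it assumes the running credentials can read user objects in both forests.

```powershell
# Added example (not from the original post): confirm that a migrated user's
# sidHistory in the target forest contains the objectSid of the same account
# in the source forest. Requires the RSAT ActiveDirectory module.
param(
    [string]$SourceDc = 'dc01.source.example',   # placeholder: a DC in the source forest
    [string]$TargetDc = 'dc01.target.example',   # placeholder: a DC in the target forest
    [string]$SamAccountName = 'userid'           # placeholder: the migrated user's sAMAccountName
)

Import-Module ActiveDirectory

# objectSid of the original account, read from the source forest
$sourceUser = Get-ADUser -Server $SourceDc -Identity $SamAccountName
$sourceSid  = $sourceUser.SID.Value

# sidHistory (multi-valued) of the migrated account, read from the target forest
$targetUser  = Get-ADUser -Server $TargetDc -Identity $SamAccountName -Properties sidHistory
$historySids = @($targetUser.sidHistory | ForEach-Object { $_.Value })

if ($historySids.Count -eq 0) {
    # No history at all usually means SIDHistory was not enabled when ADMT ran
    Write-Warning "$SamAccountName has no sidHistory in the target forest."
} elseif ($historySids -contains $sourceSid) {
    Write-Output "OK: source objectSid $sourceSid is present in target sidHistory."
} else {
    Write-Warning "MISMATCH: source objectSid $sourceSid not found. Target sidHistory: $($historySids -join ', ')"
}
```

Run it once per migrated account (or wrap it in a loop over the ADMT migration list) to catch accounts whose history was not written before SID filtering is re-enabled on the trust.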