SS Technology Forum
Author: Subject: SID Vs SIDHistory
Viki
Junior Member
**




Posts: 3
Registered: 5/18/2011
Location: USA
Member Is Offline


[*] posted on 5/18/2011 at 07:33 PM
SID Vs SIDHistory


Can you explain the difference between SID and SIDHistory?

Thanks,
Santhosh Sivarajan
Super Administrator
*********




Posts: 299
Registered: 6/29/2009
Location: USA
Member Is Offline


[*] posted on 6/7/2011 at 10:07 AM


Please refer to the following article:
http://technet.microsoft.com/en-us/library/cc961625.aspx

When a new domain user or group account is created, Active Directory stores the account's SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object's GUID will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.

However, SIDs can sometimes change. The SID for a Group object won't change. Groups stay in the domain where they were created. But people move and when they do, their accounts can move with them. If Alice moves from North America to Europe, but stays in the same company, her account can be transferred with her. An administrator for the enterprise can simply move her User object from, say, Reskit\Noam to Reskit\Euro. If he does, the User object for Alice's account needs a new SID. The domain identifier portion of a SID issued in Noam is unique to Noam, so the SID for Alice's account in Euro has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain, so if the domain changes, the relative identifier also changes.

Thus when a User object moves from one domain to another, a new SID must be generated for the user account and stored in the Object-SID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SID-History (sIDHistory). This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the Object-SID property and another value is added to the list of old SIDs in SID-History. When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all of the SIDs associated with the user—the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All of these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, could allow or deny the user access.

Also, you can see more info and a script in my following blog:

http://portal.sivarajan.com/2010/12/powershell-script-search-active...

When a User object is migrated from one domain to another, a new SID must be generated for the user account and stored in the ObjectSID property. Before the new value is written to the property, the previous value (ObjectSID from source domain) is copied to another property of a User object, sIDHistory in the Target domain. So you can use the sIDHistory value to search the Source domain using the ObjectSID attribute to identify the corresponding user in the Source domain. In other words, the sIDHistory value will be equal to the source ObjectSID.




Santhosh Sivarajan, Microsoft MVP-Directory Services

http://blogs.sivarajan.com/
http://portal2.sivarajan.com
http://twitter.com/santhosh_sivara
http://www.linkedin.com/in/sivarajan

This posting is provided AS IS with no warranties, and confers no rights.
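The lookup described in the answer above, as an added Python example that is not part of the original post or the linked blog script: it decodes binary objectSid / sIDHistory values, splits a SID into its domain identifier and relative identifier, and pairs each target-domain sIDHistory entry with the source account whose objectSid equals it. The record layout (`name`, `objectSid`, `sIDHistory` keys) and all domain identifiers and RIDs are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (objectSid / sIDHistory value) to its S-1-... string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])       # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def str_to_sid(sid: str) -> bytes:
    """Encode an S-1-... string to binary; used here only to build sample data."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_sid(sid: str):
    """Split an account SID into (domain identifier, relative identifier)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def match_history(target_users, source_users):
    """For each target account, pair every sIDHistory SID with the source
    account whose objectSid equals it (None when no source account matches)."""
    by_sid = {sid_to_str(u["objectSid"]): u["name"] for u in source_users}
    return {u["name"]: [(s, by_sid.get(s))
                        for s in map(sid_to_str, u.get("sIDHistory", []))]
            for u in target_users}

# Constructed sample data: domain identifiers and RIDs are made up.
NOAM = "S-1-5-21-1111111111-1222222222-1333333333"
EURO = "S-1-5-21-2111111111-2222222222-2333333333"
OTHER = "S-1-5-21-3111111111-3222222222-3333333333"
source = [{"name": "NOAM\\alice", "objectSid": str_to_sid(f"{NOAM}-1105")}]
target = [
    {"name": "EURO\\alice", "objectSid": str_to_sid(f"{EURO}-2610"),
     "sIDHistory": [str_to_sid(f"{NOAM}-1105")]},
    {"name": "EURO\\bob", "objectSid": str_to_sid(f"{EURO}-2611"),
     "sIDHistory": [str_to_sid(f"{OTHER}-1200")]},   # no source account has this SID
]

if __name__ == "__main__":
    for name, pairs in match_history(target, source).items():
        for sid, owner in pairs:
            print(name, sid, "->", owner or "NO MATCH in source domain, review")
```

Because every sIDHistory value ends up in the access token, an entry that matches no account in the expected source domain is worth reviewing before it is left in place.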
Viki
Junior Member
**




Posts: 3
Registered: 5/18/2011
Location: USA
Member Is Offline


[*] posted on 6/10/2011 at 01:25 PM


Thank you!

I posted another question...:):)
Santhosh Sivarajan
Super Administrator
*********




Posts: 299
Registered: 6/29/2009
Location: USA
Member Is Offline


[*] posted on 6/10/2011 at 01:43 PM


You are welcome!:)



Santhosh Sivarajan
Super Administrator
Thread Closed
10/20/2011 at 02:12 PM
