All,
Is it possible to restore sIDHistory attribute to an Active Directory object without restoring the whole object?
The sIDHistory attribute is a special field that is created while migrating an object from one domain/forest to another.
Basically, the object gets a new SID from the new domain, but retains the old SID (in sIDHistory field) so the user doesn't lose access to the original domain resources.
Veeam 9.5 update 2
Phil
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 11, 2011 2:07 pm
- Full Name: Phil Zabel
- Contact:
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 11, 2011 2:07 pm
- Full Name: Phil Zabel
- Contact:
Re: Restore sIDHistory attribute to AD object
Update: Even when I restored the entire user object, the sIDHistory attribute is blank.
Veeam tells me that the object was restored with a warning.
If I do a "Restore To" in Active Directory Restore Wizard, and I check "Selected attributes only" sIDHistory is there, but is is not selectable.
So is restore of sIDHistory not supported?
Phil
Veeam tells me that the object was restored with a warning.
If I do a "Restore To" in Active Directory Restore Wizard, and I check "Selected attributes only" sIDHistory is there, but is is not selectable.
So is restore of sIDHistory not supported?
Phil
-
- Expert
- Posts: 235
- Liked: 37 times
- Joined: Aug 06, 2013 10:40 am
- Full Name: Peter Jansen
- Contact:
Re: Restore sIDHistory attribute to AD object
Hi,
I wonder, any reaction on this? I have experienced the same. Last week we had an issue causing us to try restore SIDHistory and this didn't work. (FWiW, another tool also failed.) SIDHistory is a very special attribute it seems. In my tries restoring SIDHistory I noted the following: Just SIDHistory attribute didn't work. Completely removing the account (the account was tombstoned) and then restore it would also leave SIDHistory empty Restoring a very old backup of an account that was gone (and not tombstoned) did succeed, It also restored SIDHistory. So obviously there is something special going on with SIDHistory restore.
Peter
I wonder, any reaction on this? I have experienced the same. Last week we had an issue causing us to try restore SIDHistory and this didn't work. (FWiW, another tool also failed.) SIDHistory is a very special attribute it seems. In my tries restoring SIDHistory I noted the following: Just SIDHistory attribute didn't work. Completely removing the account (the account was tombstoned) and then restore it would also leave SIDHistory empty Restoring a very old backup of an account that was gone (and not tombstoned) did succeed, It also restored SIDHistory. So obviously there is something special going on with SIDHistory restore.
Peter
-
- Veteran
- Posts: 528
- Liked: 144 times
- Joined: Aug 20, 2015 9:30 pm
- Contact:
Re: Restore sIDHistory attribute to AD object
As far as I am aware, this would be a limitation Microsoft has imposed. If you could insert arbitrary values into this attribute, it could be used maliciously to elevate to domain admin. The only way to add values is using the DsAddSidHistory API, which requires both the source domain for the SID and the destination domain for sIDHistory to be available. sIDHistory is part of a migration path, but should not be used indefinitely. Part of a domain migration must include updating ACLs that use the old domain's SIDs and eventually decommissioning the sIDHistory attribute.
Who is online
Users browsing this forum: Bing [Bot], Google [Bot], Johnny L and 82 guests