Comprehensive data protection for all workloads
pzabel
Lurker
Posts: 2
Liked: never
Joined: Oct 11, 2011 2:07 pm
Full Name: Phil Zabel

Restore sIDHistory attribute to AD object

Post by pzabel »

All,
Is it possible to restore sIDHistory attribute to an Active Directory object without restoring the whole object?
The sIDHistory attribute is a special field that is created while migrating an object from one domain/forest to another.
Basically, the object gets a new SID from the new domain, but retains the old SID (in sIDHistory field) so the user doesn't lose access to the original domain resources.

Veeam 9.5 update 2

Phil
pzabel
Lurker
Posts: 2
Liked: never
Joined: Oct 11, 2011 2:07 pm
Full Name: Phil Zabel

Re: Restore sIDHistory attribute to AD object

Post by pzabel »

Update: Even when I restored the entire user object, the sIDHistory attribute is blank.
Veeam tells me that the object was restored with a warning.
If I do a "Restore To" in Active Directory Restore Wizard, and I check "Selected attributes only", sIDHistory is there, but it is not selectable.

So is restore of sIDHistory not supported?

Phil
Peejay62
Expert
Posts: 235
Liked: 37 times
Joined: Aug 06, 2013 10:40 am
Full Name: Peter Jansen

Re: Restore sIDHistory attribute to AD object

Post by Peejay62 »

Hi,
I wonder, any reaction on this? I have experienced the same. Last week we had an issue causing us to try to restore SIDHistory, and this didn't work. (FWIW, another tool also failed.) SIDHistory is a very special attribute, it seems. In my tries restoring SIDHistory I noted the following:
- Restoring just the SIDHistory attribute didn't work.
- Completely removing the account (the account was tombstoned) and then restoring it would also leave SIDHistory empty.
- Restoring a very old backup of an account that was gone (and not tombstoned) did succeed; it also restored SIDHistory.
So obviously there is something special going on with SIDHistory restore.

Peter
nmdange
Veteran
Posts: 528
Liked: 144 times
Joined: Aug 20, 2015 9:30 pm

Re: Restore sIDHistory attribute to AD object

Post by nmdange »

As far as I am aware, this would be a limitation Microsoft has imposed. If you could insert arbitrary values into this attribute, it could be used maliciously to elevate to domain admin. The only way to add values is using the DsAddSidHistory API, which requires both the source domain for the SID and the destination domain for sIDHistory to be available. sIDHistory is part of a migration path, but should not be used indefinitely. Part of a domain migration must include updating ACLs that use the old domain's SIDs and eventually decommissioning the sIDHistory attribute.
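The post above describes the defensive side of sIDHistory: it is a migration aid, ACLs should be moved to the new domain's SIDs, and the attribute should eventually be removed. The following PowerShell is an added example written for this thread, not code from the thread or from Veeam or Microsoft. It assumes the ActiveDirectory RSAT module, a domain-joined session with rights to read directory objects and file ACLs, and a placeholder list of resource paths ($ResourcePaths) that you would replace with your own file shares. It inventories which objects still depend on sIDHistory, shows which ACEs on those resources still reference a historical SID (so access would break if the attribute were removed), and previews the cleanup with -WhatIf so nothing is changed until you drop that switch.

```powershell
# Added example (not from the thread): audit sIDHistory before decommissioning it.
# Assumes RSAT ActiveDirectory module and an authorized admin session.
Import-Module ActiveDirectory

# Placeholder: replace with the shares/folders whose ACLs you are migrating.
$ResourcePaths = @('\\FILESERVER\Share1', 'D:\Data')

# sIDHistory values come back as SecurityIdentifier objects from Get-ADObject,
# but older tooling may hand over raw byte arrays; normalise both to SID strings.
function ConvertTo-SidString {
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    return ([System.Security.Principal.SecurityIdentifier]$Value).Value
}

# 1. Every object that still carries at least one historical SID.
$objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectSid, sAMAccountName, objectClass

# 2. Build an inventory row per historical SID, keyed by its source domain
#    (the domain SID is the account SID with the trailing RID removed).
$inventory = foreach ($obj in $objects) {
    foreach ($raw in $obj.sIDHistory) {
        $sid   = ConvertTo-SidString $raw
        $parts = $sid -split '-'
        [pscustomobject]@{
            Object          = $obj.sAMAccountName
            Class           = $obj.objectClass
            CurrentSid      = $obj.objectSid.Value
            HistoricalSid   = $sid
            SourceDomainSid = ($parts[0..($parts.Count - 2)] -join '-')
        }
    }
}

Write-Host "Objects with sIDHistory, grouped by source domain:"
$inventory | Group-Object SourceDomainSid |
    ForEach-Object { "  {0,-45} {1,5} historical SID(s)" -f $_.Name, $_.Count }

# 3. Which ACEs still grant access via a historical SID? Those are the ACLs the
#    migration must rewrite to the current SID before sIDHistory can go away.
$historicalSids = @($inventory.HistoricalSid)
$dependentAces = foreach ($path in $ResourcePaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    # Ask for rules with the identity expressed as a SID, so unresolvable
    # (orphaned) identities from the old domain are still comparable.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $aceSid = $rule.IdentityReference.Value
        if ($historicalSids -contains $aceSid) {
            $owner = $inventory | Where-Object HistoricalSid -eq $aceSid | Select-Object -First 1
            [pscustomobject]@{
                Path        = $path
                AceSid      = $aceSid
                ResolvesTo  = $owner.Object
                ShouldBeSid = $owner.CurrentSid   # the SID the ACE should carry instead
                Rights      = $rule.FileSystemRights
                Inherited   = $rule.IsInherited
            }
        }
    }
}

Write-Host "`nACEs that still depend on sIDHistory (rewrite these first):"
$dependentAces | Format-Table -AutoSize

# 4. Preview removal. Only objects with no dependent ACE on the audited paths
#    are candidates; -WhatIf keeps this as a dry run until you remove it.
$stillNeeded = @($dependentAces.AceSid)
foreach ($row in $inventory) {
    if ($stillNeeded -contains $row.HistoricalSid) { continue }
    $obj = $objects | Where-Object sAMAccountName -eq $row.Object | Select-Object -First 1
    $sidObj = [System.Security.Principal.SecurityIdentifier]$row.HistoricalSid
    Set-ADObject -Identity $obj.DistinguishedName -Remove @{ sIDHistory = $sidObj } -WhatIf
}
```

Run the inventory and ACE report against every share that was migrated; an ACE that resolves only through a historical SID is exactly the access that silently disappears when sIDHistory is cleared (or, as in this thread, cannot be restored), so rewriting those ACEs to the current SID is the prerequisite for step 4. Keep the audit output as evidence of which SIDs were decommissioned and when.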