How to remove specific domain SID history on a large scale?

In an attempt to reduce future token bloat issues (no issues yet) and reduce our directory's attack surface I've been tasked with removing specific SID history. I've found a command that removes the entire thing, and the ADMT and ADSI tools remove individual accounts one at a time, but I have 6,200 SID histories that need to be removed, and I cannot run the straight "clear attribute" command as there are still about 800 SID histories we need. So, does anyone know the best method of removing specific domain SID history on a large scale?

My three best leads thus far are:

  1. Remove specifically by domain: Use Get-SIDHistory to target the removal population with a specific query. Second, pipe the output to Remove-SIDHistory. bit.ly/ucL2Df
  2. Remove specifically by CSV: I'm unable to find a script that allows me to remove by user and SID history specifically. The closest script I've found is here (shariqsheikh.com/blog/index.php/201012/powershell-how-do-i-clear-sidhistory-attribute/), but that one listed still only removes the attribute entirely, and not specifically by domain/SID.
  3. Using JoeWare's free AdFind and AdMod tools (http://www.joeware.net/freetools/). This is probably my best bet, but because it is a third-party application I'm not sure how it'll be received in our environment.

Anyone have experience with those options, or have healthy alternatives? I've read all of PFE Ashley McGlone's SID blog posts (blogs.technet.com/b/ashleymcglone/), and every relevant search result on both Bing and Google for a few pages deep. Not too many options at this point.

Thanks for ANY input you guys have!

February 11th, 2013 7:19pm

Oddly enough, I just finished reviewing a chapter for a forthcoming PowerShell Deep Dive book - the chapter was written by Ashley and it describes how to remove SID history.

The basic approach is this:

1. Identify the servers involved in your AD migration.

2. Install Active Directory Migration Tool somewhere but NOT a DC.

3. Create a SID mapping file.

4. Run the ADMT security translation wizard against the old servers using the sid mapping file you just created.

5. With the ACLs 'fixed', purge SID history from users and groups, slowly and gradually. Start with a small test group and go from there. And ALWAYS have a backup plan.

HTH

February 11th, 2013 7:36pm

Hey Tom,

Thanks for taking the time to respond. Does the ADMT allow individual domain SIDs to be removed? I thought I read somewhere that it is only able to purge the attribute entirely, and not specifically. We've got users who still need access to certain older domains, but still need the old old domain entirely removed.

Thanks!

February 11th, 2013 8:35pm

I am not certain if the ADMT tool allows you to remove a single SID at a time - you could ask that question over in the AD forums.

If you are large enough, you might consider getting help from MSFT - to ensure what you do continues to be supportable.

February 11th, 2013 8:39pm

There is this article by Ashley on what looks like a one-liner that will delete specific domain SIDs, but it's not catered to QAD.

http://blogs.technet.com/b/ashleymcglone/archive/2011/12/22/powershell-module-for-working-with-ad-sid-history.aspx

February 11th, 2013 10:39pm

Hi CEE JAY JAY,

My article on removing SID history explains how to do this selectively by a number of different criteria, including by old domain.  Have you read this one?

http://blogs.technet.com/b/ashleymcglone/archive/2011/11/23/how-to-remove-sid-history-with-powershell.aspx

It looks like this is what you are referring to in your option #1 above. Does that not meet your requirements? If not, what functionality are you missing?

To remove everything except the 800 you want to keep you could do a multiple step process like this:

1. Export-SIDMapping

2. Manually remove the 800 entries that you want to keep from the SIDReport.csv file.

3. Import-CSV .\SIDReport.csv | Select distinguishedName, @{name='SID';expression={$_.OldSID}} | Remove-SIDHistory

Off the top of my head that's one way to do it en masse while still being selective. Please test in a lab first and verify that it works for you as needed.

Ashley McGlone, Microsoft PFE

http://aka.ms/GoateePFE

February 12th, 2013 12:41am
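A worked version of the three-step process above, posted here as an added example rather than code from Ashley's module or from anyone in this thread. It assumes the SIDReport.csv written by Export-SIDMapping carries at least the columns distinguishedName and OldSID (the step 3 one-liner depends on exactly those two), and that Remove-SIDHistory accepts pipeline objects with distinguishedName and SID properties, as in that one-liner. The CSV rows and the two domain SIDs are constructed placeholders, and Get-DomainSIDFromSID is a helper defined here. Instead of hand-deleting the 800 keepers from the report, it keeps or removes each entry based on which old domain it came from, which is the "14 retired domains out of 30" split described later in the thread:

```powershell
# Added example, not Ashley McGlone's module code. Assumes SIDReport.csv has
# distinguishedName and OldSID columns and that Remove-SIDHistory takes
# pipeline objects with distinguishedName and SID properties.

# Constructed sample of a SID report (stand-in for: Import-Csv .\SIDReport.csv).
$sampleReport = @'
distinguishedName,samAccountName,OldSID,NewSID
"CN=User One,OU=Staff,DC=corp,DC=example",user1,S-1-5-21-1111111111-2222222222-3333333333-1104,S-1-5-21-9000000000-8000000000-7000000000-5001
"CN=User One,OU=Staff,DC=corp,DC=example",user1,S-1-5-21-4444444444-5555555555-6666666666-1201,S-1-5-21-9000000000-8000000000-7000000000-5001
"CN=User Two,OU=Staff,DC=corp,DC=example",user2,S-1-5-21-4444444444-5555555555-6666666666-1350,S-1-5-21-9000000000-8000000000-7000000000-5002
"CN=Group A,OU=Groups,DC=corp,DC=example",groupa,S-1-5-21-7777777777-8888888888-9999999999-2001,S-1-5-21-9000000000-8000000000-7000000000-6001
'@
$report = $sampleReport | ConvertFrom-Csv

# Domain SIDs of the phased-out domains (placeholder values; fill in your own list).
$retiredDomainSIDs = @(
    'S-1-5-21-1111111111-2222222222-3333333333',
    'S-1-5-21-7777777777-8888888888-9999999999'
)

function Get-DomainSIDFromSID {
    # Strip the trailing RID so an account or group SID can be matched to its domain SID.
    param([Parameter(Mandatory=$true)][string]$SID)
    return ($SID -replace '-\d+$', '')
}

# Removal set: only entries whose old domain is retired, shaped for Remove-SIDHistory.
$toRemove = @($report |
    Where-Object { $retiredDomainSIDs -contains (Get-DomainSIDFromSID $_.OldSID) } |
    Select-Object distinguishedName, @{Name='SID'; Expression={$_.OldSID}})

# Everything else stays on the objects; keep the list so the split can be reviewed.
$toKeep = @($report |
    Where-Object { $retiredDomainSIDs -notcontains (Get-DomainSIDFromSID $_.OldSID) })

# Review before touching AD: per-domain counts plus the exact entries queued for removal.
$toRemove | Group-Object { Get-DomainSIDFromSID $_.SID } |
    Select-Object @{Name='DomainSID'; Expression={$_.Name}}, Count | Format-Table -AutoSize
$toRemove | Export-Csv .\SIDHistory-ToRemove.csv -NoTypeInformation
"Queued for removal: $($toRemove.Count)   Kept: $($toKeep.Count)"

# After the review file is approved (and the run has been tested in a lab),
# the same objects feed the removal exactly as in step 3:
# $toRemove | Remove-SIDHistory
```

With the sample rows this queues two entries (user1's first entry and Group A's) and keeps the two from the still-active domain, so user1 ends up with one SID history value rather than none. The review CSV is the artifact to keep alongside a backup of the report itself, since the removal is not reversible from AD once the values are gone.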

Hey Ashley,

I appreciate your reply. I must have read that article more than a few times. I interpreted it as removing the entire SID history attribute by specified domain, and not selectively, as in clearing out the entire SID history attribute. But rereading it I now see this line: "This allows us to identify and target specific SID history entries when a user has been migrated more than once."

So, even if an object has multiple SID history entries and I want to delete two out of the three listed, I can do that by (basically) rewriting some of those get-sidhistory commands you posted. For example:

  • Get-SIDHistory DomainSID S-1-5-21-2371126157-4032412735-3953120161

Is this correct?

February 12th, 2013 4:31pm

That is correct.  The Remove-SIDHistory function will only remove the multi-valued entry that is passed into it.  By specifying the domain SID in the Get-SIDHistory function you would only impact those entries when piping into Remove-SIDHistory.

Ashley McGlone, Microsoft PFE

http://aka.ms/GoateePFE

February 12th, 2013 4:39pm

So that clears the entry in its entirety? We need some SID history entries still kept, while having the majority of them removed.

We had around 30 domains, and 14 are being or have been phased out. We need to remove SID history associated with those 14 domains while still keeping the active domains. I ran that Sid_History mapping script you posted, and we have 7k SID history entries, and matching the 14 domain SIDs to that list, there are 6k that need to be removed.

If I run that Remove-SIDHistory it sounds like it will remove all SID history for that user, PERIOD. Or will it ONLY remove the specific phased-out domains while retaining active domains?

I don't mean to make it seem like I'm re-asking what may have already been answered, I just want to be absolutely sure before I present the plan.

Thanks for taking the time to respond!


EDIT: Thinking about it more, I may just have the wrong idea of SID history. I've never dealt with it prior to researching how to remove it, last week. I imagine it as a field/attribute stored in the object. The entire SID is stored in this field: new SID, old SID, old OLD SID, all in one field. If we were to run that Remove-SIDHistory, it would clear out that entire SID history field, removing both the relevant SID history entry (or entries) AND the one we actually want removed. Is this understanding correct, or am I off base, here? Again, thanks for taking the time to help this young tech!
  • Edited by CEE JAY JAY Tuesday, February 12, 2013 5:40 PM
February 12th, 2013 4:51pm

One more time...    :-D

See this screenshot from ADSIEDIT featuring a user who has been migrated twice. You can see two SID history entries in the multi-value attribute.

Use Get-SIDHistory to query for exactly the entries you want to remove.

Pipe that to Remove-SIDHistory.

Only those entries will be removed. All other entries will remain.

Hope this helps.  :-D

February 12th, 2013 5:53pm

Ohhhhhhhh... yes, that makes much more sense. I really appreciate you putting up with my ignorance in this, Ashley!

I will now labor to understand how to best fit that code to our environment!

February 12th, 2013 5:56pm

As an update, here is the script that is going to be used for the process:

# sID history deletion for users
# One sAMAccountName per line; the list is built from the SID history report.
$accounts = Get-Content "\\***directory***\sid-users.txt"

foreach ($account in $accounts){
    # Reads every sIDHistory value currently on the user and deletes all of them,
    # i.e. this clears the whole attribute for each listed account.
    Get-QADUser $account | %{Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_['sIDHistory']}}}
}

I am importing the content by running the sID history report, pulling the names as needed, and then putting them into a plain txt file for the script to pull from.

March 5th, 2013 4:32pm
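The script above clears the whole sIDHistory attribute for every listed account, which only fits users whose remaining entries all come from retired domains. Below is an added example (not the poster's script, and not from Ashley's module) that keeps the same Quest cmdlets and input file but deletes only the values belonging to retired domains, leaving entries from still-active domains on the object. It assumes the Quest AD cmdlets are loaded, that `$user['sIDHistory']` returns the attribute's values (as the original script relies on), that `-ObjectAttributes @{sIDHistory=@{delete=<array>}}` deletes exactly the listed values when given an array instead of the whole attribute, and that the values convert to SID strings with `[string]`. The domain SIDs are placeholders, and Get-DomainSIDFromSID and Get-RetiredSIDHistory are helpers defined here.

```powershell
# Added example: selective per-user sIDHistory removal with the Quest cmdlets.
# Not the thread poster's script. Assumes Get-QADUser/Set-QADUser are loaded and
# that delete=<array> removes only the listed multi-valued entries.

# Domain SIDs of the phased-out domains (placeholder values; supply your own list).
$retiredDomainSIDs = @(
    'S-1-5-21-1111111111-2222222222-3333333333',
    'S-1-5-21-7777777777-8888888888-9999999999'
)

# Same input as the original script: one account name per line.
$accounts = Get-Content "\\***directory***\sid-users.txt"
$logFile  = ".\sidhistory-removal.log"

function Get-DomainSIDFromSID {
    # Drop the trailing RID so an entry can be matched against a domain SID.
    param([Parameter(Mandatory=$true)][string]$SID)
    return ($SID -replace '-\d+$', '')
}

function Get-RetiredSIDHistory {
    # Returns only the sIDHistory values on $User that belong to a retired domain.
    param([Parameter(Mandatory=$true)]$User)
    $values = @($User['sIDHistory'] | ForEach-Object { [string]$_ })
    return @($values | Where-Object { $retiredDomainSIDs -contains (Get-DomainSIDFromSID $_) })
}

foreach ($account in $accounts) {
    # Ask for sIDHistory explicitly so the attribute is populated on the returned object.
    $user = Get-QADUser $account -IncludedProperties sIDHistory
    if (-not $user) {
        Write-Warning "Account not found: $account"
        continue
    }

    $retired = Get-RetiredSIDHistory $user
    if ($retired.Count -eq 0) {
        # Nothing from a retired domain on this account; active-domain entries stay untouched.
        continue
    }

    # Record exactly which values are removed from which account before changing anything.
    Add-Content -Path $logFile -Value "$account : removing $($retired -join ', ')"

    # Delete only the retired-domain values; the remaining entries are left in place.
    Set-QADUser $user -ObjectAttributes @{ sIDHistory = @{ delete = $retired } }
}
```

The log file is the rollback record: each line holds the account and the SID values taken from it, which is what you would need to re-add them if a domain turns out not to be retired after all. Run it against the small test group first, as suggested earlier in the thread, and diff the log against the SID history report before moving to the full list. The ActiveDirectory module form of the same per-value removal is Set-ADObject with the -Remove parameter (`Set-ADObject -Identity <dn> -Remove @{sIDHistory=<values>}`); which of the two value types it accepts for sIDHistory should be checked in the lab as well.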

Check this out:

http://www.schneider-soft.de

SID-Histories GUI-Based Tool

June 8th, 2015 10:26am

