PowerShell: How do I clear the sIDHistory attribute?


What is the sIDHistory attribute?

The sIDHistory attribute is the key attribute that holds the previous SID(s) of user and group objects and that facilitates Active Directory migrations. It contains the SIDs the object used before it was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID; the previous SID is added to the sIDHistory attribute. ADMT is one tool that migrates SIDs from one domain to another; it calls the DsAddSidHistory API to accomplish this task.

However, there are times when you want to clear the sIDHistory attribute after the migration is complete, for example to avoid token bloat (the Kerberos token size threshold). Do your homework before removing sIDHistory: check the ACLs of your servers and applications, and do NOT clean up all groups (or users) at once. Always test access to the target resources and applications after sIDHistory has been cleared from a few groups/users; only after access succeeds for a user who has re-authenticated (i.e. who no longer has the SIDs from a group's sIDHistory in his token) should you proceed with a mass removal.

To clear it with PowerShell using the Quest cmdlets:

Get-QADUser user1 | %{Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_['sIDHistory']}}}

You may also pass a list of users from a text file (for groups, use the corresponding Get-QADGroup / Set-QADGroup cmdlets in the same way):

Get-QADUser (get-content users.txt) | %{Set-QADUser $_ -ObjectAttributes @{sIDHistory=@{delete=$_['sIDHistory']}}}
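A staged version of this cleanup with the Microsoft ActiveDirectory module instead of the Quest cmdlets, as an added example that is not part of the original post: it exports the current sIDHistory values to a CSV before touching anything, processes only the users in a small batch file (the "few users first" approach described above), and defaults to -WhatIf. Assumed: the RSAT ActiveDirectory module is installed, the caller may write sIDHistory, and .\batch1.txt lists one sAMAccountName per line.

```powershell
# Added example, not the original post's code: staged sIDHistory removal with
# the Microsoft ActiveDirectory module. Assumes .\batch1.txt holds one
# sAMAccountName per line (a small test batch, not the whole domain).
Import-Module ActiveDirectory

$BatchFile  = '.\batch1.txt'
$BackupCsv  = ".\sidhistory-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$WhatIfOnly = $true   # set to $false only after access tests on a previous batch succeed

$names = Get-Content $BatchFile | Where-Object { $_.Trim() }

# Step 1: audit. Collect every user that still carries sIDHistory values.
$targets = foreach ($name in $names) {
    $user = Get-ADUser -Identity $name -Properties sIDHistory -ErrorAction Stop
    if (-not $user.sIDHistory -or $user.sIDHistory.Count -eq 0) {
        Write-Host "$name has no sIDHistory, skipping"
        continue
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        ObjectSID      = $user.SID.Value
        HistorySIDs    = (($user.sIDHistory | ForEach-Object { $_.Value }) -join ';')
        User           = $user
    }
}

if (-not $targets) { Write-Host 'Nothing to clear in this batch.'; return }

# Step 2: back up before removal. sIDHistory cannot simply be typed back in;
# re-adding it requires DsAddSidHistory (e.g. via ADMT), so keep a record.
$targets | Select-Object SamAccountName, ObjectSID, HistorySIDs |
    Export-Csv -Path $BackupCsv -NoTypeInformation
Write-Host "Backed up $($targets.Count) user(s) to $BackupCsv"

# Step 3: clear the attribute. -Clear removes all values of sIDHistory on the object.
$opt = @{}
if ($WhatIfOnly) { $opt.WhatIf = $true }
foreach ($t in $targets) {
    Set-ADUser -Identity $t.User -Clear sIDHistory @opt
}

# After a real run, have the affected users log off and on again so their new
# token no longer carries the old SIDs, then verify resource access before the
# next batch.
```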