Saturday, July 19, 2014

SID HISTORY: AD

Last steps in fixing SID history: confirm that nothing still depends on the old-domain SIDs, remove the sIDHistory attribute, and verify that group membership survived the cleanup. Once every resource has been re-permissioned to the new-domain SIDs, the retained sIDHistory values only grant access that nothing should depend on any more, so the attribute is the last thing to go.



# Export AD group membership. You MUST use the Quest AD cmdlets (Get-QADGroup / Get-QADGroupMember)
# because the stock Microsoft AD module's Get-ADGroupMember fails for groups that have unresolved
# SIDs as members: it reports success and returns no data, so exactly the groups you need to look at
# would silently drop out of the export.
# The export is wrapped in a function because it is run twice (before and after the cleanup).
function Export-GroupMembership {
    param([string]$Path)
    $Data = foreach ($SingleGroup in (Get-QADGroup -SizeLimit 0)) {
        Get-QADGroupMember -SizeLimit 0 $SingleGroup |
            Select-Object @{Name='Group SamAccountName';Expression={$SingleGroup.SamAccountName}},
                          @{Name='Group Name';Expression={$SingleGroup.Name}},
                          @{Name='Group SID';Expression={$SingleGroup.SID}},
                          Type, SamAccountName, Name, SID
    }
    $Data | Sort-Object 'Group SamAccountName', SamAccountName |
        Export-Csv -Encoding Unicode -NoTypeInformation $Path
}

Export-GroupMembership adgroups-pre.csv

# Review adgroups-pre.csv for members that are still SIDs from the old domains (a bare SID with no
# SamAccountName or Name resolved next to it) and fix them: replace each one with the migrated account
# or group it stands for, so that no membership relies on sIDHistory to resolve.

# Delete SID history.. DANGER, WILL ROBINSON! sIDHistory can be cleared with an ordinary write, but it
# can only be populated again by the migration API against a trusted source domain, so make sure the
# re-ACLing of resources is really complete before this step.
# Follow instructions here: http://blogs.technet.com/b/ashleymcglone/archive/2011/11/23/how-to-remove-sid-history-with-powershell.aspx

# Re-export AD group membership for comparison
Export-GroupMembership adgroups-post.csv

# Diff adgroups-pre.csv against adgroups-post.csv and make sure no new unresolved SIDs appeared.

# Do the same check for other kinds of rights: mailbox permissions, public folders, distribution lists, etc.
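The two "review the CSV" steps above are done by eye in the post. As an added example (my code, not part of the original post), here is PowerShell that makes them mechanical: it reads the old-domain SID prefixes off the sIDHistory values that still exist (so it must be run before the cleanup), flags export rows whose member is unresolved or still carries an old-domain SID, and diffs the pre and post exports. It assumes the stock ActiveDirectory module is available for reading sIDHistory, that the CSVs come from the export above, and uses the file names adgroups-pre.csv / adgroups-post.csv; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and the
# CSV layout produced by Export-GroupMembership above (columns: Group SamAccountName,
# Group Name, Group SID, Type, SamAccountName, Name, SID).
Import-Module ActiveDirectory

# 1. Collect the old-domain SID prefixes from every sIDHistory value still in the directory.
#    Run this BEFORE clearing sIDHistory and keep the output; afterwards the values are gone.
function Get-OldDomainSids {
    $prefixes = @{}
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            foreach ($sid in $_.sIDHistory) {
                # Domain SID = account SID with the trailing RID removed.
                $domainSid = ([System.Security.Principal.SecurityIdentifier]$sid).AccountDomainSid
                if ($domainSid) { $prefixes[$domainSid.Value] = $true }
            }
        }
    return @($prefixes.Keys)
}

# 2. Flag unresolved members in an export: a row with no SamAccountName, or whose SID sits in
#    one of the old domains, still points at the pre-migration identity and needs fixing.
function Find-UnresolvedMembers {
    param([string]$Path, [string[]]$OldDomainSids)
    foreach ($row in Import-Csv -Path $Path) {
        $memberSid = [string]$row.SID
        $fromOldDomain = $false
        foreach ($d in $OldDomainSids) {
            if ($memberSid -like "$d-*") { $fromOldDomain = $true }
        }
        if ([string]::IsNullOrWhiteSpace($row.SamAccountName) -or $fromOldDomain) { $row }
    }
}

# 3. Compare the pre and post exports on (group, member, member SID). Any row present in only
#    one file means the cleanup changed effective access and must be explained before sign-off.
function Compare-Membership {
    param([string]$Before, [string]$After)
    $cols = 'Group SamAccountName', 'SamAccountName', 'SID'
    Compare-Object -ReferenceObject (Import-Csv $Before) -DifferenceObject (Import-Csv $After) -Property $cols |
        Select-Object -Property (@(@{Name='Where';Expression={ if ($_.SideIndicator -eq '<=') { 'pre only' } else { 'post only' } }}) + $cols)
}

# Before the cleanup: learn the old domain SIDs and list what still has to be fixed.
$oldDomains = Get-OldDomainSids
Write-Host "Old domain SIDs seen in sIDHistory: $($oldDomains -join ', ')"
$oldDomains | Set-Content old-domain-sids.txt
Find-UnresolvedMembers -Path adgroups-pre.csv -OldDomainSids $oldDomains | Format-Table -AutoSize

# After the cleanup and the second export: an empty result here is the goal.
Compare-Membership -Before adgroups-pre.csv -After adgroups-post.csv | Format-Table -AutoSize
Find-UnresolvedMembers -Path adgroups-post.csv -OldDomainSids (Get-Content old-domain-sids.txt) | Format-Table -AutoSize
```

The same Find-UnresolvedMembers check applies unchanged to any other export that has SamAccountName and SID columns (mailbox permissions, public folder ACLs, distribution lists), which is how the last step above can be done without scanning each file by hand.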
