SID History

  • 831 Views
  • Last Post 4 weeks ago
venkatbabu posted this 16 March 2007

Hi all,

Is it possible to add a 'SID History' to an already established AD account? Is there any special tool / script available to perform this?

Basically, there are two accounts, A and B, present in Windows 2003 R2. I need to update the sIDHistory of account A to hold the SID of account B.

Thanks in advance,

Venkat

ZJORZ posted this 16 March 2007

first thing that comes to mind?

WHY?

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80

bdesmond posted this 16 March 2007

Jorge is on a plane, but when we discussed this earlier in the day we both were wondering why you want to do this. Can you elaborate?
Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132


ZJORZ posted this 16 March 2007

either you just MERGE accounts and sidhistory (and other attribute information) (or use the command version of ADMT to exclude other attributes)

OR

use the cloneprincipal script from MS Resource Kit

Kind regards,
Jorge de Almeida Pinto

venkatbabu posted this 16 March 2007

Hi Almeida Pinto,

Thanks for the quick response. Is it possible to use ClonePrincipal within the same domain? I want to update the SID history on the W2K3 R2 user account with another user account in the same domain.

Regards,
venkat

show

amulnick posted this 17 March 2007

Rename the users?


bdesmond posted this 17 March 2007

Seems to me your MIIS provisioning process is fundamentally broken. Research join rules and see how to modify the existing accounts.
Thanks,
Brian Desmond

venkatbabu posted this 17 March 2007

Hi Brian,

Thanks for your reply. Basically, I already have users created in AD W2K3 R2 using the naming convention of the first five letters of the surname. Now I am implementing MIIS to provision the users from Oracle HRMS, and the user ID will become the Employee Number.

In this scenario, I want to let MIIS create the user IDs (Employee Number) in W2K3 R2 and clone the user principal for the corresponding individual user IDs (surname as ID) to migrate smoothly. I will be happy if you suggest any other method to perform the same operation.

Thanks in advance,
venkat


ZJORZ posted this 17 March 2007

> Clone the user principle for those corresponding individual user ID ( Surname as ID) to migrate smoothly

You want to change from user ID1 to user ID2 for your users. I understand that. However, what is the sidhistory thing for? It must be permissions. User accounts basically do not have permissions assigned to them directly, but rather through groups. The only thing I can think of is the home directory.

You still have not explained why the SID of the old user is needed. That is the information we need to be able to answer accordingly.

Kind regards,
Jorge de Almeida Pinto

GuidoG posted this 18 March 2007

I'd say you should have received sufficient suggestions by now...

But maybe this makes it a bit clearer:

- Don't create new users just to implement synchronization between two directories
  - Security will be your smallest issue here: all other things (like user profiles) are bound to the main SID of the user (SIDhistory won't help here), so you'd just create chaos
  - I suppose you have a reason why you actually want to change the user ID and can't just use another attribute to populate with the payroll number and then use that attribute for synchronization
  - Even if you'd want to use SIDhistory, you can't do so between two accounts in the same domain: a SID can only exist once in the same domain, no matter whether as main SID or in SIDhistory (and to populate SIDhistory you need access to both accounts, so you can't delete one and then add that SID to another...)

- Instead, do this in two projects
  - First: prepare to rename your users in AD according to your new naming convention (Payroll Number)
    - This needs plenty of preparation as your users will need to understand this change; communication to the end users is key here. The benefit is that they'll keep the same password and everything else like group memberships etc.
    - Prepare the rename by using appropriate data from your HRMS system that you receive in some useful format (CSV or whatever)
    - The rename is easily done via scripts or LDIF exports / imports
    - You may want to do this in batches so you can handle the helpdesk workloads
  - Second: prepare your synchronization with MIIS
    - After you're done with project 1, you can leverage the renamed accounts to map to your HRMS database
    - Existing accounts will be mapped, new ones will be created

Hope this helps.

/Guido

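The in-place rename Guido describes, as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module (which did not exist in 2007; the same steps were done then with ADSI scripts or LDIFDE), a constructed CSV called rename-map.csv mapping the old surname-based sAMAccountName to the employee number, and a UPN suffix of corp.example; none of these come from the thread. The point it demonstrates is the one several replies make: renaming keeps objectSid, so home-directory ACLs keep working and sIDHistory never needs to be written.

```powershell
<#
  Added example, not code from the thread or from any of its posters.
  Assumptions (none of these come from the thread):
    - the ActiveDirectory PowerShell module (post-dates the 2007 thread)
    - a constructed CSV, rename-map.csv, with columns OldSam,EmployeeNumber
    - the UPN suffix corp.example
  The account is renamed in place, so objectSid never changes and every ACE
  that references it (home directory, file shares) keeps working. sIDHistory
  is never written: the old and new identity are the same object.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MappingCsv = '.\rename-map.csv',   # assumed path
    [string]$UpnSuffix  = 'corp.example'        # assumed suffix
)

Import-Module ActiveDirectory

# Constructed sample mapping, written only if the file is absent:
#   OldSam,EmployeeNumber
#   smith,100234
if (-not (Test-Path $MappingCsv)) {
    "OldSam,EmployeeNumber`nsmith,100234" | Set-Content -Path $MappingCsv
}

function Get-SidsInAcl {
    # Returns the SIDs of all explicit and inherited ACEs on a path. The
    # comparison is done on SIDs, not names, because that is what NTFS stores.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference.Value }
}

foreach ($row in Import-Csv -Path $MappingCsv) {
    $oldSam = $row.OldSam
    $newSam = $row.EmployeeNumber

    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$oldSam)" -Properties sIDHistory, homeDirectory
    if (-not $user) { Write-Warning "$oldSam not found, skipping"; continue }

    # sAMAccountName is unique per domain; refuse to rename onto an existing one.
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$newSam)") {
        Write-Warning "$newSam already exists, skipping $oldSam"; continue
    }

    $sidBefore = $user.SID.Value

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "rename to $newSam")) {
        # RDN first, then the logon names. employeeNumber is stored so the HRMS
        # synchronization can later join on it instead of creating a new object.
        Rename-ADObject -Identity $user.ObjectGUID -NewName $newSam
        Set-ADUser -Identity $user.ObjectGUID `
            -SamAccountName $newSam `
            -UserPrincipalName "$newSam@$UpnSuffix" `
            -EmployeeNumber $newSam

        $after = Get-ADUser -Identity $user.ObjectGUID -Properties sIDHistory, homeDirectory

        # The security checks: same object, same SID, nothing added to sIDHistory.
        if ($after.SID.Value -ne $sidBefore) {
            throw "SID changed for $oldSam ($sidBefore -> $($after.SID.Value)); impossible for an in-place rename"
        }
        if ($after.sIDHistory.Count -gt 0) {
            Write-Warning "$newSam carries sIDHistory $($after.sIDHistory -join ',') from an earlier migration"
        }
        if ($after.homeDirectory -and ($sidBefore -notin (Get-SidsInAcl $after.homeDirectory))) {
            Write-Warning "SID of $newSam is not in the ACL of $($after.homeDirectory); check the share"
        }
        Write-Output "$oldSam -> $newSam (SID $sidBefore unchanged)"
    }
}
```

Run it with -WhatIf first; the ShouldProcess gate skips the write path and only reports what would be renamed. Rename-ADObject changes only the RDN, so the object's GUID and SID are untouched, which is why the ACL comparison is done on SIDs via GetAccessRules rather than on account names: the name on the ACE changes, the SID behind it does not.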

venkatbabu posted this 18 March 2007

Basically, I already have users created in AD W2K3 R2 using MIIS (MSSQL 2000 connector space) with the user ID as the first five letters of the surname. Now I need to change the user ID from surname to Employee Number, and MIIS (HRMS Oracle connector space) will be used to provision the users. In this scenario, MIIS is going to create new users, as I will not be able to perform any join option: the user ID is treated here as Employee Number, relating to the surname which is already mapped to the UID. Even if I try to rename the account, it gets reverted back after the export run of the ADMA. Is there any way to retain the same SID, rename the account with the Employee Number and define the sync from HRMS Oracle?

Since I am facing problems managing this in MIIS, I was looking for the option with SIDhistory. Thanks,
venkat


venkatbabu posted this 18 March 2007

Thanks to everyone for the response.

You are right, permissions are assigned on groups, but not in all cases. There are some areas where permissions are assigned to individual users, of course for the home directory. To minimize the migration time and for a smooth changeover, I am looking for the option of adding the SID History to the newly created account.

Regards,
Venkat


bdesmond posted this 18 March 2007

This is entirely doable with MIIS. This is getting into the you
need a good consultant territory, but the bottom line is that you can write a
custom join rule for your Oracle MA and life will be good.

Thanks,
Brian Desmond

tonyszko posted this 18 March 2007

Venkat Babu wrote:
> Thanks to everyone to the response
>
> Any suggestion, how to proceed with this

Just rename your connector in AD:
http://blogs.dirteam.com/blogs/tomek/archive/2007/03/18/ad-account-connector-rename-with-miis.aspx

and flow the new attributes for sAMAccountName etc.

We have done this in a single day for a bank here with several thousand users; the scenario was almost the same.

There is no point in new accounts.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


amulnick posted this 18 March 2007

Right. That's what I can't figure out. Why the new account? What is the purpose of the new account?
Can you explain why it has to be a new account vs. a rename?

Al


venkatbabu posted this 18 March 2007

Hi Mulnick,

I will be implementing MIIS account provisioning to Active Directory from the HRMS database, so the user ID will be converted to the Payroll Number.

Regards,
venkat


amulnick posted this 18 March 2007

Babu, that doesn't tell me why you intend to create new accounts (for those that exist) vs. renaming the existing. That tells me your end goal, which I think you mentioned before.

Al


listmail posted this 18 March 2007

Hi Babu,

I agree with Al, why does this require a new userid? Why
not rename?

If you have to create a whole new userid and then do
something off on the side to merge them, I agree with Brian that your MIIS
strategy is fundamentally broken.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


venkatbabu posted this 18 March 2007

Thanks to everyone for the response.

Any suggestion on how to proceed with this?

Thanks,
Venkat


bdesmond posted this 18 March 2007

Answer the question Joe, Al, and myself have raised: why are you creating new accounts?

Thanks,
Brian Desmond


SmitaCarneiro posted this 4 weeks ago

You can have more than one value in sidHistory, not sure whether ADMT does that or you will need another tool.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906
