Resolution
How do I add SID History to user accounts already created in Windows 2000?
fix
DMA can append SID History to accounts already created in Windows 2000 Active Directory. The key to accomplish this is that the SAM account name in the NT 4.0 domain must be identical to the User logon name (pre-Windows 2000) attribute in the target domain. This is how it works.
Any NT 4.0 source domain attribute of the user account that is a non-null value will overwrite the Windows 2000 target account's attribute in Active Directory during migration. This pre-task trigger must be employed so that DMA writes the target domain Windows 2000 attributes to a file. Then after the source domain NT4 SID has been appended as SID history along with the attributes from the source domain, the post-task trigger will read and write the original attributes back to the Windows 2000 target domain accounts.
The following is an example of pre & post process scripts. Together, these scripts will save the original CN & displayname to a file, then after the migration happens any overwritten attributes, will be re-written with the original CN & displayname. This is only an example. Scripting is not supported through Tech Support but is offered through NetIQ Custom Solutions via your Sales Representative.
Pre-Process Script
Sub PreProcess
Dim con
Dim rs
Dim Com
Dim strName
' Reset the varset entries
settings.put "GotOldValues", "No"
settings.put "OldCN", ""
settings.put "OldDisplayName", ""
' Setup an ADO query on the AD to get the values from the target object.
Set con = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.Recordset")
Set Com = CreateObject("ADODB.Command")
'Open a Connection object.
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
'Create a command object on this connection.
Set Com.ActiveConnection = con
'Set the query string.
strName = Settings.get("CopiedAccount.SourceSam")
Com.CommandText = "<LDAP://" & Settings.get("Options.TargetDomain") & ">;(samAccountName=" & strName & ");ADsPath,sAMAccountName,cn,displayName"
'Set the preferences for Search.
Com.Properties("Page Size") = 1000
Com.Properties("Timeout") = 30 'seconds
'Execute the query.
Set rs = Com.Execute
' save the display name and CN for later
If rs.RecordCount = 1 Then
settings.put "OldCN", rs.Fields(2).Value
settings.put "OldDisplayName", rs.Fields(3).Value
settings.put "GotOldValues", "Yes"
End If
End Sub
Post-Process Script
Sub Process
Dim parentOU
Dim pTemp
Dim done
' Check if we were successful in getting the values
done = Settings.get("GotOldValues")
if ( done = "No" ) then
'Did not get the values so exiting
Exit Sub
end if
' retrieve the values we saved earlier
oldCN = Settings.get("OldCN")
oldDispName = Settings.get("OldDisplayName")
' reset the display name to the old value
TargetObject.Put "DisplayName",oldDispName
targetObject.SetInfo
' reset the cn to the old value
Set parentOU = GetObject(TargetObject.Parent)
path = TargetObject.ADsPath
Set pTemp= parentOU.MoveHere(path, &.
quot;CN=" & oldCN)
'Update the varset with the proper values
Settings.put "CopiedAccount.TargetName", pTemp.Name
Settings.put "CopiedAccount.TargetPath", pTemp.ADsPath
End Sub