How do I add SID History to user accounts already created in Windows 2000? (NETIQKB1096)

  • 7701096
  • 02-Feb-2007
  • 10-Oct-2007


How do I add SID History to user accounts already created in Windows 2000?

DMA can append SID History to accounts already created in Windows 2000 Active Directory. The key requirement is that the SAM account name in the NT 4.0 domain must be identical to the User logon name (pre-Windows 2000) attribute in the target domain. This is how it works.

During migration, any NT 4.0 source domain attribute of the user account that has a non-null value will overwrite the corresponding attribute of the Windows 2000 target account in Active Directory. A pre-task trigger must therefore be employed so that DMA writes the target domain Windows 2000 attributes to a file. Then, after the source domain NT4 SID has been appended as SID history along with the attributes from the source domain, the post-task trigger reads the original attributes and writes them back to the Windows 2000 target domain accounts.

The following is an example of pre- and post-process scripts. Together, these scripts save the original CN and displayName to a file; then, after the migration, any overwritten attributes are rewritten with the original CN and displayName. This is only an example. Scripting is not supported through Tech Support but is offered through NetIQ Custom Solutions via your Sales Representative.

Pre-Process Script

Sub PreProcess
    Dim con
    Dim rs
    Dim Com
    Dim strName

    ' Reset the varset entries
    Settings.put "GotOldValues", "No"
    Settings.put "OldCN", ""
    Settings.put "OldDisplayName", ""

    ' Set up an ADO query on the AD to get the values from the target object.
    Set con = CreateObject("ADODB.Connection")
    Set rs = CreateObject("ADODB.Recordset")
    Set Com = CreateObject("ADODB.Command")

    ' Open a Connection object.
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"

    ' Create a command object on this connection.
    Set Com.ActiveConnection = con

    ' Set the query string.
    strName = Settings.get("CopiedAccount.SourceSam")
    Com.CommandText = "<LDAP://" & Settings.get("Options.TargetDomain") & ">;(samAccountName=" & strName & ");ADsPath,sAMAccountName,cn,displayName"

    ' Set the preferences for Search.
    Com.Properties("Page Size") = 1000
    Com.Properties("Timeout") = 30 ' seconds

    ' Execute the query.
    Set rs = Com.Execute

    ' Save the display name and CN for later
    If rs.RecordCount = 1 Then
        Settings.put "OldCN", rs.Fields(2).Value
        Settings.put "OldDisplayName", rs.Fields(3).Value
        Settings.put "GotOldValues", "Yes"
    End If
End Sub

Post-Process Script

Sub Process
    Dim parentOU
    Dim pTemp
    Dim done
    Dim oldCN
    Dim oldDispName
    Dim path

    ' Check if we were successful in getting the values
    done = Settings.get("GotOldValues")
    If done = "No" Then
        ' Did not get the values, so exit
        Exit Sub
    End If

    ' Retrieve the values we saved earlier
    oldCN = Settings.get("OldCN")
    oldDispName = Settings.get("OldDisplayName")

    ' Reset the display name to the old value
    TargetObject.Put "DisplayName", oldDispName

    ' Reset the CN to the old value
    Set parentOU = GetObject(TargetObject.Parent)
    path = TargetObject.ADsPath
    Set pTemp = parentOU.MoveHere(path, "CN=" & oldCN)

    ' Update the varset with the proper values
    Settings.put "CopiedAccount.TargetName", pTemp.Name
    Settings.put "CopiedAccount.TargetPath", pTemp.ADsPath
End Sub
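
The pre-process script places the source SAM account name directly into the LDAP filter string, so a name containing filter metacharacters such as parentheses changes or breaks the lookup. The following added example (not part of the original NetIQ scripts) escapes the value per RFC 4515 before building the same command text; the function names, target.example.com and the sample account names are constructed for illustration.

```vbscript
Option Explicit

' Added example, not NetIQ code. Escapes a value for use inside an LDAP
' search filter, following RFC 4515 (\ * ( ) and NUL become \XX hex pairs).
Function EscapeLdapFilterValue(ByVal value)
    Dim i, ch, result
    result = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        Select Case ch
            Case "\"    : result = result & "\5c"
            Case "*"    : result = result & "\2a"
            Case "("    : result = result & "\28"
            Case ")"    : result = result & "\29"
            Case Chr(0) : result = result & "\00"
            Case Else   : result = result & ch
        End Select
    Next
    EscapeLdapFilterValue = result
End Function

' Builds the same ADO command text as the pre-process script, with the
' account name escaped before it is placed in the filter.
Function BuildLookupCommand(ByVal targetDomain, ByVal samName)
    BuildLookupCommand = "<LDAP://" & targetDomain & ">;" & _
        "(samAccountName=" & EscapeLdapFilterValue(samName) & ");" & _
        "ADsPath,sAMAccountName,cn,displayName"
End Function

' Constructed sample values. In the trigger these would come from
' Settings.get("Options.TargetDomain") and
' Settings.get("CopiedAccount.SourceSam").
Dim sampleNames, sample
sampleNames = Array("jsmith", "svc(backup)", "a*")
For Each sample In sampleNames
    WScript.Echo BuildLookupCommand("target.example.com", sample)
Next
```

Run the file with cscript to see the command text produced for each sample name. In the trigger, the result of BuildLookupCommand would be assigned to Com.CommandText in place of the concatenated string.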


Additional Information

Formerly known as NETIQKB1096