Resolution
How would I confirm that SID History was migrated if I have the Windows 2000 Support Tools installed?
fix
The following is one way to see if SID history has been migrated using the Active Directory Administration Tool included with the Windows 2000 Support Tools.
Follow these instructions after installing the Windows 2000 Support Tools found on the Windows 2000 Server CD:
- Launch the application by going to Start > Windows 2000 Support Tools > Tools > Active Directory Administration Tools.
- Once the "ldp" tool is launched, click on 'Connection' then click on 'Connect'.
- Select a DC to connect to and use port 3268 (this is the LDAP port for the Global Catalog).
- Click 'Connection' again and then 'Bind'.
- Type in an Administrator Username, Password and Domain name. Make sure the Domain checkbox is checked. Click OK
- Next click 'View' and select 'Tree'. Leave the entries blank and click OK.
You should now have a Tree View in the left pane. Select the OU where the User resides and click on the User. You will now be able to see the Object SID property as well as the SID History property (if the user was migrated with SID history). The following is an example what will appear.
4> objectClass: top; person; organizationalPerson; user;
1> objectGUID: 276f4195-0fdd-4ec4-a1e9-063b84a5aa55;
1> objectSid: S-15-3115E3FC-6BC5C62-323E04BE-4B0;
1> primaryGroupID: 513;
1> name: User1;
1> sAMAccountName: User1;
1> sAMAccountType: 805306368;
1> sIDHistory: S-15-7CEE27F9-2C670F50-5251062E-49A;
1> userAccountControl: 66048;
1> userPrincipalName: User1@W2KDomain.local;
1> uSNChanged: 5094;
1> uSNCreated: 5080;
If a user has access to a share or file through a group, that group needs to be migrated with the user in order for the group SID history to be attached to the user's access token.
Please contact Technical Support to create a Support Request for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.