How do I verify an account has SID history?
Domain Migration Administrator 7.x
SID history is an attribute of a user or group that is available in a native mode Windows Active Directory domain. When using Domain Migration Administrator (DMA) to migrate SID history, this attribute can be populated with the SID of the source object.
Below are a few methods for determining if an account has the SID history attribute populated:
1. Run the Sid History report in DMA
- Expand 'Global Reporting'.
- Expand 'Domain Status'.
- Right-click the Sid History report.
- Select Generate this report.
2. Use the ADSI Edit tool, one of the Windows 2000 Support Tools that can be installed from a Windows 2000 CD.
- Open ADSI Edit.
- Expand the domain.
- Locate and expand the container with the user and/or group.
- Right-click a user or group.
- Select Properties.
- View the sIDHistory property.
If the value is populated, then that object has SID History. If the value is 'not set', then the SID History attribute is not populated.
3. Perform a test using an actual migrated user account to determine access with and without SID history:
- Log in to a computer using the migrated user account, verify that it can access resources that are still located in the source domain, and log off.
- Run the 'Remove SID History' wizard within DMA and specify the user account (or specify a group if groups are used for permissions to access the resource).
- Log back in to the first computer using the migrated user account and try to access the resource again. If an 'access is denied' message is received, the previous access was allowed because of the SID history attribute; once the value was removed from SID history, access was no longer allowed.
- To restore SID history to the user or group from which it was removed, migrate the user or group again, selecting to migrate account SID, and using Replace and Update mode.
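The sIDHistory check from method 2 can also be run across a whole domain or OU from PowerShell. The script below is an added example, not part of DMA or the original article. It assumes the Microsoft ActiveDirectory module (RSAT) is installed and the target domain is reachable through it; the function name Get-SidHistoryAccount and its parameters are hypothetical.

```powershell
# Added example: list every user and group whose sIDHistory attribute is populated.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain being checked.
Import-Module ActiveDirectory

function Get-SidHistoryAccount {
    param(
        [string]$Server,      # optional: domain or domain controller to query
        [string]$SearchBase   # optional: distinguished name of an OU to limit the search
    )

    # (sIDHistory=*) matches only objects where the attribute has at least one value,
    # the same condition ADSI Edit shows as anything other than 'not set'.
    $query = @{
        LDAPFilter = '(sIDHistory=*)'
        Properties = 'sIDHistory'
    }
    if ($Server)     { $query.Server     = $Server }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $objects = @(Get-ADUser @query) + @(Get-ADGroup @query)

    foreach ($object in $objects) {
        # sIDHistory is multi-valued: an account migrated more than once
        # can carry several source SIDs, so emit one row per value.
        foreach ($oldSid in $object.SIDHistory) {
            [pscustomobject]@{
                Name            = $object.SamAccountName
                ObjectClass     = $object.ObjectClass
                CurrentSid      = $object.SID.Value
                HistoricalSid   = $oldSid.Value
                # Domain portion of the historical SID; compare it with the
                # source domain's SID to confirm where the value came from.
                SourceDomainSid = $oldSid.AccountDomainSid.Value
            }
        }
    }
}

# No output means no user or group in scope has SID history.
Get-SidHistoryAccount |
    Sort-Object SourceDomainSid, Name |
    Format-Table -AutoSize
```

Running it before and after the 'Remove SID History' wizard in method 3 shows whether the value was actually cleared from the account.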