
Working with AD: searching by the sIDHistory attribute

This post describes my approach to working with the Active Directory attribute sIDHistory: specifically, finding the object that a given sIDHistory value refers to.

But first, a few words about the attribute itself. sIDHistory holds the SIDs an object had in its previous domain(s). It exists to preserve the correspondence between objects when accounts and groups are migrated from one domain or forest to another.

What does this give us? The ability not to re-assign permissions on resources but to leave them as they are: the SIDs stored in sIDHistory are added to the user's access token at logon, so ACLs that still reference the old SID keep matching. One caveat for the cross-forest case: SID filtering is enabled by default on forest trusts and strips SIDs belonging to the other forest out of the token, sIDHistory included, so a migration that relies on sIDHistory across a forest trust needs that filtering relaxed for the duration of the migration, which carries its own security cost.
Example: in the A.local domain there is a group A-G1 that contains the user A-U1.
There is a file share \\server01\share to which access is granted to the group A-G1.
Suppose we migrated to the B.local domain, created the user B-U1 there and populated his sIDHistory attribute with the SID of the user A\A-U1.

Now the user B\B-U1 can open \\server01\share without any additional steps.

Now suppose 5000 users have been migrated, some of them renamed outright, and to the administrator sIDHistory looks like a heap of meaningless numbers. Working out by eye which user in domain A corresponds to which user in domain B is simply not feasible. The same numbers also deserve a security look: any SID placed in sIDHistory, including the SID of a privileged group, ends up in the user's token, so an unexpected value there grants access exactly as effectively as a legitimate one.

Below is a PowerShell script, using the Quest (ActiveRoles) cmdlets, that resolves every sIDHistory value of the specified object to the matching object in the source domain.

# User whose sIDHistory we want to resolve
$user = "B-U1"
# Get the object from the target AD together with its sIDHistory (not returned by default)
$obj = Get-QADObject -Identity $user -Service "B.local" -IncludedProperties sIDHistory | Select-Object name, dn, sIDHistory
if (-not $obj) { throw "Object '$user' not found in B.local" }
# LDAP path of the object
$ldap = "LDAP://{0}" -f $obj.dn
# Via .NET, convert each raw SID (byte[]) from sIDHistory into its S-1-5-... string form
$historySids = ([ADSI]$ldap).GetEx("sidhistory") | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_, 0).Value }
# For each SID from sIDHistory, find the matching object in the source domain
foreach ($sid in $historySids) { Get-QADObject -Identity $sid -Service "A.local" }
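As an added example that is not part of the original article: the same resolution done with the built-in ActiveDirectory (RSAT) module, which returns sIDHistory as SecurityIdentifier objects and so needs no ADSI/byte-array conversion, plus the reverse direction (given an old SID, which object in B.local now carries it), which is the search the title promises. The function names, the domain names A.local/B.local and the sample SID are placeholders assumed for illustration.

```powershell
# Added example, not part of the original article. Uses the RSAT ActiveDirectory
# module instead of the Quest cmdlets. Domain names and the sample SID are
# placeholders assumed for illustration.
Import-Module ActiveDirectory

function Resolve-SidHistory {
    <# Forward direction: for one object in the target domain, show which object
       in the source domain each sIDHistory value belongs to. #>
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. "B-U1"
        [string] $TargetDomain = "B.local",                # where the migrated object lives
        [string] $SourceDomain = "A.local"                 # where the old SIDs came from
    )
    # sIDHistory is not returned by default, so ask for it explicitly.
    $obj = Get-ADObject -Server $TargetDomain -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties sIDHistory
    if (-not $obj) { throw "Object '$SamAccountName' not found in $TargetDomain" }
    if (-not $obj.sIDHistory) { Write-Warning "$SamAccountName has no sIDHistory"; return }

    foreach ($sid in $obj.sIDHistory) {
        # The AD module returns SecurityIdentifier objects, so no byte[] conversion is needed.
        # Filter rather than -Identity so a SID that no longer exists in A.local
        # (deleted after migration) yields an empty result instead of an exception.
        $old = Get-ADObject -Server $SourceDomain -Filter "objectSid -eq '$($sid.Value)'"
        $oldName = if ($old) { $old.Name } else { "<not found in $SourceDomain>" }
        [pscustomobject]@{
            NewName = $obj.Name
            NewDN   = $obj.DistinguishedName
            OldSid  = $sid.Value
            OldName = $oldName
            OldDN   = $old.DistinguishedName
        }
    }
}

function Find-BySidHistory {
    <# Reverse direction: given an old SID (e.g. read off an ACE on \\server01\share),
       find the object in the target domain that now carries it in sIDHistory. #>
    param(
        [Parameter(Mandatory)] [string] $OldSid,
        [string] $TargetDomain = "B.local"
    )
    # AD accepts the S-1-5-... string form in LDAP filters for SID-valued attributes.
    Get-ADObject -Server $TargetDomain -LDAPFilter "(sIDHistory=$OldSid)" -Properties sIDHistory |
        Select-Object Name, DistinguishedName, ObjectClass
}

# Usage with the article's placeholder names:
Resolve-SidHistory -SamAccountName "B-U1" | Format-Table -AutoSize
# Find-BySidHistory -OldSid "S-1-5-21-1111111111-2222222222-3333333333-1105"
```

The reverse lookup is the one you reach for when cleaning up ACLs: the share's ACE shows only an unresolvable S-1-5-21-... after the source domain is decommissioned, and `(sIDHistory=<that SID>)` tells you which migrated object still depends on it.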


Conditions for the script:


The input can also be a CSV file, for example a list exported from a group. users.txt (tab-delimited, with a header row):
name
B-U1


Import-Csv -Delimiter "`t" -Path "users.txt" | ForEach-Object {
    # User whose sIDHistory we want to resolve, taken from the "name" column
    $user = $_.name
    # Get the object from the target AD together with its sIDHistory
    $obj = Get-QADObject -Identity $user -Service "B.local" -IncludedProperties sIDHistory | Select-Object name, dn, sIDHistory
    # Skip (rather than abort the whole run) when a listed user does not exist
    if (-not $obj) { Write-Warning "Object '$user' not found in B.local"; return }
    # LDAP path of the object
    $ldap = "LDAP://{0}" -f $obj.dn
    # Via .NET, convert each raw SID (byte[]) from sIDHistory into its S-1-5-... string form
    $historySids = ([ADSI]$ldap).GetEx("sidhistory") | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_, 0).Value }
    # For each SID from sIDHistory, find the matching object in the source domain
    foreach ($sid in $historySids) { Get-QADObject -Identity $sid -Service "A.local" }
}
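Also as an added example, not from the original article: a domain-wide audit of the attribute rather than a per-user lookup. It lists every object in B.local with a populated sIDHistory and flags values a migration should not produce: SIDs from the target domain itself, SIDs from a domain not on the expected-source list, non-account SIDs such as BUILTIN groups, and well-known privileged RIDs. The expected source domain SID, the function name and the domain names are placeholder assumptions.

```powershell
# Added example, not part of the original article. Audits every object in the
# target domain that has sIDHistory populated. The expected source domain SID
# below is a placeholder; replace it with the real domain SID(s) you migrated from.
Import-Module ActiveDirectory

function Get-SidHistoryFindings {
    param(
        [string]   $TargetDomain = "B.local",
        # Domain SIDs (without the trailing RID) of the domains you legitimately migrated from.
        [string[]] $ExpectedSourceDomainSids = @("S-1-5-21-1111111111-2222222222-3333333333")
    )
    # Well-known RIDs of privileged principals. A migrated user account never
    # legitimately carries these in its sIDHistory.
    $privilegedRids = @{
        500 = "Administrator";  512 = "Domain Admins";     516 = "Domain Controllers"
        518 = "Schema Admins";  519 = "Enterprise Admins"; 520 = "Group Policy Creator Owners"
    }
    $ownDomainSid = (Get-ADDomain -Server $TargetDomain).DomainSID.Value

    Get-ADObject -Server $TargetDomain -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory, whenChanged |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $flags = @()
                # AccountDomainSid is $null for non-account SIDs such as BUILTIN (S-1-5-32-xxx).
                $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                $rid = [int]($sid.Value.Split('-')[-1])

                if (-not $domainSid)                                 { $flags += "not an account-domain SID" }
                elseif ($domainSid -eq $ownDomainSid)                { $flags += "SID from the target domain itself" }
                elseif ($domainSid -notin $ExpectedSourceDomainSids) { $flags += "unknown source domain $domainSid" }
                if ($privilegedRids.ContainsKey($rid))               { $flags += "privileged RID $rid ($($privilegedRids[$rid]))" }

                $finding = if ($flags) { $flags -join "; " } else { "ok" }
                [pscustomobject]@{
                    Name        = $obj.Name
                    ObjectClass = $obj.ObjectClass
                    HistorySid  = $sid.Value
                    WhenChanged = $obj.whenChanged   # last change of the object, not of this attribute
                    Finding     = $finding
                }
            }
        }
}

# Show only the entries that need a human to look at them:
Get-SidHistoryFindings | Where-Object { $_.Finding -ne "ok" } | Format-Table -AutoSize
```

whenChanged only tells you when the object was last modified; to see exactly when a SID was added to sIDHistory, and by whom, look at the domain controllers' security log for event 4765 (SID History was added to an account) and 4766 (an attempt to add SID History failed).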

Source: https://habr.com/ru/post/122753/
