How to remove sIDHistory from AD objects using Powershell
SID History is an Active Directory (AD) user account object attribute that simplifies the authorization process during the migration of Windows domains. This attribute is available under Windows Server 2003 and Windows 2000 environments.
Once the domain migration is complete it is advisable to clear the sIDHistory from user or group accounts to avoid possible token size issues.
This guide will help you to remove sIDHistory from AD objects using Powershell.
How to remove sIDHistory from a single AD user
Run PowerShell in elevated mode (Run as a different user), using your Domain Administrator credentials.
Type the following command:
Get-ADUser USERNAME -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}
Replace the USERNAME attribute with the username of the desired user account.
If you receive the “Set-ADUser: Insufficient access rights to perform the operation” error message, you don’t have the required permissions to remove sIDHistory from user accounts. If no error message is returned, the command completed successfully.
You can check that the sIDHistory was removed by refreshing the container in which the user account is located.
Before and after screenshots (part of the sIDHistory was masked for security purposes).
How to remove sIDHistory from Active Directory group
Run PowerShell in elevated mode (Run as a different user), using your Domain Administrator credentials.
Type the following command:
Get-ADGroup GROUPNAME -properties sidhistory | foreach {Set-ADGroup $_ -remove @{sidhistory=$_.sidhistory.value}}
Replace the GROUPNAME attribute with the Active Directory group name.
If you receive the “Set-ADGroup : Cannot validate argument on parameter ‘Remove’. The argument is null or an element of the argument collection contains a null value.” error message, sIDHistory is not set on this AD group, so there is nothing to remove.
How to remove sIDHistory for all users in Active Directory Organizational Unit
Run PowerShell in elevated mode (Run as a different user), using your Domain Administrator credentials.
Type the following command:
Get-ADUser -SearchBase "OU=Accounts,DC=mydomain,DC=com" -Filter {sidhistory -like '*'} -Properties sidhistory | foreach {Set-ADUser $_ -Remove @{sidhistory=$_.sidhistory.value}}
Replace the -SearchBase value with the distinguishedName of the Organizational Unit and press Enter. The -Filter clause restricts the cleanup to accounts that actually carry a sIDHistory value, so you will not see the null-argument error described for groups above.
After you have performed the SID cleanup you might want to check whether there are still AD accounts with a sIDHistory value. The following PowerShell command lists them:
Get-ADUser -Filter * -Properties sidhistory | Where-Object { $_.sidhistory }
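The per-user, per-group and per-OU commands above can be combined into one script that covers users, groups and computers in a single pass, records the SIDs it strips to a CSV before they are gone, and finishes with the domain-wide verification query. This is an added example, not part of the original post; the OU path and report file name are placeholders, and it assumes the ActiveDirectory module and write rights on sIDHistory.

```powershell
# Added example (not from the original post): audit and clear sIDHistory for every
# user, group and computer below one OU, keeping a CSV record of the removed SIDs.
# Assumes the ActiveDirectory (RSAT) module and rights to modify sIDHistory.
param(
    [string]$SearchBase = 'OU=Accounts,DC=mydomain,DC=com',    # placeholder OU from the post
    [string]$ReportPath = "$env:TEMP\sidhistory-removed.csv",  # placeholder report path
    [switch]$WhatIf                                            # preview without changing AD
)
Import-Module ActiveDirectory -ErrorAction Stop

# The LDAP filter returns only objects that actually carry sIDHistory, which avoids the
# "argument is null" error that Set-ADUser/Set-ADGroup raise for objects without it.
$objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass

$log = foreach ($obj in $objects) {
    # Each entry is a SecurityIdentifier; .Value gives the SID string used by -Remove.
    $sids = @($obj.sIDHistory | ForEach-Object { $_.Value })
    $status = if ($WhatIf) { 'WhatIf' } else { 'Removed' }
    try {
        # Set-ADObject handles users, groups and computers alike.
        Set-ADObject -Identity $obj -Remove @{ sIDHistory = $sids } -WhatIf:$WhatIf -ErrorAction Stop
    } catch {
        # "Insufficient access rights" and similar failures land here and are recorded.
        $status = "Failed: $($_.Exception.Message)"
        Write-Warning "$($obj.DistinguishedName): $status"
    }
    foreach ($sid in $sids) {
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            RemovedSID        = $sid
            Status            = $status
        }
    }
}

# Keep the record: once cleared, sIDHistory cannot be restored from the object itself.
$log | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Record of $($log.Count) SID entries written to $ReportPath"

# Verification across the whole domain, not just the OU that was cleaned.
$remaining = @(Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)
Write-Host "Objects still holding sIDHistory: $($remaining.Count)"
$remaining | Select-Object DistinguishedName, ObjectClass
```

Run it first with -WhatIf to review the CSV, then without the switch to perform the removal.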
Hope this guide will help you to remove sIDHistory from AD objects. Comments are welcome.