Sunday, December 12, 2010

PowerShell Script - Search Active Directory and Generate SIDHistory Report

Updated script – with Multi-value support.

This PowerShell Script can used to search a user object in Active Directory domain and generate a report with their SIDHistory value.


As you can see in the following screenshot, the output file (userinfo.txt) contains the SamAccontName and its SIDHistory value:  


When a User object migrated from one domain to another, a new SID must be generated for the user account and stored in the ObjectSID property.  Before the new value is written to the property, the previous value (ObjectSID from source domain) is copied to another property of a User object, sIDHistory in the Target domain. So you can use the sIDHistory value to search the Source domain using the ObjectSID attributes to identify the corresponding user in the Source domain.  In other words, the sIDHistory value will be  equal to the source ObjectSID. 


Search sIDHistory value of a migrated user using DSQUERY and identify the corresponding ObjectSID in the source domain. 



More Scripts:


instead of the sidhistory, I want to export SID. but cant get it working. can you help me out?

Is there a way I can get the SIDs of all users in active directory and export as csv file?

That is easy. Instead of SIDHistory attribute use ObjectSID

Here is the modified PowerShell Script:

$UserInfoFile = New-Item -type file -force "C:\Scripts\UserInfo.csv"
"SamAccountName`tSID" | Out-File $UserInfoFile -encoding ASCII
$ObjFilter = "(&(objectCategory=User)(ObjectClass=user))"
$objSearch = New-Object System.DirectoryServices.DirectorySearcher
$objSearch.PageSize = 5000
$objSearch.Filter = $ObjFilter
$objSearch.SearchRoot = "LDAP://dc=sivarajan, dc=com"
$AllObj = $objSearch.FindAll()
foreach ($Obj in $AllObj)
$objItemT = $Obj.Properties
$tsam = $objItemT.samaccountname
$tsid = $objItemT.objectsid
write-host $tsam
write-host $tsid
"$tsam`t$tsid" | Out-File $UserInfoFile -encoding ASCII -append


You can use DSQUERY Command also:

dsquery * -filter "(&(objectCategory=User)(ObjectClass=user))" -attr samaccountname objectsid -limit 0 >> output.txt

If a user has more than one SidHystory entry, the script fill fail. Any ideas?

Cannot convert the "System.Byte[]" value of type "System.Byte[]" to type "System.Byte".
At line:16 char:4
+ $objectSID = [byte[]]$objpath1.sidhistory.value
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [], RuntimeException
+ FullyQualifiedErrorId : ConvertToFinalInvalidCastException

I have a different version of the script to support multi value

Post a Comment

Popular Posts


Twitter Delicious Facebook Digg Stumbleupon Favorites More