As you know SID Mapping file can be used perform Security Translation using Active Directory Migration Tool (ADMT). You can create a SID Mapping file from the ADMT database as described in the http://support.microsoft.com/default.aspx?scid=kb;EN-US;835991 article.
But my plan is to use my favorite DSQQUERY command to create this file. When you migrate an object from one domain to another, a new SID will be generated for the account and stored in the ObjectSID property. Before the new value is written to the property, the previous value (ObjectSID from the source domain) is copied to another user attribute, sIDHistory in the Target domain. So you can use the sIDHistory value to search the Source domain using the ObjectSID attributes to identify the corresponding user in the Source domain. In other words, the sIDHistory value in the target domain should be equal to the ObjectSID value in the source domain. You can read more information on my following blogs:
http://portal.sivarajan.com/2010/12/powershell-script-search-active.html
http://portal.sivarajan.com/2011/01/generate-sidhistory-report-using.html
The ADMT Mapping file should contain source and target account information. It can be sAMAccountName or objectSID. Since sIDHistory and ObjectSID are available in the migrated target objects, my plan is to get these information using the following DSQUERY command:
dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(sIDHistory=*))" -attr sIDHistory ObjectSID
You can redirect the output to a txt or CSV file. ADMT uses a comma separated value file. So update the output file in the correct format. You can use sAMAccountName instead of ObjetSID. If you are using sAMAccountName make sure to use it in domain\sAMAccountName format. The SID Mapping file should look like this:
OR
As I mentioned, you can get the sIDHistory and ObejctSID information from the target domain. But if you want to use the source sAMAccountName you need to run the query in the source domain.
Other Related Articles:
Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html
Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html
User Account Migration and Merging Using ADMT - http://www.sivarajan.com/
7 comments:
Thanks Sivarajan. The sidmapping.txt file, should just have the Sid,Sidhistory? Does it need to also have something else in the every line?
I am planning to perform a security translation for some servers. The ADMT migration was done 2 years back. Now we do not have the ADMT machine with us (nor its backup). I am tasked with performing Security translation. please help.
Thanks
Venkat
As I mentioned in the blog you can use the SID or SID and sAMAccountName. Do you have sIDHistory in the target object? If so, you can use DSQEURY command to generate this report.
This was extremely helpful - Thanks!
Thanks for the feedback Brad!
Hey Santhosh, great blog! Have you ever got this feature (SID Mapping File) with admt 3.2 running in a member server? I need to run admt 3.2 command line out of Domain Controller and migrate SID History... in the admt 3.2 manual says that this isn't possible for command line... do you know if in old versions of admt this was possible? Any reference? Thanks a lot!
You can use any version of ADMT. What issues are you seeing?
Great Article
IEEE Projects on Information Security
Project Centers in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai
Post a Comment