re : Poor Migration Cleanup. Need help with SID History

Hi, 

I have inherited a domain that has a lot of accounts with prior SID History with them. 

But the domain they refer to no longer exists. 

I would like to remove the SID History values, but I don't know if they are still needed for any resources that may have been migrated around that time. 

For example - 

Say I had two domains named target and source. 

Tom's account gets migrated from Source to Target. 

Then, someone migrates a folder from Source to Target, keeping the same permissions.

Will Tom still have access to the folder using his SID History value? 

Or will the folder have to be re-permissioned to use his New SID? 

The source domain no longer exists, so I guess the SID history is no longer needed to access anything there.  

However, I am worried that if I delete the SIDHISTORY values, it could prevent the accounts from accessing any resources that may have been migrated from the source to the target domain.

Please help. 

  • If the folder was never re-permissioned (re-ACL'd) with security principals from the target domain (be they groups Tom is a member of or Tom's own account), then Tom will very much rely on SIDHistory to access the folder.

    Until you can be sure that all resources now have access granted using "target" users and groups, you cannot clean up the SIDHistory without the risk of breaking access.


  • Hi Johnny,  

    The situation I am in is this.  

    I have around 250 accounts and about 445 groups with SID history values.  

    I don't know what objects may have been migrated from the source domain to the target domain. 

    The source domain was removed around 2008. 

    I am worried that if I remove the SIDHISTORY values and there are objects that have not been re-acl'd it could break something.  

    Some of the groups that have the SID history values present include Domain Admins, Domain Users and other security groups. 

    Thanks
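
One way to find out which resources still depend on SIDHistory before removing anything, as discussed in the thread above (an added example, not code from any poster): inventory every sIDHistory value in the directory, then read folder ACLs as raw SIDs and report the ACEs that still reference a legacy SID. The path in `$ScanRoot` is a hypothetical placeholder, and the script assumes the ActiveDirectory RSAT module and read access to the ACLs being scanned.

```powershell
# Added example. $ScanRoot is a hypothetical path; run with rights to read the ACLs.
Import-Module ActiveDirectory
$ScanRoot = '\\fileserver\share'   # hypothetical, replace with a real tree

# 1. Map every legacy SID to the object that carries it in sIDHistory.
$legacy = @{}
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid |
    ForEach-Object {
        foreach ($old in $_.sIDHistory) {
            $legacy[$old.Value] = [pscustomobject]@{
                Name       = $_.Name
                Class      = $_.ObjectClass
                CurrentSid = $_.objectSid.Value
            }
        }
    }
"{0} legacy SIDs found in sIDHistory" -f $legacy.Count

# 2. Walk the tree and read each ACL as raw SIDs. Asking for SecurityIdentifier
#    avoids name translation, so the report shows the SID the ACE really stores.
$sidType = [System.Security.Principal.SecurityIdentifier]
$root    = Get-Item -LiteralPath $ScanRoot
$items   = @($root) + @(Get-ChildItem -LiteralPath $ScanRoot -Directory -Recurse -ErrorAction SilentlyContinue)
$hits = @(foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
    # Explicit ACEs only below the root, so an inherited ACE is reported once.
    $inherited = ($item.FullName -eq $root.FullName)
    foreach ($ace in $acl.GetAccessRules($true, $inherited, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($legacy.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $item.FullName
                LegacySid = $sid
                Principal = $legacy[$sid].Name
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
            }
        }
    }
})

# 3. ACEs that still depend on sIDHistory, then the legacy SIDs not seen here.
$hits | Format-Table -AutoSize
$used = @($hits | Select-Object -ExpandProperty LegacySid -Unique)
$legacy.Keys | Where-Object { $_ -notin $used } | Sort-Object
```

A legacy SID that does not show up in one scanned tree may still be referenced on another server or resource type, so repeat the scan for each location before treating a value as unused.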