Vice Admiral

Writing to AD sidhistory

Is it possible to write to the AD sIDHistory attribute? It does not seem to work with the standard AD driver plus domain admin access. I get this error message:

00000005: SecErr: DSID-031A11D7, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
0 Likes
9 Replies
Vice Admiral
Looks like a protected attribute requiring a scripting driver that uses an unsafe flag or something equivalent. But hopefully someone with experience in doing this could say a word.

I saw Geoff mentioning this sometime earlier. Can you comment if you are around?
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
0 Likes
Knowledge Partner
I tried this a long time ago and it's not possible to write that attribute.
What we did was to write it out to a CSV file and have a PowerShell script do it.

Today you could do it with the scripting driver or PowerShell directly from the AD driver.

0 Likes
Vice Admiral
Thanks for the answer. Do you remember the PowerShell command to do it?
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
0 Likes
Knowledge Partner
Sorry, no.
I didn't write that script; we had an MS consultant at hand, so he did that bit.
I don't think it's that complicated though, and there must be a few how-tos around if you do a Google search.

Best of luck
0 Likes
Knowledge Partner
You could start with reading this.
It's a bit more than just PowerShell, apparently.

https://migration-blog.com/2014/03/30/how-to-write-or-migrate-sidhistory-with-powershell-3/

0 Likes
Vice Admiral
Thanks.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
0 Likes
Vice Admiral
sidHistory is a hugely sensitive attribute, since it could be abused to enable access that you shouldn't have. So it is not exposed for writing by LDAP.

Years ago I wrote an ActiveX COM object which I called through a Java class and bolted that into a driver. I wrote the DLL in VB6 (that dates it right there). If I remember right, it took a sequence of three MFC calls. It worked for that particular client I was dealing with, who was migrating to new AD domains, but alas, that was a long, long time ago in a laptop far, far away.
0 Likes
Knowledge Partner

We had a driver that called a Java function that called a VBScript to do the work. It is not a simple attribute.

If you think about it, if you went and wrote sidHistory to your account in this domain, with the SID of another domain and the RID of 500 I think, then you would be admin in that domain from this account. So it needs to be protected.

0 Likes
Vice Admiral
I thought the same as well. It is a multi-valued octet string attribute, I believe?
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi
0 Likes
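The octet-string layout asked about above, and the foreign-domain RID 500 scenario Geoff describes, as an added audit example (not code from this thread or from the AD driver): it decodes raw sIDHistory values into S-1-... text and flags entries that do not look like a migration artefact. The privileged-RID list and the approved-source-domain set are assumptions to adapt to your own environment.

```python
import struct

# Assumed policy (constructed for this example): RIDs a migration must never carry over.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def sid_bytes_to_string(blob: bytes) -> str:
    """Decode one binary SID (the octet-string form AD stores) into S-1-... text.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then count x 32-bit sub-authorities (little-endian)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build constructed test data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    subs = [int(x) for x in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def audit_sid_history(history_blobs, expected_source_domains):
    """Return (sid, reason) pairs for sIDHistory values that do not look like a
    legitimate migration artefact: a well-known privileged RID, or a source
    domain that is not on the approved list."""
    findings = []
    for blob in history_blobs:
        sid = sid_bytes_to_string(blob)
        domain_sid, _, rid = sid.rpartition("-")
        if int(rid) in PRIVILEGED_RIDS:
            findings.append((sid, f"privileged RID {rid} ({PRIVILEGED_RIDS[int(rid)]})"))
        if domain_sid not in expected_source_domains:
            findings.append((sid, f"unexpected source domain {domain_sid}"))
    return findings

# Constructed sample data: OLD_DOMAIN is the approved migration source, OTHER_DOMAIN is not.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_DOMAIN = "S-1-5-21-4000000004-1000000005-2000000006"
SAMPLE_HISTORY = [
    sid_string_to_bytes(OLD_DOMAIN + "-1105"),   # ordinary migrated user: no finding
    sid_string_to_bytes(OTHER_DOMAIN + "-500"),  # foreign Administrator SID: two findings
]
```

Running `audit_sid_history(SAMPLE_HISTORY, {OLD_DOMAIN})` returns two findings for the second value and none for the first; the same function can be fed the raw bytes an LDAP query returns for sIDHistory.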