PowerShell SIDHistory Module and Domain Local Groups

By Andrei Ungureanu - Last updated: Tuesday, June 20, 2017

A long time ago I wrote a bit about SIDWalker, a tool from the Windows 2003 Resource Kit that used to be very useful in various migration scenarios. But the tool has not been updated for a very long time, and its replacement is the PowerShell SIDHistory module, which you can find at the link below:


It would be hard for me to describe here everything that can be done with the commands included in this module, but I can tell you that they are very useful when you want to translate file system permissions in various migration scenarios.

One of the commands in the module is called Export-SIDMappingCustom, and it lets you create a file that maps objects in the source domain to objects in the target domain based on a common attribute (samaccountname, for example). The resulting CSV file can then be used to run Convert-SIDHistoryNTFS against a file system and have it replace or add permissions based on the information in that file.

But if you use DomainLocalGroup as the parameter to Export-SIDMappingCustom, you will be surprised to get only empty files. If that happens, check the SIDHistory.psm1 file and the following section:


If the group type for DomainLocalGroup is -2147483643, change it to -2147483644, as in the image above.
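The two values decoded, as an added example (not code from SIDHistory.psm1 or from the module's author): groupType is a bitmask, and -2147483643 carries the extra system-created bit that only groups in the Builtin container have, so it does not match ordinary domain local security groups. The group names below are constructed sample data.

```powershell
# Added example, not code from SIDHistory.psm1.
# groupType is a signed 32-bit bitmask; the bit values are the documented AD flags.
$GroupTypeBits = [ordered]@{
    BuiltinLocal = 0x00000001        # group created by the system (Builtin container)
    Global       = 0x00000002
    DomainLocal  = 0x00000004
    Universal    = 0x00000008
    Security     = [int]::MinValue   # 0x80000000, the sign bit
}

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    # Return the name of every flag whose bit is set in the value.
    foreach ($flag in $GroupTypeBits.GetEnumerator()) {
        if (($GroupType -band $flag.Value) -ne 0) { $flag.Key }
    }
}

# Constructed sample groups (hypothetical names), standing in for a directory query.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Administrators'; GroupType = -2147483643 }
    [pscustomobject]@{ Name = 'FS-Finance-RW';  GroupType = -2147483644 }
    [pscustomobject]@{ Name = 'FS-HR-RO';       GroupType = -2147483644 }
    [pscustomobject]@{ Name = 'Finance-Users';  GroupType = -2147483646 }
)

# For each candidate value: its hex form, its flags, and which sample groups
# an exact-match filter on that value would return.
$report = foreach ($value in [int[]](-2147483643, -2147483644)) {
    [pscustomobject]@{
        GroupType = $value
        Hex       = '0x{0:X8}' -f $value
        Flags     = (ConvertFrom-GroupType $value) -join ', '
        Matches   = ($sampleGroups | Where-Object { $_.GroupType -eq $value }).Name -join ', '
    }
}
$report | Format-Table -AutoSize
```

With -2147483643 only the Builtin-style group matches; with -2147483644 the two file-server groups, the kind normally found in NTFS ACLs, are returned.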

Below I will also include links to the original series of articles by Ashley McGlone, the creator of this module:

  1. Using PowerShell to resolve Token Size issues caused by SID history
    Prior to starting the module development this post explained the background of token size issues as related to SID history.  I provided the basic SID history query that we use to produce the report and some great links for more information on token size.
  2. Do Over: SID History One-Liner
    As a follow up to the Token Size post I re-wrote the SID history report query as a one-liner.
  3. PowerShell: SID Walker, Texas Ranger (Part 1)
    This time we looked at Get-ACL and parsing SDDL strings, a warm up for the next post.
  4. PowerShell: SID Walker, Texas Ranger (Part 2)
    Next I wrote a function to swap SID history entries in ACLs/ACEs.  This compensates for a gap in the ADMT, because it cannot migrate SID history for file shares hosted on a NAS.
  5. PowerShell: SID Walker, Texas Ranger (Part 3): Exporting Domain SIDs and Trusts
    Looking at raw SIDs in a report is not very friendly, so I wrote a function that translates domain SIDs into domain names.  This makes the SID history report more meaningful when you can see the name of the domain from whence they came.  Enumerating all forest trusts and their domain SIDs required using some .NET ninja skills.
  6. How To Remove SID History With PowerShell
    To round out the functions I provided Get-SIDHistory and Remove-SIDHistory, emphasizing that this is the LAST step in the process.  I leveraged the previous domain SID function to even give us the ability to remove SID history selectively by old domain name.

