sIDHistory will make your migration to Windows 2000/2003 Active
Directory an easy process.
Last week we discussed the advantages of the Microsoft Windows "run as"
feature. This week we review the sIDHistory attribute in Active
Directory and how it is used during migrations from Windows NT 4.0 to
To understand the benefits of sIDHistory, you must first understand
SIDs. SID is an acronym for Security Identifier. When a Windows
NT/2000/2003 system creates directory objects, including users,
computers and group accounts, it assigns a unique SID to each. As part
of the authentication process, Windows grants an access token to a user
when they log on. This access token contains the SID of the user
account and the SIDs of all the groups of which the user is a member.
When a user attempts to access a network resource, the system checks the
access token against the resource's Discretionary Access Control List
(DACL). The DACL is a list of SIDs that the system has either granted
or denied access to for the specific network resource. For users to
successfully access a network resource, their SID or the SID of the
group they are a member of must appear on the DACL. SIDs are
domain-specific: a SID is made up of two parts, a domain ID that is
the same for every object in that domain, and a relative ID that is
unique to that object. If a user account is created for an existing
user in a new domain, a new SID is created and thus all existing DACLs are
useless, because the SID of the user's old account is contained on the
To help you overcome this issue, Windows 2000/2003 security principals
have an additional attribute called sIDHistory. sIDHistory stores an
object's previous SID, so when a user logs on to a new Windows 2000/2003
Active Directory domain, the SIDs held in sIDHistory are added to the
access token alongside the new SID. Additionally, since group objects in
Windows 2000/2003 also carry the sIDHistory attribute, both the old and
new group SIDs are appended to the access token as well. Because the
access token contains both the old and new SIDs, access to existing
resources is unaffected as you migrate users and groups to the new
Windows 2000/2003 Active Directory environment.
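A small model of the token-versus-DACL check described above, added here as an illustration; it is not code from the original column or from Microsoft. The domain SIDs and RIDs are constructed samples, and the logic is a Python simulation of the Windows access check rather than a call to the real API.

```python
from dataclasses import dataclass, field

# Constructed sample domain SIDs (not real domains). A domain SID is the
# prefix S-1-5-21-<sub-authorities>; the trailing RID identifies one
# object within that domain, as the column describes.
OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # NT 4.0 source domain
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # Active Directory target domain

def split_sid(sid):
    """Return (domain_id, rid) for a domain SID such as S-1-5-21-...-1105."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)  # previous SIDs
    groups: list = field(default_factory=list)       # Principal objects

def build_token(user):
    """Model the access token: the user's SID plus every group SID, with
    each object's sIDHistory entries appended alongside its current SID."""
    token = {user.sid, *user.sid_history}
    for g in user.groups:
        token.add(g.sid)
        token.update(g.sid_history)
    return token

def check_access(token, dacl):
    """dacl: list of (sid, 'allow' | 'deny'). In canonical ACE order
    explicit deny entries precede allow entries, so a matching deny wins."""
    if any(kind == "deny" and sid in token for sid, kind in dacl):
        return False
    return any(kind == "allow" and sid in token for sid, kind in dacl)

# A file share whose DACL still references only the old-domain SIDs.
SHARE_DACL = [(f"{OLD_DOMAIN}-1105", "allow"),   # old user SID
              (f"{OLD_DOMAIN}-2001", "allow")]   # old group SID

def migrated_user(with_history):
    """Same user and group recreated in the new domain, with or without
    their old SIDs carried over in sIDHistory."""
    user_hist = [f"{OLD_DOMAIN}-1105"] if with_history else []
    grp_hist = [f"{OLD_DOMAIN}-2001"] if with_history else []
    grp = Principal(f"{NEW_DOMAIN}-3002", grp_hist)
    return Principal(f"{NEW_DOMAIN}-1201", user_hist, [grp])

def migration_outcome(with_history):
    """True when the migrated user can still open the share."""
    return check_access(build_token(migrated_user(with_history)), SHARE_DACL)
```

Without sIDHistory the new token contains only new-domain SIDs and the unchanged DACL denies access; with it, the old SIDs in the token match the DACL entries and access continues.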
To take advantage of this feature you need to use the Microsoft Active
Directory Migration Tool. To find out more about this tool, check out
my earlier article at:
Additionally, you can check out Microsoft's website at:
Join me next week when we begin a discussion on IP Version 6, the next
generation of IP addressing in the enterprise.