sIDHistory and Active Directory migrations

sIDHistory will make your migration to Windows 2000/2003 Active Directory an easy process.

Last week's column discussed the advantages of the Microsoft Windows "run as" feature. This week we review the sIDHistory attribute in Active Directory and how it is used during migrations from Windows NT 4.0 to Active Directory.

To understand the benefits of sIDHistory, you must first understand SIDs. SID is an acronym for Security Identifier. When a Windows NT/2000/2003 system creates a security principal, including user, computer and group accounts, it assigns a unique SID to each. As part of the authentication process, Windows builds an access token for a user when he or she logs on. The access token contains the SID of the user account and the SIDs of all the groups the user is a member of.

When the user attempts to access a network resource, the system compares the SIDs in the access token against the resource's Discretionary Access Control List (DACL). The DACL is an ordered list of access control entries, each of which names a SID and the access rights that are allowed or denied to it. For the user to access the resource, his or her own SID or the SID of a group he or she belongs to must appear in an allow entry on the DACL, and the requested rights must not be blocked by a matching deny entry. A SID is domain-specific and is really two identifiers in one: a domain identifier that is the same for every object created in that domain, and a relative identifier (RID) that is unique to the object within that domain. If a user account is created for an existing user in a new domain, a new SID is created and thus all DACLs are useless because the SID of the user's old account is contained on the

To help you overcome this issue, Windows 2000/2003 security principals have an additional attribute called sIDHistory. sIDHistory is multi-valued and stores an object's previous SIDs, so when a user logs on to the new Windows 2000/2003 Active Directory domain, the domain controller adds every SID held in sIDHistory to the access token alongside the account's new SID. Since group objects in Windows 2000/2003 also carry the sIDHistory attribute, both the old and the new group SIDs are added to the token as well. Because the access token now contains both the old and the new SIDs, a DACL that still names the old SIDs keeps granting (or denying) access exactly as before, and access is unaffected as you migrate users and groups to the new Windows 2000/2003 Active Directory environment.

Two caveats. First, a SID in sIDHistory grants access just as the account's primary SID does, so treat the attribute as a migration aid: once resources have been re-ACLed with the new SIDs, clear sIDHistory rather than leaving it in place indefinitely. Second, sIDHistory is honored within a forest, but Windows 2000 SP4 and Windows Server 2003 apply SID filtering to newly created external trusts by default, which strips from the token any SID that did not originate in the trusted domain, sIDHistory values included.
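The token-building and DACL-check behavior described above, as an added example that is not part of this column: a small Python model in which a SID is split into its domain identifier and RID, a logon token is built from the user's SID, its sIDHistory and its groups, and the DACL is walked the way the Windows access check does. The domain identifiers, RIDs and the share's DACL are constructed for illustration, and the access check is a simplified model of the Windows algorithm, not a call into it.

```python
"""Toy model of SIDs, logon tokens, DACL access checks and sIDHistory.
Added example, not from the original column. Domain identifiers, RIDs and
the sample DACL below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2

# A domain SID is the S-1-5-21-<three subauthorities> domain identifier
# followed by a relative identifier (RID) that is unique within that domain.
_DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-d1-d2-d3-RID' into (domain identifier, RID)."""
    m = _DOMAIN_SID.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


@dataclass
class Principal:
    sid: str
    sid_history: list[str] = field(default_factory=list)  # multi-valued, like the AD attribute
    member_of: list[Principal] = field(default_factory=list)


def build_token(user: Principal) -> frozenset[str]:
    """SIDs that end up in the logon token: the user's SID, every value of its
    sIDHistory, and the SID plus sIDHistory of every group it belongs to."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids.add(group.sid)
        sids.update(group.sid_history)
    return frozenset(sids)


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(token: frozenset[str], dacl: list[Ace], desired: int) -> bool:
    """Walk the DACL in order as the Windows access check does: a matching deny
    ACE that covers any still-outstanding right denies; matching allow ACEs
    accumulate until every requested right is granted. No matching ACE (or an
    empty DACL) means no access."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def migrate(p: Principal, new_domain: str, new_rid: int, keep_history: bool = True) -> Principal:
    """Clone a principal into the target domain. With keep_history the old SID
    is appended to sIDHistory (what ADMT does); without it the old SID is lost."""
    history = p.sid_history + [p.sid] if keep_history else []
    return Principal(f"{new_domain}-{new_rid}", history, list(p.member_of))


# --- constructed sample: an NT 4.0 domain migrated to a new AD domain ---
OLD = "S-1-5-21-1000-2000-3000"  # constructed domain identifier
NEW = "S-1-5-21-4000-5000-6000"  # constructed domain identifier

old_finance = Principal(f"{OLD}-1105")
old_alice = Principal(f"{OLD}-1104", member_of=[old_finance])

# The share's DACL was written before the migration and names only old SIDs.
SHARE_DACL = [
    Ace("deny", f"{OLD}-1104", WRITE),          # alice personally may not write
    Ace("allow", f"{OLD}-1105", READ | WRITE),  # Finance group may read and write
]


def demo() -> dict[str, bool]:
    """Same user and group checked before migration, after a migration that
    drops the old SIDs, and after one that carries them in sIDHistory."""
    results = {"before": access_check(build_token(old_alice), SHARE_DACL, READ)}

    fin_nohist = migrate(old_finance, NEW, 2105, keep_history=False)
    alice_nohist = migrate(old_alice, NEW, 2104, keep_history=False)
    alice_nohist.member_of = [fin_nohist]
    results["no_history"] = access_check(build_token(alice_nohist), SHARE_DACL, READ)

    fin_hist = migrate(old_finance, NEW, 2105)
    alice_hist = migrate(old_alice, NEW, 2104)
    alice_hist.member_of = [fin_hist]
    results["with_history"] = access_check(build_token(alice_hist), SHARE_DACL, READ)
    results["with_history_write"] = access_check(build_token(alice_hist), SHARE_DACL, WRITE)
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:20} {'granted' if granted else 'denied'}")
```

Running it shows the user granted READ on the old share before migration, denied after a migration that discards the old SIDs, and granted again when sIDHistory carries them. The old deny entry is also still enforced through sIDHistory, which is why the final WRITE check fails: the attribute preserves the old access decisions in both directions.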

To take advantage of this feature you need to use the Microsoft Active Directory Migration Tool (ADMT), which populates sIDHistory as it copies accounts into the new domain. To find out more about this tool, check out my earlier article at:

Additionally, you can check out Microsoft's website at:

Join me next week when we begin a discussion of IP Version 6, the next generation of IP addressing in the enterprise.
