Skip to content
/ SIDCloner Public

Demonstrates how to populate SID History on security principals migrated cross AD forest from PowerShell session

License

GPL-3.0 license
12 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

GreyCorbel/SIDCloner

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits

Help

Help

 
 

src

src

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

inputFile.csv

inputFile.csv

 
 

Repository files navigation

SIDCloner

Module demonstrates how to populate SID History on security principals migrated cross AD forest via standard Windows API DsAddSidHistory

Overview

Module is available on PowerShell Gallery. As the code is developed in C++, installation of Visual C++ Redistributable is required for its use (C++/CLI projects cannot be compiled to statically link with C++ runtime). Module is available for amd64 platform only - I did not see any strong need for other HW platofrms. Let me know if you need it for different platform.

We routinely use this library in our migration projects as it can be easily integrated into PowerShell migration scripts and other toolset we develop and deliver to customers as a part of migration projects.

Samples

PowerShell sample below demostrates how easy it is to clone SID on many principals. Format of input file is showcased in inputFile.csv in this repo.

Note: Command is optimized for passing of source and target proncipal via pipeline: Necessary initializations and cleanup are performed in begin/end blocks only once.

Import-Module SidCloner
$sourceCred=Get-Credential
$targetCred=Get-Credential

Import-Csv .\inputFile.csv | Copy-Sid -SourceDomain domain1.com -TargetDomain domain2.com -SourceCredential $sourceCred -TargetCredential $targetCred

Assembly can also be used directly - provides static and instance methods for SID cloning.

Typical errors

When troubleshooting, always check if all prerequisites specified in Using DsAddSidHistory article are fulfilled.
Typical errors you may bump into and solutions are listed below.

Inappropriate authentication

This error may occur when you pass credentials for source and target forest as <NetBIOSDomainName>\<userSamAccountName>.
Use userPrincipalName format of user name in credential to avoid it.

Auditing must be enabled in source domain

This error occurs when auditing is not properly configured. Typical case is configuration of Account Management in classic audit of GPO: Computer policy - Security settings - Local policies - Audit policy, but not in Computer policy - Security settings - Advanced Audit policy configuration.
Make sure that Success and Failure audit is enabled in both places

About

Demonstrates how to populate SID History on security principals migrated cross AD forest from PowerShell session

Topics

forest migration sidhistory

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

12 stars

Watchers

4 watching

Forks

6 forks
Report repository

Releases 2

v2.0 Latest
Dec 22, 2020
+ 1 release

Packages

No packages published

Languages