sid's and sid history

Discussion in 'Active Directory' started by Kevin Gallagher, Jun 16, 2009.

  1. I have recently had a problem with our SharePoint service after our content
    database was disconnected and then re-connected. We encountered problems
    logging on until we re-imported the user profile. Our SharePoint developers
    tried to blame the situation on all the user object SIDs in AD being
    changed, which I don't believe. I am a newbie and so I would like to ask
    under what circumstances user object SIDs change. I read the TechNet
    article SID vs GUID. This article tells me that SIDs will only change if the
    object moves domain. Can an expert tell me conclusively how or when SIDs
    change, please? I can't believe that AD would change all user object SIDs en masse.
     
    Kevin Gallagher, Jun 16, 2009
    #1

  2. AD doesn't change SIDs, even in the event of a migration which it then
    points to a new account migrated from another domain, but they are never
    changed once they are created.
     
    Paul Bergson [MVP-DS], Jun 16, 2009
    #2

  3. When an object is created in AD it gets a unique GUID for the AD forest. If
    that object is a security principal (user, group, computer) it will also get
    a SID which is scoped to a certain AD domain.

    If you move a security principal between AD domains in the same AD forest,
    the GUID will NOT change, but the SID will change (remember, the GUID is
    scoped for the AD forest and the SID is scoped for the AD domain).
    If you move a security principal between OUs in an AD domain, the GUID will
    NOT change and the SID will NOT change.
    If you delete a security principal and recreate it with the same name, it
    will get a new GUID and a new SID.
    AD itself will never change the GUID or the SID of an object.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Jun 16, 2009
    #3
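The rules in the post above can be checked against two exports of the directory taken before and after an incident. The following is an added example, not code from any poster in this thread: it decodes the binary `objectSid` attribute and classifies each account by comparing snapshots keyed on `objectGUID`. The snapshot layout, the `guid-N` keys, the account names and the domain identifiers are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (MS-DTYP SID layout) into S-1-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def domain_part(sid: str) -> str:
    """Everything before the trailing RID identifies the issuing domain."""
    return sid.rsplit("-", 1)[0]

def classify(before: dict, after: dict) -> dict:
    """before/after map objectGUID -> (sAMAccountName, SID string)."""
    report = {}
    old_names = {name for name, _ in before.values()}
    for guid, (name, sid) in after.items():
        if guid in before:
            old_sid = before[guid][1]
            if sid == old_sid:
                report[name] = "unchanged"
            elif domain_part(sid) != domain_part(old_sid):
                report[name] = "moved between domains"
            else:  # AD itself never does this, so it deserves investigation
                report[name] = "unexpected: SID changed within domain"
        elif name in old_names:
            report[name] = "deleted and recreated"
        else:
            report[name] = "new object"
    return report

def make_sid(domain: tuple, rid: int) -> bytes:
    """Build a constructed binary SID: revision 1, authority 5 (NT)."""
    subs = (*domain, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(
        "<%dI" % len(subs), *subs)

# Constructed sample data: two made-up domain identifiers and three accounts.
DOM_A = (21, 1111111111, 2222222222, 3333333333)
DOM_B = (21, 4000000001, 4000000002, 4000000003)
BEFORE = {"guid-1": ("alice", sid_to_str(make_sid(DOM_A, 1105))),
          "guid-2": ("bob", sid_to_str(make_sid(DOM_A, 1106))),
          "guid-3": ("carol", sid_to_str(make_sid(DOM_A, 1107)))}
AFTER = {"guid-1": ("alice", sid_to_str(make_sid(DOM_A, 1105))),
         "guid-2": ("bob", sid_to_str(make_sid(DOM_B, 2201))),
         "guid-9": ("carol", sid_to_str(make_sid(DOM_A, 1190)))}
REPORT = classify(BEFORE, AFTER)
```

If every account in a real pair of exports comes back as "unchanged", the SIDs did not change and the cause of the logon problem lies elsewhere.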
  4. Thanks to Jorge and Paul for clearing this up. The TechNet article SID vs
    GUID was insightful, but it is always useful to get clarification. My
    knowledge about SIDs was enough to explain that there wasn't a SID issue, but
    you know what DEV guys are like: they always hate to be told by OPS that they
    are wrong.

    Once again thanks to everyone who replied. This community really is one of
    the best I have used.
     
    Kevin Gallagher, Jun 17, 2009
    #4
  5. Nice details Jorge.
     
    Paul Bergson [MVP-DS], Jun 17, 2009
    #5