10

I have two AD groups which were erroneously created while there should instead have been only one group; they contain the exact same users. However, these groups have been assigned various permissions on various resources (like file shares), and I'm unable to track all of them and reset them to only refer to one group.

Can I "merge" the two groups if I delete one of them and put its SID in the SID history of the other one? Will this allow the members of the remaining group to access those resources for which permissions have been granted to the deleted one?


Update:

Looks like there is no easy way to add a SID to the SID history of a user or group; at least, both ADUC and ADSIEdit are unable to do this. If the above described trick works, how can this be actually accomplished?

Massimo
  • 72,827

1 Answer

4

You can't modify the SIDHistory attribute as it's a protected attribute.

One of the only supported methods of doing so is using the AD Migration Tool. There are some Powershell/scripts but they all would require that the groups reside in different domains/forests.

The only way you would be able to accomplish this is as TheCleaner specified. You would make the group that you want to use moving forward (group 1) a member of the "legacy" group (group 2) so that all members of group 1 are members of group 2. You would then remove the users from group 2 and just add new users to group 1.

HostBits
  • 11,945
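The nesting procedure from the answer above, written out as an added PowerShell example using the ActiveDirectory module (this is not code from the answer or from Microsoft; the two group names are assumed placeholders). It checks that the group scopes allow nesting, nests group 1 inside group 2, and removes only those direct users of group 2 that are already in group 1, so nobody silently loses access.

```powershell
# Added example: merge membership of two duplicate AD groups by nesting,
# since SIDHistory cannot be written by hand. Group names are assumptions.
Import-Module ActiveDirectory

$keep   = 'GRP-FileShare-Users'    # group 1: the group you keep managing
$legacy = 'GRP-FileShare-Users2'   # group 2: kept alive so its SID still matches ACLs

$keepGrp   = Get-ADGroup -Identity $keep
$legacyGrp = Get-ADGroup -Identity $legacy

# A Global group may only contain other Global groups from the same domain;
# refuse to nest a Domain Local or Universal group inside it.
if ($legacyGrp.GroupScope -eq 'Global' -and $keepGrp.GroupScope -ne 'Global') {
    throw "Cannot nest $keep ($($keepGrp.GroupScope)) inside Global group $legacy"
}

# Step 1: make group 1 a direct member of group 2.
Add-ADGroupMember -Identity $legacyGrp -Members $keepGrp

# Step 2: find group 2's direct user members. Get-ADGroupMember without
# -Recursive lists direct members only, which is what we want to prune.
$keepUserDns = Get-ADGroupMember -Identity $keepGrp |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName
$legacyUsers = Get-ADGroupMember -Identity $legacyGrp |
    Where-Object objectClass -eq 'user'

# Only remove users who already reach group 2 through group 1.
$toRemove = $legacyUsers | Where-Object { $keepUserDns -contains $_.distinguishedName }
$orphans  = $legacyUsers | Where-Object { $keepUserDns -notcontains $_.distinguishedName }

if ($orphans) {
    # These accounts were only in group 2; add them to group 1 before removing them here.
    Write-Warning ("In $legacy but not $keep, left untouched:`n" +
        ($orphans.SamAccountName -join "`n"))
}

if ($toRemove) {
    # Dry run first; drop -WhatIf once the listed removals look right.
    Remove-ADGroupMember -Identity $legacyGrp -Members $toRemove -Confirm:$false -WhatIf
}

# Verify: group 2 should now list group 1 (and any orphans) as its only direct members.
Get-ADGroupMember -Identity $legacyGrp | Select-Object name, objectClass
```

Nested membership is evaluated at logon, so users pick up access through group 2 only after their access token is rebuilt (log off and on again).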