How do I move an object in AD without losing the objects SID?
Article ID: 53929

Updated On:

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

You can move accounts between OUs using roles, but that method deletes and recreates the account, so the moved object ends up with a new SID instead of its original one.

Environment

Release:
Component: ETRADM

Resolution

You can use the ldapmodrdn.exe LDAP rename tool shipped in %ETAHOME%\Bin to move an account to a different OU while retaining the original SID.

The ldapmodrdn.exe included under %ETAHOME%\Bin is a modified build: it adds the -s parameter, which renames the entry under a new superior (parent) entry, so the object is moved rather than deleted and recreated and its SID is preserved. The usage is as follows:

Rename LDAP entries

usage: ldapmodrdn [options] [dn rdn]
        dn rdn: If given, rdn will replace the RDN of the entry specified by DN
                If not given, the list of modifications is read from stdin or
                from the file specified by "-f file" (see man page).
Rename options:
   -c continuous operation mode (do not stop on errors)
   -f file read operations from 'file'
   -r remove old RDN
   -s newsup new superior entry

Common options:
   -d level set LDAP debugging level to 'level'
   -D binddn bind DN
   -f file read operations from 'file'
   -h host LDAP server
   -H URI LDAP Uniform Resource Indentifier(s)
   -M enable Manage DSA IT control (-MM to make critical)
   -n show what would be done but don't actually update
   -p port port on LDAP server
   -P version procotol version (default: 3)
   -v run in verbose mode (diagnostics to standard output)
   -w passwd bind passwd (for simple authentication)
   -W prompt for bind passwd
   -x Simple authentication
   -Z Start TLS request (-ZZ to require successful response)

Here is an example batch file that runs ldapmodrdn.exe. Replace the <...> placeholders with your own values. Each DN is kept on a single line, because a batch "set" statement does not continue onto the next line. Adding -n to the command shows what would be done without updating anything, and -W prompts for the bind password instead of storing it in the file (both options are listed in the usage above).

@echo off
REM Provisioning Server connection details (replace the placeholders)
set HOST=<Provisioning_Server_Machine>
set PORT=20389
set DOMAIN=<Provisioning_Server_Domain>

REM Global user that binds to the Provisioning Server
set BINDDN="eTGlobalUserName=<AdminUser>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
set PWD=<AdminUser_Password>

REM New superior (parent) OU that the account is moved under
set NEWSUPDN="eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example,eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"

REM Current DN of the account being moved
set OBJECTDN="eTADSAccountName=<Username>,eTADSOrgUnitName=Standard Users,eTADSOrgUnitName=Example,eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"

REM The RDN stays the same; only the superior changes
set RDN="eTADSAccountName=<Username>"

REM -s moves the existing entry under NEWSUPDN, keeping the same object and SID
"%ETAHOME%\Bin\ldapmodrdn.exe" -h %HOST% -p %PORT% -D %BINDDN% -w %PWD% -s %NEWSUPDN% %OBJECTDN% %RDN%
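To make the difference between the two move methods concrete, here is an added example that is not part of the article and not CA code: a small in-memory model of a directory in which the same account is moved once with a ModifyDN-with-new-superior (what ldapmodrdn -s does) and once by delete-and-recreate (what the role-based move does). The DN splitting is a simplified RFC 4514 parse, the SID values are constructed placeholders, and the attribute name objectSid is assumed to be the one AD exposes; the eTADS* naming follows the article's example DNs. No LDAP server is contacted.

```python
"""Added example (not from the KB article): why a ModifyDN with a new
superior keeps an object's SID while a delete-and-recreate does not."""
import itertools
import re


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (simplified RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def join_dn(parts):
    return ",".join(parts)


class Directory:
    """Tiny LDAP-like store mapping DN -> attribute dict (simulation only)."""

    def __init__(self):
        self.entries = {}
        # Constructed SID generator: a real DC issues the RID, this just counts.
        self._rid = itertools.count(1000)

    def add(self, dn, attrs):
        if dn in self.entries:
            raise ValueError("entry already exists: " + dn)
        entry = dict(attrs)
        # A newly created account object always gets a fresh SID (constructed format).
        entry.setdefault("objectSid", "S-1-5-21-EXAMPLE-%d" % next(self._rid))
        self.entries[dn] = entry
        return entry

    def delete(self, dn):
        return self.entries.pop(dn)

    def modrdn(self, dn, new_rdn, new_superior=None):
        """ModifyDN, as ldapmodrdn -s newsup does: same entry, new RDN and/or parent."""
        entry = self.entries.pop(dn)
        parent = new_superior if new_superior is not None else join_dn(split_dn(dn)[1:])
        new_dn = join_dn([new_rdn] + split_dn(parent))
        if new_dn in self.entries:
            self.entries[dn] = entry  # roll back so the failed move loses nothing
            raise ValueError("target already exists: " + new_dn)
        self.entries[new_dn] = entry
        return new_dn

    def move_by_recreate(self, dn, new_superior):
        """The role-based move from the article: delete the object, then add a new one."""
        rdn = split_dn(dn)[0]
        old = self.delete(dn)
        # Everything but the SID is copied; the SID is issued anew on add().
        attrs = {k: v for k, v in old.items() if k != "objectSid"}
        new_dn = join_dn([rdn] + split_dn(new_superior))
        self.add(new_dn, attrs)
        return new_dn


def demo():
    """Move two accounts into Disabled Users, one per method, and report SID retention."""
    base = "eTADSDirectoryName=MyAD,eTNamespaceName=ActiveDirectory,dc=example,dc=eta"
    standard = "eTADSOrgUnitName=Standard Users,eTADSOrgUnitName=Example," + base
    disabled = "eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example," + base
    d = Directory()
    for user in ("alice", "bob"):  # constructed sample accounts
        d.add("eTADSAccountName=%s,%s" % (user, standard), {"eTADSAccountName": user})
    sid_alice = d.entries["eTADSAccountName=alice," + standard]["objectSid"]
    sid_bob = d.entries["eTADSAccountName=bob," + standard]["objectSid"]

    alice_dn = d.modrdn("eTADSAccountName=alice," + standard,
                        "eTADSAccountName=alice", new_superior=disabled)
    bob_dn = d.move_by_recreate("eTADSAccountName=bob," + standard, disabled)
    return {
        "alice_dn": alice_dn,
        "alice_sid_kept": d.entries[alice_dn]["objectSid"] == sid_alice,
        "bob_dn": bob_dn,
        "bob_sid_kept": d.entries[bob_dn]["objectSid"] == sid_bob,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The modrdn path keeps the entry (and therefore its objectSid) intact and only re-keys it under the new parent, which is the property that matters for any ACL or group membership that references the SID; the recreate path produces a new object whose SID no longer matches those references.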