How do I move an object in AD without losing the object's SID?


Article ID: 53929



Products: CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, CA Security Command Center, CA Data Protection (DataMinder), CA User Activity Reporting


You can move accounts between OUs using roles, but that method deletes the account and recreates it in the target OU, so the object receives a new SID. Any ACL or group membership that still references the old SID then no longer resolves to the account.


Component: ETRADM


You can use the ldapmodrdn.exe LDAP utility that ships with the Provisioning Server to move an account to a different OU while retaining its original SID.

The ldapmodrdn.exe installed under %ETAHOME%\Bin supports the -s (new superior) parameter. With -s, the operation is a modify-DN of the existing entry, which changes only the entry's parent rather than deleting and recreating the account, so the SID is preserved. The usage is as follows:

Rename LDAP entries

usage: ldapmodrdn [options] [dn rdn]
        dn rdn: If given, rdn will replace the RDN of the entry specified by DN
                If not given, the list of modifications is read from stdin or
                from the file specified by "-f file" (see man page).
Rename options:
   -c continuous operation mode (do not stop on errors)
   -f file read operations from 'file'
   -r remove old RDN
   -s newsup new superior entry

Common options:
   -d level set LDAP debugging level to 'level'
   -D binddn bind DN
   -f file read operations from 'file'
   -h host LDAP server
   -H URI LDAP Uniform Resource Identifier(s)
   -M enable Manage DSA IT control (-MM to make critical)
   -n show what would be done but don't actually update
   -p port port on LDAP server
   -P version protocol version (default: 3)
   -v run in verbose mode (diagnostics to standard output)
   -w passwd bind passwd (for simple authentication)
   -W prompt for bind passwd
   -x Simple authentication
   -Z Start TLS request (-ZZ to require successful response)

Here is an example using a batch file to run ldapmodrdn.exe. The DN values are shown only down to their OU components; complete each one with the remaining components (endpoint, namespace and directory suffix) of your Provisioning Server directory before running it. The -s argument names the OU the account moves into; the account DN and its RDN follow as the dn rdn pair described in the usage above. The RDN is unchanged because only the parent changes:

REM Provisioning Server connection details
set HOST=<Provisioning_Server_Machine>
set PORT=20389
set DOMAIN=<Provisioning_Server_Domain>

REM Global User that is allowed to manage the endpoint
set BINDDN="eTGlobalUserName=<AdminUser>,eTGlobalUserContainerName=Global Users,
set PWD=<AdminUser_Password>

REM Target OU (new superior) the account is moved into
set NEWSUPDN="eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=Example,

REM Current DN of the account and its (unchanged) RDN
set OBJECTDN="eTADSAccountName=<Username>,eTADSOrgUnitName=Standard Users,

set RDN="eTADSAccountName=<Username>"

"%ETAHOME%\Bin\ldapmodrdn.exe" -h %HOST% -p %PORT% -D %BINDDN% -w %PWD% -s %NEWSUPDN% %OBJECTDN% %RDN%

Two cautions: -w places the administrator password in the batch file and on the command line, where it is visible in process listings, so prefer -W to be prompted for it; and a first run with -n shows what would be done without changing anything. After the move, confirm that the account's objectSid in Active Directory is unchanged before relying on it.
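The batch above moves one account. The usage text also allows the dn rdn pairs to be read from a file with -f, which is how a practitioner would move an OU full of accounts in one run while still preserving every SID. The following Python script is an added example, not code from this article or from CA: it builds that input file and the matching command line. It assumes two things that the page does not state: ADS_SUFFIX is a constructed placeholder for the remaining DN components of your Provisioning Server (the article shows the DNs only down to the OU level), and ldapmodrdn -f takes the OpenLDAP input format of a DN line followed by an RDN line, with pairs separated by blank lines, the new parent being given once with -s. It also handles the case the single-account batch hides: account names containing commas, quotes or leading/trailing spaces must be escaped per RFC 4514 or the move targets a DN that does not exist.

```python
"""Generate ldapmodrdn -f input to move many AD accounts in one run.

Added example, not code from the KB article. Assumptions:
  * ADS_SUFFIX is a constructed placeholder for the remaining DN
    components (endpoint, namespace, directory suffix) of your
    Provisioning Server; it is not a value from the article.
  * ldapmodrdn -f reads the OpenLDAP input format: a DN line, an RDN
    line, then a blank line, one pair per entry. The new parent is
    given once with -s and applies to every pair.
"""
import os

# Constructed placeholder suffix (see module docstring).
ADS_SUFFIX = ("eTADSDirectoryName=ExampleEndpoint,"
              "eTNamespaceName=ActiveDirectory,dc=im,dc=eta")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).

    ',' '+' '"' '\\' '<' '>' ';' are backslash-escaped anywhere; '#' and
    a space are escaped at the start, and a space also at the end.
    Without this, an account named "Smith, John" would be parsed as
    two RDN components.
    """
    if not value:
        return value
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if value[0] in "# ":
        escaped = "\\" + escaped
    if len(value) > 1 and value[-1] == " ":
        escaped = escaped[:-1] + "\\ "
    return escaped


def container_dn(ou_path):
    """DN of an OU container; ou_path lists OU names from innermost outward."""
    rdns = [f"eTADSOrgUnitName={escape_rdn_value(ou)}" for ou in ou_path]
    return ",".join(rdns + [ADS_SUFFIX])


def account_rdn(account):
    return f"eTADSAccountName={escape_rdn_value(account)}"


def modrdn_input(accounts, old_ou_path):
    """Contents of the -f file: 'DN\\nRDN\\n' per account, blank-line separated.

    The RDN line repeats the current RDN because only the parent changes
    (via -s); the entry is renamed in place, so its SID is preserved.
    """
    parent = container_dn(old_ou_path)
    blocks = [f"{account_rdn(a)},{parent}\n{account_rdn(a)}\n" for a in accounts]
    return "\n".join(blocks)


def ldapmodrdn_argv(host, port, bind_dn, new_superior, input_file, dry_run=False):
    """Argument list for %ETAHOME%\\Bin\\ldapmodrdn.exe, for subprocess.run.

    -W prompts for the bind password so it never sits in a batch file or
    process listing (the article's batch uses -w); -c continues past
    per-entry errors; -n previews without changing anything. Passing a
    list to subprocess.run means DNs with spaces need no manual quoting.
    """
    exe = os.path.join(os.environ.get("ETAHOME", "%ETAHOME%"), "Bin", "ldapmodrdn.exe")
    argv = [exe, "-h", host, "-p", str(port), "-D", bind_dn, "-W", "-c",
            "-s", new_superior, "-f", input_file]
    if dry_run:
        argv.insert(1, "-n")
    return argv


if __name__ == "__main__":
    # Constructed sample: two accounts, one with a comma in its name.
    text = modrdn_input(["jdoe", "Smith, John"], ["Standard Users", "Example"])
    print(text)
    # Constructed bind DN placeholder; complete it for your directory.
    bind_dn = "eTGlobalUserName=<AdminUser>,eTGlobalUserContainerName=Global Users,<rest_of_DN>"
    print(" ".join(ldapmodrdn_argv("provsrv", 20389, bind_dn,
                                   container_dn(["Disabled Users", "Example"]),
                                   "moves.txt", dry_run=True)))
```

Write the output of modrdn_input to a file, run the printed command once with -n to confirm the DNs resolve, then without -n. Because -c is set, one mistyped account name does not abort the rest of the batch, so check the exit status and the output for any entry that was skipped.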