How can I add permissions to sidHistory attribute?

Mountain Pond 1,181 Reputation points
2022-08-18T21:09:19.117+00:00

Hi,

I'm trying to add permissions for the sidHistory attribute. I need to allow modification for the domain administrator.

# Get the SID of the account that should receive the right (the built-in administrator here).
# Get-ADUser already returns a SecurityIdentifier, so no extra New-Object is needed.
$s = (Get-ADUser 'administrator').SID

# Get the target user
$User = Get-ADUser u1
# Get the current security descriptor of the user object from the AD: drive
$ACL = Get-Acl -Path "AD:\$($User.DistinguishedName)"

# schemaIDGUID of the sidHistory attribute, used as the ObjectType of a property-specific ACE
# https://learn.microsoft.com/en-us/windows/win32/adschema/a-sidhistory
$SidHistoryGuid = [Guid]'17eb4278-d167-11d0-b002-0000f80367c1'

# The trustee of the ACE must be the account SID ($s), not the domain SID
# ($s.AccountDomainSid), and a property ACE carries ReadProperty/WriteProperty
# rather than GenericAll. Inheritance is None because a user is a leaf object.
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $s,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $SidHistoryGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
# Add the ACE to the DACL
$ACL.AddAccessRule($ACE)
# Write the security descriptor back to the object
Set-Acl -Path "AD:\$($User.DistinguishedName)" -AclObject $ACL
  

But I keep getting an access error.
(screenshot: access error)

I also tried to add a SID to this attribute using the SYSTEM account. I thought someone else should have access. But it also has no privileges.
How does ADMT change this attribute??? Who has access to it :) And how can I get it?


Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2022-08-18T22:48:53.923+00:00

    Hi @

    The sidHistory attribute is a system control attribute; changing the permissions on the attribute will not grant you rights to add new SIDs, you will only be able to remove existing SIDs. You can only add new SIDs using the DsAddSidHistory function, and this function has a number of prerequisites that must be met for it to succeed.

    The details of the prerequisites can be found here - https://learn.microsoft.com/en-us/windows/win32/ad/using-dsaddsidhistory

    You could also use the SID History bulk option in NetTools, which will validate that all the prerequisites are in place and manage sidHistory values - https://nettools.net/sid-history-bulk/

    Gary.
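The prerequisites that the answer above points to can be checked from PowerShell before calling DsAddSidHistory or running ADMT. The block below is an added example, not code from the question, the answer or NetTools. It assumes the RSAT ActiveDirectory module, WinRM access to the PDC emulators of both domains, and placeholder domain names src.example.com and dst.example.com; the function names are hypothetical. It also shows the one direction the DACL on sidHistory does govern, removing a value, together with a report of the values already present.

```powershell
# Added example, not code from the question, the answer, or NetTools.
# Assumes: RSAT ActiveDirectory module, WinRM access to both PDC emulators,
# and placeholder domain names src.example.com / dst.example.com.
Import-Module ActiveDirectory

function Test-SidHistoryPrerequisites {
    # Hypothetical helper: reports the DsAddSidHistory prerequisites that can be
    # checked remotely (TcpipClientSupport, the <NetBIOS>$$$ audit group,
    # the trust, and account-management auditing).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain
    )
    $src = Get-ADDomain -Identity $SourceDomain
    $dst = Get-ADDomain -Identity $TargetDomain

    # 1. TcpipClientSupport = 1 on the source PDC emulator (enables the RPC-over-TCP
    #    endpoint DsAddSidHistory uses to read the source account's SID).
    $tcpip = Invoke-Command -ComputerName $src.PDCEmulator -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name TcpipClientSupport -ErrorAction SilentlyContinue).TcpipClientSupport
    }
    [pscustomobject]@{ Check = "TcpipClientSupport=1 on $($src.PDCEmulator)"; Pass = ($tcpip -eq 1) }

    # 2. An empty domain local group named <SourceNetBIOS>$$$ in the source domain.
    $auditGroup = $src.NetBIOSName + '$$$'
    $grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$auditGroup)" -Server $src.PDCEmulator
    $grpOk = ($null -ne $grp) -and ($grp.GroupScope -eq 'DomainLocal') -and
             (-not (Get-ADGroupMember -Identity $grp -Server $src.PDCEmulator))
    [pscustomobject]@{ Check = "Empty domain local group $auditGroup"; Pass = [bool]$grpOk }

    # 3. The target domain must trust the source domain.
    $trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -Server $dst.PDCEmulator
    [pscustomobject]@{ Check = "Trust $TargetDomain -> $SourceDomain"; Pass = ($null -ne $trust) }

    # 4. Account Management auditing (success and failure) in both domains, read
    #    from each PDC emulator. Simplification: passes if any subcategory of the
    #    category reports 'Success and Failure'.
    foreach ($dc in @($src.PDCEmulator, $dst.PDCEmulator)) {
        $audit = Invoke-Command -ComputerName $dc -ScriptBlock {
            auditpol /get /category:'Account Management'
        }
        [pscustomobject]@{ Check = "Account Management auditing on $dc"; Pass = [bool]($audit -match 'Success and Failure') }
    }
}

function Get-SidHistoryReport {
    # Lists every object in $Domain that carries sidHistory values, with the
    # domain SID each historical SID belongs to, so you can see what ADMT or
    # DsAddSidHistory has written and where each value came from.
    param([Parameter(Mandatory)][string]$Domain)
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory -Server $Domain |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($v in $_.sIDHistory) {
                $sid = [System.Security.Principal.SecurityIdentifier]$v
                [pscustomobject]@{
                    Object     = $dn
                    HistorySid = $sid.Value
                    FromDomain = $sid.AccountDomainSid.Value
                }
            }
        }
}

function Remove-SidHistoryValue {
    # Removing a value is an ordinary LDAP modify, which is the one direction
    # the DACL on the attribute does control (adding goes through DsAddSidHistory).
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Domain
    )
    Set-ADObject -Identity $DistinguishedName -Remove @{ sIDHistory = $Sid } -Server $Domain
}

# Usage with the placeholder domain names:
Test-SidHistoryPrerequisites -SourceDomain 'src.example.com' -TargetDomain 'dst.example.com' | Format-Table -AutoSize
Get-SidHistoryReport -Domain 'dst.example.com' | Format-Table -AutoSize
```

The prerequisite checks are read-only and report one object per check, so a failing row tells you which side of the migration to fix before retrying. The auditing check is deliberately loose (it does not verify every subcategory), and the registry read requires WinRM to the source PDC emulator; adjust both to your environment.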

