question

ADAdmin-4361 avatar image
ADAdmin-4361 asked ·

Does the ObjectGUID of an AD security group ever change? Can it be changed?

Let's say I am using ADMT to migrate user and group objects from Domain A to Domain B.

Let's assume there is an Active Directory security group in Domain A (source domain) that has an ObjectGUID of 12345.

Does it keep the ObjectGUID 12345 after I use ADMT to migrate it to Domain B? (Target Domain)

Also, if I use ADConnect to sync objects to Azure AD from Domain B, does it still keep the ObjectGUID of 12345 after it syncs to the cloud?

At what point in the process I described, does the ObjectGUID change, if ever? If it DOES change somewhere in the process, is there any way for me set the ObjectGUID to 12345?

azure-active-directoryazure-ad-connect
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

RichardMueller-8175 avatar image
RichardMueller-8175 answered ·

The value of objectGUID is assigned by the system when the object is created and cannot be changed. It is read-only. It is unchanged even if the object is moved or renamed.

However, if the object is synched with Azure, the two objects can be linked by a GUID value. This reference discusses a source anchor attribute, which by default is objectGUID, but can be another GUID attribute:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts


Share
10 |1000 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.