To field the 850 question.... In a forest where forest functional level is still 0, the value of "roughly 800" is out there. I say roughly as you'll never hit 800, that's the max # of values on the object more generally. And there are lots of other values already there.
When you increase forest functional level to at least 1, that'll jump to ~1300. Again, that's max on the object, so with other values there it'll be less for you.

Finally, I'd point out that more sidHistory values means more SIDs in tokens and such. So if you get too bloated, you have the large token troubleshooting path to go down. That's pretty well understood, but can still be painful for some environments, so I'd consider it before stuffing 200 values in there or something. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 11:26 AM
To: [email protected]
Subject: RE: [ActiveDir] User Migration...twice

To answer both questions: Yes, sidHistory is supposed to be "temporary" but for some that's the lifetime of the product. It's all temporary in the scheme of things right?

As for can you hold more than one sid in the sidHistory attribute, yes you can.

"Additional sIDHistory Information
The sIDHistory is a multivalued attribute of security principals in the Active Directory that may hold up to 850 values" (I believe it's gone up hasn't it?)
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970&Product=winsvr2003

Next logical question to ask: Is it a good idea? I don't think so. Makes troubleshooting a nightmare to say the least.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, March 18, 2005 2:15 PM
To: [email protected]
Subject: RE: [ActiveDir] User Migration...twice

Raymond, I apologize in advance for...
a) not answering your question
b) selfishly replying with another question for my own benefit

Along these lines, is the premise behind sidHistory that it should be somewhat temporary in nature? Shouldn't the organization go back and redo all ACLs (if possible!) and then clean out sidHistory afterwards? Or have I got the concept all wrong and the notion of fixing up so many ACLs absurd?

Thanks!

-DaveC
Reuters CIO Infrastructure

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: [email protected]
Subject: [ActiveDir] User Migration...twice

Has anyone successfully migrated user accounts twice, while maintaining SID history both times? We had a group of users migrated from an NT domain to a W2K domain (with SID history, Quest Migrator). We now need to migrate them again from the (now) W2K3 domain to another W2K3 domain. Can we keep both SIDs as SID History?

Thanks,
rb

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
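
An added example for the thread above, not written by any of the posters: a PowerShell inventory of sidHistory showing how many values each object carries and from how many source domains, which is the data to review before a second migration or a cleanup. It assumes the ActiveDirectory RSAT module and PowerShell 5 or later; `$ReviewThreshold` and `ConvertTo-Sid` are hypothetical names, and the threshold value is arbitrary.

```powershell
# Added example (not from the thread): inventory sidHistory before migrating again or cleaning up.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: arbitrary review threshold, not a product limit.
$ReviewThreshold = 5

# Normalise one sidHistory value: the module normally returns SecurityIdentifier
# objects, but raw LDAP bytes are handled as well.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    return [System.Security.Principal.SecurityIdentifier]::new([byte[]]$Value, 0)
}

# Users, groups and computers can all carry sidHistory, so query every object class.
$objects = Get-ADObject -LDAPFilter '(sidHistory=*)' -Properties sidHistory, sAMAccountName

$report = foreach ($obj in $objects) {
    $sids = @($obj.sidHistory | ForEach-Object { ConvertTo-Sid $_ })

    # AccountDomainSid is $null for SIDs that are not domain-relative; fall back to the SID itself.
    $domains = @($sids | ForEach-Object {
        if ($_.AccountDomainSid) { $_.AccountDomainSid.Value } else { $_.Value }
    } | Sort-Object -Unique)

    [pscustomobject]@{
        Name          = $obj.sAMAccountName
        ObjectClass   = $obj.ObjectClass
        SidCount      = $sids.Count
        SourceDomains = $domains.Count
        DomainSids    = $domains -join ';'
        Review        = ($sids.Count -ge $ReviewThreshold)
    }
}

# Largest sidHistory first: these objects add the most SIDs to access tokens.
$report | Sort-Object SidCount -Descending | Format-Table -AutoSize

# Objects holding SIDs from two or more source domains have likely been migrated more than once.
$report | Where-Object { $_.SourceDomains -ge 2 } | Select-Object Name, DomainSids
```

The `DomainSids` column also tells you which old domains' ACLs still need re-permissioning before those sidHistory values can be cleared.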
