9

I'm trying to uniquely identify objects in an Active Directory domain. The sAMAccountName or mail address can sadly change, and so can the objectSid. But I saw that there is an objectGUID as well.

I just wonder: Can this change for any reason, or can I assume this will never change?

The reason that I'm asking is that I'm referencing some AD objects from an application and need to come back weeks or months later and still get the object, but the application is unable to have any way to get notified of changes. So I need a value that never changes.

Michael Stum
  • When and why would the objectSID ever change and how would that occur? – joeqwerty Jan 22 '10 at 20:15
  • @joeqwerty See the answer from Matt Simmons. SIDs can change and do change, hence there is even an AD field for "Previous SIDs". I do not know the exact causes, but certain changes to the domain may change the SID. I had some "fun" with that: http://serverfault.com/questions/75912 – Michael Stum Jan 22 '10 at 20:22
  • It makes sense and if I would have thought about it a little more I wouldn't have needed to ask. ;) Thanks much. – joeqwerty Jan 22 '10 at 20:43

4 Answers

16

http://technet.microsoft.com/en-us/library/cc961625.aspx?ppud=4

To copy and paste: SIDs can sometimes change. The SID for a Group object won't change. The values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it keeps that value for life.

Matt Simmons
  • That's the important line: "The reason for using SIDs at all, and not GUIDs, is for backward compatibility." - also: "[objectGUID] that is unique not only in the enterprise but also across the world" - Thanks! – Michael Stum Jan 22 '10 at 20:24
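An added example (not part of this thread or any Microsoft documentation) showing how an application would actually store and later re-find an object by its objectGUID, as the accepted answer recommends. Active Directory returns objectGUID and objectSid as raw bytes over LDAP; the code below decodes both into their canonical string forms, and builds the two AD lookup forms for a stored GUID: the `<GUID=...>` distinguished-name syntax AD accepts as a search base, and an RFC 4515 filter with the binary value escaped. The sample GUID and SID bytes are constructed for the example, not taken from any real directory; the code runs offline and does no LDAP calls. The same SID decoder applies to the sIDHistory attribute, which is where the "Previous SIDs" mentioned in the question comments live after a migration.

```python
import struct
import uuid

# Constructed sample values, NOT from a real directory.
# objectGUID is stored as 16 raw bytes in Microsoft "bytes_le" layout
# (first three fields little-endian, remaining eight bytes in order).
SAMPLE_OBJECT_GUID = bytes.fromhex("10e0f1c2b3a4c5d6e7f8091a2b3c4d5e")

# objectSid binary layout: revision (1 byte), sub-authority count (1 byte),
# 48-bit identifier authority (big-endian), then N little-endian uint32
# sub-authorities. This one encodes S-1-5-21-1234567890-987654321-1122334455-1105.
SAMPLE_OBJECT_SID = bytes.fromhex(
    "0105" "000000000005" "15000000" "d2029649" "b168de3a" "f776e542" "51040000"
)


def guid_to_string(raw: bytes) -> str:
    """Decode the 16-byte objectGUID attribute into its canonical text form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def guid_from_string(text: str) -> bytes:
    """Inverse of guid_to_string: canonical text back to the directory's byte layout."""
    return uuid.UUID(text).bytes_le


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid, or one entry of sIDHistory) to S-1-5-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_search_base(guid_text: str) -> str:
    """AD accepts '<GUID=...>' as a DN, so a stored GUID can be used directly
    as the search base (scope BASE) without knowing the object's current DN."""
    return "<GUID=%s>" % uuid.UUID(guid_text)


def guid_ldap_filter(guid_text: str) -> str:
    """Alternative lookup: an RFC 4515 filter on the raw attribute value.
    Every byte must be escaped as \\XX because the value is binary."""
    raw = guid_from_string(guid_text)
    return "(objectGUID=%s)" % "".join("\\%02x" % b for b in raw)


def make_reference(object_guid: bytes, object_sid: bytes) -> dict:
    """What the application should persist: the GUID is the durable key,
    the SID is kept only as a hint (it can change, e.g. after a domain migration)."""
    return {"guid": guid_to_string(object_guid), "sid_hint": sid_to_string(object_sid)}


if __name__ == "__main__":
    ref = make_reference(SAMPLE_OBJECT_GUID, SAMPLE_OBJECT_SID)
    print("stored reference:", ref)
    print("search base:", guid_search_base(ref["guid"]))
    print("filter:", guid_ldap_filter(ref["guid"]))
```

On revisit, search with base `guid_search_base(ref["guid"])` and scope BASE (or the filter form against the domain root); if the entry is gone the object was deleted and, as the thread notes, any re-created account is a different object with a new GUID. Comparing the returned objectSid against `sid_hint` and scanning sIDHistory is a useful secondary consistency check, not a key.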
1

If there is a GUID associated with it, it should never change as GUID stands for Globally Unique Identifier

Nunya
0

The GUID shouldn't change if you leave the computer as a member of the domain and rename it, but as stated, removing it from the domain and adding it back in creates a new object.

Owen
-1

"When an object is assigned a GUID, it keeps that value for life."

Not sure how true this is. I tested this by adding a computer to an AD domain and recording the GUID. I then removed the computer from the domain, renamed it, and then added it back to the same domain. The GUID was different on the computer. I am curious if anyone else can verify this as well.

  • It is like that because you removed the object and created it anew, so it's not the same object anymore (as evidenced by the new GUID). The object isn't the computer, but the computer's account in the domain. – Falcon Momot Oct 08 '13 at 04:28