I accidentally deleted a user account, and need to recreate it with the same SID. I've created a new user account with the same name, but how do I edit the objectSid attribute? ADSIEDIT errors with "Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)". Any other methods?

  • I'm giving rep to this question because even though it's something you can't do and shouldn't try, it's a good one and an important point to highlight. :) – Maximus Minimus Aug 13 '09 at 13:15

3 Answers

You can't. You have to do an authoritative restore of the user account in order to get a user back. Have a look at this Technet article.

squillman

I know this question has been answered, but for the future you may also look at the tools out there like Quest's Recovery Manager for Active Directory. If you have a system state backup it can recover the object without a reboot of the DC. They've been known to work with folks in a situation like yours to try and get you up and running in hopes of getting a sale. Better, though, is to already have it licensed and in place in case there's a major issue, like someone deleting an OU or something drastic like that.

K. Brian Kelley
  • +1, good suggestion. Also investigate if your standard backup software can do granular AD restores. – Maximus Minimus Aug 13 '09 at 16:30
  • +1 here also. I'll attest to Quest's excellent pre-sale support. I use their LiteSpeed product for SQL Server backups and my rep has bent over backward for me prior to receiving our PO. – squillman Aug 14 '09 at 11:47

The answer I'm afraid is "you don't". A good writeup of what SIDs are, what they're used for and how they work is here: http://technet.microsoft.com/en-us/library/cc961998.aspx which should make the reasons why obvious.


Update for 2017

The Active Directory Recycle Bin has been a feature since Windows Server 2008 R2. It's designed for just the scenario in the OP (recovering accidentally deleted objects - "Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers."), removes the need for third-party software (which doesn't always interoperate cleanly, and is not always robust in the face of OS updates), incurs minimal overhead, and has saved my own ass a number of times. Highly recommended.

Maximus Minimus
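The Recycle Bin route from the 2017 update, as an added PowerShell example that is not taken from any of the answers above. It assumes the ActiveDirectory module, Domain Admin rights, a forest functional level of Windows Server 2008 R2 or later, and uses placeholder values for the forest name and the deleted account; the final check shows why restoring beats re-creating: the original objectSid comes back with the object.

```powershell
# Added example, not from the original answers. Placeholder values below.
Import-Module ActiveDirectory

$forest  = 'contoso.example'   # placeholder: forest DNS name
$account = 'jdoe'              # placeholder: sAMAccountName of the deleted user

# 1. Enable the Recycle Bin once per forest. This is irreversible, and only
#    objects deleted AFTER it is enabled keep all attributes; older deletions
#    are plain tombstones with most attributes stripped.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target $forest -Confirm:$false
}

# 2. Locate the deleted object. Deleted objects are renamed "<cn>\0ADEL:<guid>"
#    and moved to the Deleted Objects container, so search on isDeleted plus
#    sAMAccountName, which is preserved on deletion. The backtick stops
#    PowerShell from interpolating $true before the filter parser sees it.
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$account'" `
                        -IncludeDeletedObjects `
                        -Properties objectSid, lastKnownParent, sAMAccountName
if (-not $deleted) { throw "No deleted object found for '$account'" }
Write-Host "Found $($deleted.Name) (SID $($deleted.objectSid)) formerly under $($deleted.lastKnownParent)"

# 3. Restore it. This reanimates the ORIGINAL object, so the SID and the
#    linked attributes (group memberships) return with it. Restore-ADObject
#    defaults to the lastKnownParent; pass -TargetPath if that OU is gone.
Restore-ADObject -Identity $deleted.ObjectGUID

# 4. Verify the SID survived. A newly created account with the same name
#    gets a fresh RID and can never match this value, which is exactly why
#    objectSid is SAM-owned and not editable through ADSIEDIT.
$restored = Get-ADUser -Identity $account -Properties objectSid
if ($restored.objectSid.Value -eq $deleted.objectSid.Value) {
    Write-Host 'SID preserved: the account was restored, not re-created'
} else {
    Write-Warning 'SID mismatch: the object found is not the original account'
}
```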