I have two AD groups which were erroneously created while there should instead have been only one group; they contain the exact same users. However, these groups have been assigned various permissions on various resources (like file shares), and I'm unable to track all of them and reset them to only refer to one group.

Can I "merge" the two groups if I delete one of them and put its SID in the SID history of the other one? Will this allow the members of the remaining group to access those resources for which permissions have been granted to the deleted one?


Update:

Looks like there is no easy way to add a SID to the SID history of a user or group; at least, both ADUC and ADSIEdit are unable to do this. If the above-described trick works, how can this actually be accomplished?

Massimo
  • I don't believe you can do this...but that said, you may consider removing the members from one group and just nesting the one that contains the users inside the other. That should allow you to keep both in ACLs and still function ok, I would presume. – TheCleaner Dec 04 '13 at 21:58
    Sorry, meant to add...that would allow you to only have to update the one that still had members remaining for adds/removes of users in that group. Take the group that has no members in it and rename it to something like "IT NEEDS TO CHECK" - then you could just make a note that anytime you ever see this (or run an ACL query for it) to change it to the nested group instead...eventually you could remove the "top level" group itself. – TheCleaner Dec 04 '13 at 22:09
  • This is already our situation; the groups have already been nested. But we would really like to get rid of one useless group. – Massimo Dec 05 '13 at 07:14

1 Answer

You can't modify the SIDHistory attribute as it's a protected attribute.

One of the only supported methods of doing so is using the AD Migration Tool. There are some PowerShell scripts, but they all would require that the groups reside in different domains/forests.

The only way you would be able to accomplish this is as TheCleaner specified. You would make the group that you want to use moving forward (group 1) a member of the "legacy" group (group 2) so that all members of group 1 are members of group 2. You would then remove the users from group 2 and just add new users to group 1.

HostBits
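The nesting approach the answer describes, together with the ACL query TheCleaner mentions in the comments, written out in PowerShell. This is an added example and not code from the question, the answer or the comments; the group names 'Group1-Keep' and 'Group2-Legacy' and the share path '\\fileserver\share' are assumed placeholders for your own environment, and the script relies on the ActiveDirectory module (RSAT) being installed and on rights to modify both groups.

```powershell
# Added example (not from the original question or answer). Assumed names:
# 'Group1-Keep'   = the group you will manage going forward (group 1 in the answer)
# 'Group2-Legacy' = the duplicate group kept only because ACLs reference it (group 2)
# '\\fileserver\share' = a share whose ACLs may still name the legacy group
Import-Module ActiveDirectory

$keepName   = 'Group1-Keep'        # assumed
$legacyName = 'Group2-Legacy'      # assumed
$sharePath  = '\\fileserver\share' # assumed

$keep   = Get-ADGroup -Identity $keepName
$legacy = Get-ADGroup -Identity $legacyName

# 1. Nest the kept group inside the legacy group, so every member of $keep
#    is an effective member of $legacy and inherits its ACL grants.
$alreadyNested = Get-ADGroupMember -Identity $legacy |
    Where-Object { $_.DistinguishedName -eq $keep.DistinguishedName }
if (-not $alreadyNested) {
    Add-ADGroupMember -Identity $legacy -Members $keep
}

# 2. Remove direct user members from the legacy group, but only those who are
#    already direct members of the kept group, so nobody loses access.
$keepUsers   = @(Get-ADGroupMember -Identity $keep   | Where-Object { $_.objectClass -eq 'user' })
$legacyUsers = @(Get-ADGroupMember -Identity $legacy | Where-Object { $_.objectClass -eq 'user' })
$keepSids    = $keepUsers | ForEach-Object { $_.SID.Value }

$safeToRemove = $legacyUsers | Where-Object { $keepSids -contains $_.SID.Value }
$missingFromKeep = $legacyUsers | Where-Object { $keepSids -notcontains $_.SID.Value }

if ($missingFromKeep) {
    # These accounts would lose access if removed now; add them to $keep first.
    Write-Warning ("In {0} but not in {1}: {2}" -f $legacyName, $keepName,
        ($missingFromKeep.SamAccountName -join ', '))
}
if ($safeToRemove) {
    Remove-ADGroupMember -Identity $legacy -Members $safeToRemove -Confirm:$false
}

# 3. Report explicit (non-inherited) ACEs under the share that still grant the
#    legacy group access, so they can be re-pointed at $keep over time and the
#    legacy group eventually deleted. Compares by SID so renames do not matter.
function Find-AcesForSid {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sid
    )
    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }
                try {
                    $aceSid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch {
                    continue   # orphaned or untranslatable identity; skip it
                }
                if ($aceSid -eq $Sid) {
                    [pscustomobject]@{
                        Path    = $dir
                        Rights  = $ace.FileSystemRights
                        Type    = $ace.AccessControlType
                    }
                }
            }
        }
}

Find-AcesForSid -Path $sharePath -Sid $legacy.SID.Value | Format-Table -AutoSize
```

Step 2 deliberately refuses to remove anyone who is not already in the kept group and only warns about them; run it once, add the warned accounts to the kept group, then run it again. Step 3 only lists ACEs and changes nothing, so it can be run on any share or folder tree to build the inventory the question says is missing; once that list is empty, the legacy group can be deleted without anyone losing access.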