Remove SID History After Migration For One Or More Users

Written By Mohit Kumar Jha
Approved By Anuraag Singh
Modified On August 1st, 2025
Reading Time: 8 Minutes

Admins in charge of an Active Directory migration often have to remove SID history once the migration completes. Many new admins are unaware of how important it is to clear legacy security identifiers out of the new AD environment.


Moreover, deleting this immutable identifier is not as easy as it seems. That is why in this blog we explain the risks of keeping old SIDs and give several ways of safely removing the SID History attribute.

What is SID History? Why Do Admins Clean Up SID History After Migration?

Security Identifier history plays an important role in cross-forest Active Directory migrations by establishing the trust relationship between the old and the new identity of an object.
As soon as an object moves into the new environment, the target AD assigns it a SID of its own, and the old value is stored in the sIDHistory attribute, which keeps track of what resources the object had access to. This provides the much-needed backward compatibility.
However, after the migration the same backlink can turn into a security risk and lead to other complications. Some of them are:

  • Unauthorized Resource Access: The old AD is not always decommissioned after migration. Outdated SIDs can then let principals from the source AD gain entry into the new system, increasing the risk of data breaches.
  • Excess Token Bloat: Admins want to make their Active Directory infrastructure as efficient as possible. Accounts that have been in AD for a long time often carry multiple SID history values, especially if nobody cleaned up after earlier migrations. This can cause problems like Kerberos token bloat. So it is best to remove SID history, either for one user at a time or for all users at once.


  • AD Compliance Requirements: Critical industries that rely on AD can't afford to let their data leak, so they are often mandated by law to clear out all potential sources of information breaches, SID History included. This has the added benefit of making the environment easier to audit.
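Before choosing a cleanup method it helps to know how much SID history the domain actually carries and where it came from. The following audit script is an added example, not part of the original article: it lists every user object with sIDHistory, counts the values per account (the accounts most exposed to token bloat) and groups the values by the source domain each SID belongs to. It assumes the RSAT ActiveDirectory module and read access to the domain; the search base and output path are placeholders.

```powershell
# Added example: audit sIDHistory before cleanup (not part of the original article).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Placeholder: the OU (or domain root) you want to audit.
$SearchBase = "DC=yourdomain,DC=com"

# Every user that still carries at least one historical SID.
$users = Get-ADUser -SearchBase $SearchBase -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory

# One row per account with the number of legacy SIDs it carries and the
# domains they came from. The domain part of a SID is everything before the
# final '-' (the RID), so stripping that suffix yields the source domain SID.
$report = foreach ($u in $users) {
    $sids = @($u.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        SidHistoryCount = $sids.Count
        SourceDomains   = ($sids | ForEach-Object { $_ -replace '-\d+$', '' } | Sort-Object -Unique) -join ';'
    }
}

# Accounts with the most values are the first candidates for token-bloat trouble.
$report | Sort-Object SidHistoryCount -Descending | Format-Table -AutoSize

# Summary by source domain SID: shows which old domains still have a foothold.
$users | ForEach-Object { $_.sIDHistory } |
    ForEach-Object { $_.Value -replace '-\d+$', '' } |
    Group-Object | Select-Object Name, Count | Sort-Object Count -Descending

# Keep a copy of the report for the change record (placeholder path).
$report | Export-Csv -Path "C:\Temp\SidHistoryAudit.csv" -NoTypeInformation
```

The per-domain summary is the useful part for a migration review: a source domain SID that should no longer exist in the environment but still appears in the summary is exactly the "unauthorized resource access" case described above.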

Now that we know all about SID history and reasons to remove it, let’s go over the manual options admins have at their disposal. If you’re looking for broader strategies for managing your Active Directory, including dealing with inactive users, you might find this guide on exporting inactive users from Active Directory helpful.

How Admins Can Remove SID History for One User or More via PowerShell

But why are we using PowerShell? Isn’t there an easier way?

The reason is that SID history is not an attribute that standard AD tools like ADUC (Active Directory Users and Computers) or ADAC (Active Directory Administrative Center) can modify.

This is because SID History is a protected attribute owned by the Security Accounts Manager (SAM).

So administrators must use alternative techniques, like PowerShell. Given below is a script that prints a list of all user objects with SID history, performs the cleanup, then prints the same list again for visual confirmation:

# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Specify the OU where your migrated users reside. CHANGE THIS TO YOUR OU PATH!
$MigratedUsersOU = "OU=MigratedUsers,DC=yourdomain,DC=com"

# --- Step 1: Find and View SIDHistory ---
Write-Host "--- Finding users with SIDHistory in OU: $MigratedUsersOU ---" -ForegroundColor Yellow
Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory | Select-Object SamAccountName, SIDHistory

# --- Step 2: Remove SIDHistory (with error handling) ---
Write-Host "--- Removing SIDHistory from users in OU: $MigratedUsersOU ---" -ForegroundColor Yellow

# Get users with SIDHistory and remove each historical SID one by one.
$usersWithSidHistory = Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory

if ($usersWithSidHistory) {
    $usersWithSidHistory | ForEach-Object {
        $user = $_.SamAccountName
        # SIDHistory is multi-valued; each entry is a SecurityIdentifier whose .Value is the SID string.
        $_.SIDHistory | ForEach-Object {
            try {
                Set-ADUser -Identity $user -Remove @{SIDHistory = $_.Value} -ErrorAction Stop
                Write-Host "SIDHistory removed from user: $user" -ForegroundColor Green
            }
            catch {
                # Inside catch, $_ is the error record, not the SID.
                Write-Host "ERROR: Failed to remove SIDHistory from user: $user" -ForegroundColor Red
                Write-Host "Error details: $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }
}
else {
    Write-Host "No users with SIDHistory found in the specified OU." -ForegroundColor Green
}

# --- Step 3: Verify SIDHistory Removal ---
Write-Host "--- Verifying SIDHistory Removal ---" -ForegroundColor Yellow
Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory | Select-Object SamAccountName, SIDHistory

Write-Host "--- Script Complete ---" -ForegroundColor Cyan
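The script above clears an entire OU in one go. For the "one user or more" case, and for any change you may need to explain later, a practitioner usually wants a dry run and a backup of the values before they disappear. The function below is an added example, not the article's script: it accepts one or more identities (parameter or pipeline), records every sIDHistory value to a CSV before removal, and uses PowerShell's ShouldProcess so that -WhatIf shows the plan without changing anything. It assumes the RSAT ActiveDirectory module and write rights on the attribute; the backup path and the account names in the usage lines are placeholders.

```powershell
# Added example (not from the original article): remove sIDHistory from one or
# more named users, backing up the values first and honouring -WhatIf/-Confirm.
# Assumes the RSAT ActiveDirectory module and rights to write the attribute.
Import-Module ActiveDirectory

function Remove-SidHistoryFromUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # One or more sAMAccountNames, DNs or GUIDs; pipeline-friendly.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Identity,

        # Where the pre-change backup is written (placeholder path).
        [string]$BackupPath = "C:\Temp\SidHistoryBackup.csv"
    )

    begin { $backup = New-Object System.Collections.Generic.List[object] }

    process {
        foreach ($id in $Identity) {
            $user = Get-ADUser -Identity $id -Properties sIDHistory -ErrorAction Stop
            $sids = @($user.sIDHistory | ForEach-Object { $_.Value })

            if ($sids.Count -eq 0) {
                Write-Verbose "$($user.SamAccountName): no sIDHistory, nothing to do"
                continue
            }

            # Record every value before touching it so the change can be reviewed
            # later (or re-added with the original migration tooling if needed).
            foreach ($sid in $sids) {
                $backup.Add([pscustomobject]@{
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    SIDHistory        = $sid
                    RemovedOn         = (Get-Date).ToString('o')
                })
            }

            # ConfirmImpact 'High' prompts per account by default; -WhatIf only
            # prints the planned change, -Confirm:$false suppresses the prompt.
            if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove $($sids.Count) sIDHistory value(s)")) {
                # Removing all values in one write is one LDAP modify per user
                # instead of one per value.
                Set-ADUser -Identity $user -Remove @{ sIDHistory = $sids } -ErrorAction Stop
                Write-Host "Removed $($sids.Count) value(s) from $($user.SamAccountName)" -ForegroundColor Green
            }
        }
    }

    end {
        if ($backup.Count -gt 0) {
            $backup | Export-Csv -Path $BackupPath -NoTypeInformation -Append
            Write-Host "Backup written to $BackupPath"
        }
    }
}

# Usage (placeholder account names): dry run for one user, then the real change.
# Remove-SidHistoryFromUser -Identity 'jdoe' -WhatIf
# 'jdoe', 'asmith' | Remove-SidHistoryFromUser
```

The backup is written even on a -WhatIf run, which is deliberate: the CSV doubles as the "before" list for the change record, and the rows carry the distinguished name so the entry can be matched back to the object after replication.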

PowerShell isn't the only way to delete insecure SIDs from Active Directory; there are other methods as well.

SID History Cleanup Using ADSI Edit

Caveats:

  • High Risk: One mistake can damage AD.
  • Not Scalable: Best for just a few objects.
  • Limited Auditing: Does not track SID History clean up automatically.
  • Replication: Allow time for changes to replicate.

Steps:

  1. Press Win + R, type adsiedit.msc, and press Enter.
  2. If prompted, select the Default Naming Context.
  3. Navigate to the correct OU/container and find the user/group.
  4. Right-click the object and select Properties.
  5. Go to the Attribute Editor tab and scroll to sIDHistory.
  6. Double-click the attribute. In the multi-value editor, select the old SID(s) and click Remove.
  7. Click OK to apply changes. Admins may have to wait for replication in case of multi-domain environments.

Using LDIFDE (for Bulk Operations)

Make sure you are familiar with LDIF syntax, as an incorrect file causes import errors.

Step 1. Open an elevated Command Prompt and run:

ldifde -f users_with_sidhistory.ldf -d "OU=MigratedUsers,DC=example,DC=com" -r "(&(objectClass=user)(sIDHistory=*))" -l "samaccountname,sIDHistory"

Step 2. Open the exported file in a text editor and save the edited version as users_modified.ldf. For each object, make sure the record follows the modify format below. Every value listed under delete: is removed, and the record must end with a line containing only a hyphen, otherwise LDIFDE rejects it:

dn: CN=SomeUser,OU=MigratedUsers,DC=example,DC=com
changetype: modify
delete: sIDHistory
sIDHistory: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx
-

Step 3. Import the modified file by running the import command:

ldifde -i -f users_modified.ldf -s MyDC.example.com -k -j .

Step 4. Use ADUC or ADAC to confirm that sIDHistory has been removed.

Optional Step. Wait for replication to fully propagate across a multi-domain environment (if you have one).
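Hand-editing an LDIFDE export is where most of the syntax mistakes in Step 2 creep in. The script below is an added example, not part of the article: it queries the same objects the export command would and writes a ready-to-import modify record for each, with one sIDHistory line per value and the hyphen terminator that LDIFDE requires. It assumes the RSAT ActiveDirectory module; the search base and file name are placeholders, and the DNs are assumed to be plain ASCII (a DN with non-ASCII characters would need LDIF's base64 dn:: form, which this example does not handle).

```powershell
# Added example (not from the original article): generate the LDIFDE "modify"
# file for every user that still has sIDHistory, instead of editing the export
# by hand. Assumes the RSAT ActiveDirectory module; paths are placeholders.
Import-Module ActiveDirectory

$SearchBase = "OU=MigratedUsers,DC=example,DC=com"
$OutFile    = "users_modified.ldf"

$users = Get-ADUser -SearchBase $SearchBase -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory

$records = foreach ($u in $users) {
    # One modify record per object. Every value listed is deleted, and the
    # record must end with a line holding only '-' or ldifde rejects it.
    $lines = @(
        "dn: $($u.DistinguishedName)"     # assumes an ASCII DN (no dn:: base64 form)
        "changetype: modify"
        "delete: sIDHistory"
    )
    $lines += $u.sIDHistory | ForEach-Object { "sIDHistory: $($_.Value)" }
    $lines += "-"
    $lines += ""                          # blank line separates records
    $lines -join "`r`n"
}

# SIDs and the DNs assumed here are ASCII, so an ANSI file is what ldifde expects
# without the -u (Unicode) switch.
$records -join "`r`n" | Set-Content -Path $OutFile -Encoding Ascii

Write-Host "Wrote $(@($users).Count) modify record(s) to $OutFile"
# Import afterwards exactly as in Step 3:
#   ldifde -i -f users_modified.ldf -s MyDC.example.com -k -j .
```

Because the file lists every value explicitly rather than deleting the attribute wholesale, the generated records double as a readable record of what was removed from which object; keep the .ldf alongside the ldifde log written by -j.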

The manual methods described above are complicated and leave plenty of room for mistakes. If you're undertaking a larger Active Directory migration, you might be interested in exploring alternatives to traditional tools like ADMT. This article on ADMT replacement and alternatives provides some valuable insights. Don't worry, as we also give you access to a tool that does all the heavy lifting for you.

Best Way to Remove SID History for One User or More During AD Migrations

The latest version of SysTools Migrator for Active Directory brings in a new automated SID history detection and cleanup mechanism. After admins complete an AD migration – a process you can learn more about in this guide on migrating AD objects – they unlock a variety of post-migration options like report generation, GPO manipulation, and of course, SID History removal.


The best part is that admins no longer have to worry about complex scripts, as the entire process runs in a GUI. All an admin has to do is click a few buttons, and their AD becomes free of insecure SID History.

Conclusion

Here, admins saw a variety of ways to remove SID history after migration, be it for one user or for all the accounts in their new Active Directory that were brought over from another domain. This is an important security measure and a sure-shot way to reduce token size as well. We gave instructions on how to approach this task manually via the consoles available in every AD installation and via PowerShell scripts. However, manual methods always carry an element of risk. So it is better to migrate with a tool that offers an automated SID cleanup feature.

Frequently Asked Questions

Q. How do I clear SID history in PowerShell?

SID History cleanup can be done via PowerShell scripts, the GUI-based ADSI Edit, or the LDIFDE command-line tool. If you use our tool to bring AD users over from another domain, you can remove SID history right after the migration ends.

Q. How to check if SID History is enabled or not?

To view whether or not your domain uses the sIDHistory attribute, you can use ADUC. From the View menu enable Advanced Features, then right-click the object > Properties > Attribute Editor and scroll until you see the sIDHistory attribute. You can also use the netdom trust command.

Q. What does removing SIDHistory access denied mean?

It is an error raised by Active Directory when it detects unauthorized changes being made to sensitive attributes like SID history. This issue is most likely to occur if you use ADUC to clean up the SID History.

Q. How do I export SID history to CSV in PowerShell?

Open a PowerShell instance and type:

Import-Module ActiveDirectory

# SIDHistory is multi-valued, so join the values into one cell; otherwise
# Export-Csv writes only the collection's type name instead of the SIDs.
Get-ADUser -Filter {SIDHistory -like "*"} -Properties SIDHistory |
    Select-Object SamAccountName, @{Name = 'SIDHistory'; Expression = { ($_.SIDHistory | ForEach-Object { $_.Value }) -join ';' }} |
    Export-Csv -Path "C:\Temp\UsersWithSIDHistory.csv" -NoTypeInformation

By Mohit Kumar Jha

With 6+ years of experience, Mohit is a Microsoft Certified expert known for his expertise in cloud migration, cybersecurity, and digital forensics. He specializes in Microsoft 365, Exchange Server, and Azure AD migration. Mohit's insights are drawn from extensive practical experience and rigorous testing of the methods and tools discussed, ensuring accurate and actionable guidance for users. As a tech writer, researcher, and editor, he delivers reliable, accurate, and expert-backed insights you can trust.