How do I move an object in AD without losing the objects SID?

Document ID : KB000053929
Last Modified Date : 14/02/2018
Show Technical Document Details

Description

You can move accounts between OU's using roles, but this method deletes and recreates the account, removing and replacing the SID of the object.

Solution

You can use the LDAP ldapmodrdn.exe that comes with admin to move an account to a different OU while retaining the original SID.

The ldapmodrdn.exe included under %ETAHOME%\Bin is special and includes the -s parameter to allow for moving of an object without destroying the account SID. The usage is as follows:

Rename LDAP entries

usage: ldapmodrdn [options] [dn rdn]
        dn rdn: If given, rdn will replace the RDN of the entry specified by DN
                If not given, the list of modifications is read from stdin or
                from the file specified by "-f file" (see man page).
Rename options:
   -c continuous operation mode (do not stop on errors)
   -f file read operations from 'file'
   -r remove old RDN
   -s newsup new superior entry

Common options:
   -d level set LDAP debugging level to 'level'
   -D binddn bind DN
   -f file read operations from 'file'
   -h host LDAP server
   -H URI LDAP Uniform Resource Indentifier(s)
   -M enable Manage DSA IT control (-MM to make critical)
   -n show what would be done but don't actually update
   -p port port on LDAP server
   -P version procotol version (default: 3)
   -v run in verbose mode (diagnostics to standard output)
   -w passwd bind passwd (for simple authentication)
   -W prompt for bind passwd
   -x Simple authentication
   -Z Start TLS request (-ZZ to require successful response)

Here is an example using a batch to run the ldapmodrdn.exe:

set HOST=<provisioning_server_machine>
set PORT=20389
set DOMAIN=<provisioning_server_domain>

set BINDDN="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,
eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
set PWD=<etaadmin_password>

set NEWSUPDN="eTADSOrgUnitName=Disabled Users,eTADSOrgUnitName=MPI Users,
eTADSDirectoryName=MyADS,eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"

set OBJECTDN="eTADSAccountName=iamtestad1,eTADSOrgUnitName=Standard Users,
eTADSOrgUnitName=MPI Users,eTADSDirectoryName=MyADS,
eTNamespaceName=ActiveDirectory,dc=%DOMAIN%,dc=eta"

set RDN="eTADSAccountName=iamtestad1"

"%ETAHOME%\Bin\ldapmodrdn.exe" -h %HOST% -p %PORT% -D %BINDDN% -w %PWD%
-s %NEWSUPDN% %OBJECTDN% %RDN%