
Remove SID History After Migration For One Or More Users

Written By Mohit Jha
Approved By Anuraag Singh  
Published On March 10th, 2025
Reading Time 6 Minutes

Admins in charge of an Active Directory migration often have to remove SID history once the migration completes. Many new admins are unaware of how important it is to clear legacy security identifiers out of the new AD environment.
Moreover, deleting this immutable identifier is not as easy as it seems. That is why this blog explains the risks of keeping old SIDs around and gives several ways of safely removing the SID History attribute.

What is SID History and Why Do Admins Have to Remove It After Migration?

Security Identifier (SID) history plays an important role in cross-forest Active Directory migrations by carrying an object's old identity across the trust relationship.
As soon as an object is moved into the new environment, the target AD assigns it a new SID, and the old value is stored in the SIDHistory attribute, which keeps track of what resources the object had access to. This provides the much-needed backward compatibility.
However, once the migration is complete, the same backlink can turn into a security risk and lead to other complications. Some of them are:

  • Unauthorized Resource Access: The old AD is not always decommissioned after migration. An outdated SID left in history can let principals from the source AD gain entry into the new system, increasing the risk of data breaches.
  • Excess Token Bloat: Admins want their Active Directory infrastructure to be as efficient as possible. Users who have been in AD for a long time often have multiple SID history values attached to them, especially if earlier cleanups were skipped, and every one of those values is added to the user's Kerberos token, which can cause token bloat. So it is best to remove SID history, whether for one user at a time or for all users at once.
  • AD Compliance Requirements: Critical industries that rely on AD can't afford to let their data leak, so they are often mandated by law to clear out every potential source of information breach, SID History included. This has the added benefit of making the environment easy to audit.

Now that we know all about SID history and reasons to remove it, let’s go over the manual options admins have at their disposal. If you’re looking for broader strategies for managing your Active Directory, including dealing with inactive users, you might find this guide on exporting inactive users from Active Directory helpful.

How Can Admins Remove SID History for One User or More via PowerShell?

Unlike many other attributes that the standard AD tools ADUC (Active Directory Users and Computers) and ADAC (Active Directory Administrative Center) can modify, SID history can't be edited directly in those consoles. This is because SID History is a protected attribute owned by the Security Accounts Manager (SAM).
So administrators must use alternative techniques, such as PowerShell. Below is a script that lists every user in an OU that carries SID history, removes the values, then lists the same users again for visual confirmation (an empty second listing means the removal succeeded). Before running it, make sure that resources in the source domain that are still permissioned with the old SIDs have been re-ACLed, because removing SID history ends the backward compatibility described above:

# Specify the OU where your migrated users reside.  CHANGE THIS TO YOUR OU PATH!
$MigratedUsersOU = "OU=MigratedUsers,DC=yourdomain,DC=com"

# --- Step 1: Find and View SIDHistory ---
Write-Host "--- Finding users with SIDHistory in OU: $MigratedUsersOU ---" -ForegroundColor Yellow
Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory | Select-Object SamAccountName, SIDHistory

# --- Step 2: Remove SIDHistory (with error handling) ---
Write-Host "--- Removing SIDHistory from users in OU: $MigratedUsersOU ---" -ForegroundColor Yellow

# Get users with SIDHistory and remove each value individually.
$usersWithSidHistory = Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory

if ($usersWithSidHistory) {
    $usersWithSidHistory | ForEach-Object {
        $user = $_.SamAccountName
        # SIDHistory is multi-valued; each entry is a SecurityIdentifier whose .Value is the S-1-5-... string.
        $_.SIDHistory | ForEach-Object {
            $sid = $_.Value
            try {
                Set-ADUser -Identity $user -Remove @{SIDHistory = $sid} -ErrorAction Stop
                Write-Host "SIDHistory value $sid removed from user: $user" -ForegroundColor Green
            }
            catch {
                # Inside catch, $_ is the error record, not the SID.
                Write-Host "ERROR: Failed to remove SIDHistory value $sid from user: $user" -ForegroundColor Red
                Write-Host "Error details: $($_.Exception.Message)" -ForegroundColor Red
            }
        }
    }
}
else {
    Write-Host "No users with SIDHistory found in the specified OU." -ForegroundColor Green
}

# --- Step 3: Verify SIDHistory Removal ---
Write-Host "--- Verifying SIDHistory Removal ---" -ForegroundColor Yellow
Get-ADUser -SearchBase $MigratedUsersOU -Filter {SIDHistory -like "*"} -Properties SIDHistory | Select-Object SamAccountName, SIDHistory

Write-Host "--- Script Complete ---" -ForegroundColor Cyan
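As an added example (not from the original post or from SysTools), the following function scopes the same removal to a single named user, supports -WhatIf for a dry run, and writes every value it removes to an audit CSV so the change is traceable and the old SID can be looked up from the log if access to a source-domain resource breaks. The function name, the user name jdoe and the CSV path are placeholders; it assumes the ActiveDirectory module is loaded and the caller may write sIDHistory.

```powershell
# Added example: remove SID history from ONE user, with a dry-run switch and an audit trail.
function Remove-UserSidHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,                               # the one migrated user to clean
        [string]$AuditCsv = ".\sidhistory-removal-audit.csv"   # placeholder path, change as needed
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
    if (-not $user.SIDHistory -or $user.SIDHistory.Count -eq 0) {
        Write-Host "No SIDHistory on $SamAccountName, nothing to do." -ForegroundColor Green
        return
    }
    foreach ($sid in $user.SIDHistory) {
        # Each value is a SecurityIdentifier. Resolving it to the source-domain account
        # only works while the trust to the old domain is still in place.
        try   { $sourceAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sourceAccount = "<unresolved>" }
        # ShouldProcess gives the function -WhatIf and -Confirm; a dry run stops here.
        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove SIDHistory value $($sid.Value)")) {
            continue
        }
        try {
            Set-ADUser -Identity $user -Remove @{SIDHistory = $sid.Value} -ErrorAction Stop
            $result = "Removed"
        }
        catch {
            $result = "Failed: $($_.Exception.Message)"
        }
        # One audit row per value: who removed what, from whom, and whether it worked.
        [pscustomobject]@{
            Timestamp      = (Get-Date).ToString("o")
            SamAccountName = $user.SamAccountName
            RemovedSid     = $sid.Value
            SourceAccount  = $sourceAccount
            Operator       = "$env:USERDOMAIN\$env:USERNAME"
            Result         = $result
        } | Export-Csv -Path $AuditCsv -Append -NoTypeInformation
        Write-Host "$SamAccountName : $($sid.Value) ($sourceAccount) -> $result"
    }
}

# Dry run first (prints what would be removed), then run for real.
Remove-UserSidHistory -SamAccountName "jdoe" -WhatIf
Remove-UserSidHistory -SamAccountName "jdoe"
```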

PowerShell isn’t the only way to delete insecure SIDs from Active Directory; there are other methods as well.

Using ADSI Edit

Caveats:

  • High Risk: One mistake can damage AD.
  • Not Scalable: Best for just a few objects.
  • Limited Auditing: Changes aren’t automatically tracked.
  • Replication: Allow time for changes to replicate.

Steps:

  1. Press Win + R, type adsiedit.msc, and press Enter.
  2. If prompted, select the Default Naming Context.
  3. Navigate to the correct OU/container and find the user/group.
  4. Right-click the object and select Properties.
  5. Go to the Attribute Editor tab and scroll to sIDHistory.
  6. Double-click the attribute. In the multi-value editor, select the old SID(s) and click Remove.
  7. Click OK to apply changes. Admins may have to wait for replication in case of multi domain environments.

Using LDIFDE (for Bulk Operations)

Make sure you are familiar with LDIF syntax, as an incorrectly formatted file will cause import errors.

Step 1. Open an elevated Command Prompt and export every user in the OU that carries sIDHistory:

ldifde -f users_with_sidhistory.ldf -d "OU=MigratedUsers,DC=example,DC=com" -r "(&(objectClass=user)(sIDHistory=*))" -l "samaccountname,sIDHistory"

Step 2. Open the exported file in a text editor and turn each entry into a modify operation of the following form (the export lists entries as "changetype: add", but the file you import must delete the values with "changetype: modify"), then save the result as users_modified.ldf:


dn: CN=SomeUser,OU=MigratedUsers,DC=example,DC=com
changetype: modify
delete: sIDHistory
sIDHistory: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx
-

Step 3. Import the modified file by running the import command:

ldifde -i -f users_modified.ldf -s MyDC.example.com -k -j .

Step 4. Use ADUC or ADAC to confirm that sIDHistory has been removed.

Optional Step. Wait for replication to propagate fully across a multi-domain environment (if you have one).
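As an added example (not from the original post or from SysTools), this PowerShell function automates Step 2 of the LDIFDE procedure: it reads the file exported in Step 1, unfolds LDIF continuation lines, collects every sIDHistory value per object, and writes the users_modified.ldf that Step 3 imports, so nothing has to be re-typed by hand. It keeps each value in whatever form ldifde exported it (SID-syntax attributes may appear base64-encoded on a "sIDHistory::" line); the function name and file paths are assumptions.

```powershell
# Added example: build the "delete: sIDHistory" modify file from the ldifde export.
# Assumed file names match Steps 1 and 3 above; adjust if you used others.
# If you exported with "ldifde -u" (Unicode), add -Encoding Unicode to Get-Content and Set-Content.
function ConvertTo-SidHistoryDeleteLdif {
    param(
        [string]$ExportPath = ".\users_with_sidhistory.ldf",
        [string]$OutputPath = ".\users_modified.ldf"
    )
    # Unfold LDIF continuation lines (a line starting with a space continues the
    # previous one), then split the file into one block per object.
    $raw     = Get-Content -Path $ExportPath -Raw
    $raw     = $raw -replace '\r?\n ', ''
    $entries = $raw -split '(?:\r?\n){2,}' | Where-Object { $_ -match '^dn:' }

    $lines   = @()
    $written = 0
    foreach ($entry in $entries) {
        $dn   = $null
        $sids = @()
        foreach ($line in ($entry -split '\r?\n')) {
            # Group 1 is ":" (plain value) or "::" (base64 value). Keep whichever the
            # export used so ldifde decodes it the same way on import.
            if ($line -match '^dn(::?)\s*(.+)$')         { $dn = "$($Matches[1]) $($Matches[2])"; continue }
            if ($line -match '^sIDHistory(::?)\s*(.+)$') { $sids += "$($Matches[1]) $($Matches[2])" }
            # Other lines (changetype: add, sAMAccountName, ...) are not needed for the delete.
        }
        if (-not $dn -or $sids.Count -eq 0) { continue }

        $lines += "dn$dn"
        $lines += "changetype: modify"
        $lines += "delete: sIDHistory"
        foreach ($s in $sids) { $lines += "sIDHistory$s" }
        $lines += "-"
        $lines += ""
        $written++
    }
    Set-Content -Path $OutputPath -Value $lines
    Write-Host "Wrote delete operations for $written object(s) to $OutputPath"
}

ConvertTo-SidHistoryDeleteLdif
```

Review the generated file before importing it; every value listed under "delete: sIDHistory" is removed from that object in Step 3.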

The manual methods described above are complicated and leave plenty of room for mistakes. If you’re undertaking a larger Active Directory migration, you might be interested in exploring alternatives to traditional tools like ADMT. This article on ADMT replacement and alternative provides some valuable insights. Don’t worry: we also give you access to a tool that does all the heavy lifting for you.

Best Way to Remove SID History for One User or More During AD Migrations

The latest version of SysTools Migrator for Active Directory brings in a new automated SID history detection and removal mechanism. After admins complete an AD migration – a process you can learn more about in this guide on migrating AD objects – they unlock a variety of post-migration options like report generation, GPO manipulation, and of course, SID History removal.


The best part is that admins no longer have to worry about complex scripts, as the entire process is GUI-based. All admins have to do is click a few buttons and their AD becomes free of insecure SID History.

Conclusion

Here, admins saw a variety of ways to remove SID history after migration, be it for one user or for all the accounts in their new Active Directory that were brought over from another domain. This is an important security measure and a sure way to reduce token size as well. We gave instructions on how to approach this task manually, via the built-in tools every AD ships with (ADSI Edit and LDIFDE) and via PowerShell scripts. However, manual methods always carry an element of risk, so it is better to migrate with a tool that offers an automated SID cleanup feature.


By Mohit Jha

With 5+ years of experience, Mohit is a Microsoft Certified expert known for his cloud migration, cyber security, and digital forensics expertise. He specializes in Microsoft 365, Exchange Server, and Azure AD migration, ensuring seamless transitions for organizations worldwide. His multifaceted role as a meticulous tech writer, diligent researcher, and astute editor underscores his commitment to delivering cutting-edge digital forensics and cloud migration strategies.