Reputation: 11
I need to import a few users with their SID (and SID History) from our Training domain to our Production domain (we have two separate network setups). Our requirement is that users need to log in to their existing PC's local profile once they move to the Production environment.
Our setup: Training domain: melbourne.com, Domain controller: Training
Production domain: melbourne.com, Domain controller: Production
Note: I tried ADMT, but it does not allow the source and target to have the same domain name. I would really appreciate anyone's expertise on this scenario to import AD users and computers.
Upvotes: 1
Views: 5065
Reputation: 117
ADMT is the only supported way of modifying the sIDHistory attribute. That is why I have created a PowerShell cmdlet that can directly modify the Active Directory database and add any value to the sIDHistory attribute.
Here is an example:
Import-Module DSInternals
Stop-Service ntds
Add-ADDBSidHistory -SamAccountName John -SidHistory S-1-5-21-3623811102-3361044346-30300840-500 -DBPath C:\Windows\NTDS\ntds.dit
Start-Service ntds
You can of course create a CSV file with the SamAccountName and SidHistory columns and import it this way:
Import-Csv user.csv | Add-ADDBSidHistory -DBPath C:\Windows\NTDS\ntds.dit
The Add-ADDBSidHistory cmdlet is part of my DSInternals PowerShell Module. Use it at your own risk.
Upvotes: 1
Reputation: 54881
This question is more suited for Super User or Server Fault, as it's not a specific programming/script question.
SIDs are unique per domain, so AFAIK you can't transfer accounts between two separate domains.
S-1-5-21-**3623811015-3361044348-30300820**-1013
Bold text is "Domain or local computer identifier".
Read more about it at Wikipedia - Security Identifier
What you could do is create a new account in the production domain for the user, and add the testing-domain SID in the prod-account's sidhistory attribute.
Upvotes: 1
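A review step for a CSV in the SamAccountName/SidHistory layout from the first answer, splitting each SID into the domain identifier and RID described in the second answer so that privileged or same-domain values are caught before they are written or during a later audit. This is an added example, not part of either answer or of DSInternals; the function name Test-SidHistoryEntry, the target domain SID and all sample rows except John's are constructed for illustration.

```powershell
function Test-SidHistoryEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SidHistory,
        [Parameter(Mandatory)][string]$TargetDomainSid
    )
    begin {
        # Well-known privileged RIDs that a user migration should never carry over.
        $privileged = @{ 500 = 'Administrator'; 502 = 'krbtgt'; 512 = 'Domain Admins'
                         518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
    }
    process {
        $findings = @()
        try {
            $sid    = [System.Security.Principal.SecurityIdentifier]::new($SidHistory)
            $domain = $sid.AccountDomainSid          # $null for SIDs such as S-1-5-32-544
            $rid    = [int64]$sid.Value.Split('-')[-1]
            if ($null -eq $domain) {
                $findings += 'not a domain account SID'
            } else {
                if ($domain.Value -eq $TargetDomainSid) { $findings += 'SID belongs to the target domain itself' }
                if ($rid -lt 1000) {
                    $name = $privileged[[int]$rid]
                    $findings += $(if ($name) { "privileged RID $rid ($name)" } else { "built-in RID $rid" })
                }
            }
        } catch {
            $findings += 'malformed SID'
        }
        [pscustomobject]@{
            SamAccountName = $SamAccountName
            SidHistory     = $SidHistory
            Status         = $(if ($findings.Count) { 'review' } else { 'ok' })
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample input; John's SID is the one used in the answer above.
$rows = @'
SamAccountName,SidHistory
John,S-1-5-21-3623811102-3361044346-30300840-500
Alice,S-1-5-21-3623811102-3361044346-30300840-1105
Bob,S-1-5-21-1111111111-2222222222-3333333333-1106
Carol,S-1-5-32-544
Dave,not-a-sid
'@ | ConvertFrom-Csv

# Constructed placeholder; on a live domain controller this would be (Get-ADDomain).DomainSID.Value
$rows | Test-SidHistoryEntry -TargetDomainSid 'S-1-5-21-1111111111-2222222222-3333333333' | Format-Table -AutoSize
```

Only Alice's row comes back as `ok`; the same function can be fed the output of `Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory` after expanding each sIDHistory value into its own row.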