I've been getting a lot of experience with the Active Directory Migration Tools [ADMT] but it seems like I always have a problem with using SID history between domains. This is more of a reminder for myself how to get SID History to work.

What is SID History

SID History is an attribute of an Active Directory object that stores an old Security IDentifier(SID) mostly commonly used during a migration. So you have an old domain, and you move to a new domain, and the user on the new account maintains access to all of their old files and folders. This saves the hassles of having to re-permission network shares, folder access, applications, etc. In order to use SID history, you must disable SID Filtering and enable SID History on the trust between the domains.

To enable SID History on a trust issue this command:

Netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD:domainadministratorAcct/passwordD:domainadminpwd

What is SID Filtering

The nemesis of SID History is SID Filtering. This is a security measure put into place by default that protects your new environment from attackers that may have broken into the old domain. Although you may think, no one's going to get into the old domain, I think that just about every migration I've done, they leave the original domain up and running and then starts to put a low priority on everything in that domain; patches, access control management, event log review all becomes secondary because no one is on it any more and now becomes a fairly large new attack vector. While it makes sense to leave the old environment up and running, it still needs that same care it has always needed.

So that's why SID Filtering is good, but unfortunately, it completely blocks the use of SID History which would be very important during a migration. This command below disables SID Filtering:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd

External Links

http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true - Technet article about disabling SID filtering
http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true - Technet article about external trusts

This calculation takes the name from a field and turns it into an account name in the format of first initial + last name as well as first name + last initial.

I created this document as part of a migration mapping of user names from a system that used the first name, last initial format for their user accounts and was moving to first intial, last name.

This will take the information in the first column, find the first character [which is hopefully the first character of the username], then get the string from the first character of the last name to the end of the entire string, and finally adding it all together to make the first initial + last name format.
Excel:
=CONCATENATE((LEFT(A2,1)),(MID(A2,(FIND(" ",A2,1)+1),LEN(A2))))

Calc:
=CONCATENATE((LEFT(A2;1));(MID(A2;(FIND(" ";A2;1)+1);LEN(A2))))

This will take the information in the first column, find all the letters from the first character to last character in the first name, and then take the first character that comes after the space between the first name and last name, and finally add them all together to make the firstname + last initial format.
Excel:
=CONCATENATE(LEFT(A2,FIND(" ",A2,1)-1),MID(A2,FIND(" ",A2,1)+1,1))
Calc:
=CONCATENATE(LEFT(A2;FIND(" ";A2;1)-1);MID(A2;FIND(" ";A2;1)+1;1))

I'm sure there are Excel gurus out there that could whip this up like nothing, but I thought it was handy and had never used excel for manipulating strings like this before.

Here's an example of the original file:
Excel:username_manipulations.xls
Calc:username_manipulations.ods