What Is the SID History?

Read on to learn why and how Windows stores historical SID data.

The SID history is a special attribute of Active Directory objects meant to support migration scenarios. As the name indicates, it contains the previous SID (security identifier) of the object. Although an existing SID itself cannot be changed, an object receives a new SID when it is migrated from one Windows domain to another. Objects such as user accounts may therefore carry historical SIDs from previous domains on top of their current SID.

The reason for storing the historical SID is to allow continued access to resources in the previous domain. While domains are being migrated, users may still need to access resources from the old infrastructure. The problem is that the Access Control Lists (ACLs) on those resources still grant the required permissions to the historical SID. Storing old SIDs alongside new ones therefore allows users to be identified across multiple domains.
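As an added illustration (not code from the article or from tenfold), the following Python model shows why a migrated account keeps its access to an old-domain resource: the sIDHistory values are decoded from the binary layout Active Directory stores, and a simplified ACL check treats current and historical SIDs as the same identity. The domain SIDs, RIDs and the share ACL are constructed sample values.

```python
import struct

# Constructed sample values (not from the article): a user migrated from OLD to NEW domain.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-1234567890-2345678901-3456789012"
GENERIC_READ = 0x80000000

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid/sIDHistory."""
    _, rev, auth, *subs = sid.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit authority
    (big-endian), then little-endian 32-bit sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID blob")
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{blob[1]}I", blob, 8)
    return "S-1-%d" % auth + "".join("-%d" % s for s in subs)

def token_sids(object_sid: bytes, sid_history: list[bytes]) -> set[str]:
    """SIDs the user is identified by: the current SID plus every historical SID."""
    return {bytes_to_sid(object_sid)} | {bytes_to_sid(b) for b in sid_history}

def access_check(acl, token: set[str], requested: int) -> bool:
    """Simplified DACL evaluation: walk ACEs in order; a matching deny on a
    still-ungranted requested bit fails, otherwise collect the allowed bits."""
    granted = 0
    for kind, sid, mask in acl:
        if sid not in token:
            continue
        if kind == "deny" and mask & requested & ~granted:
            return False
        if kind == "allow":
            granted |= mask
    return granted & requested == requested

# The old-domain file share ACL still references the user's OLD SID (RID 1104).
OLD_SHARE_ACL = [("allow", OLD_DOMAIN + "-1104", GENERIC_READ)]
USER_OBJECT_SID = sid_to_bytes(NEW_DOMAIN + "-1105")
USER_SID_HISTORY = [sid_to_bytes(OLD_DOMAIN + "-1104")]

def migrated_user_can_read() -> bool:
    return access_check(OLD_SHARE_ACL, token_sids(USER_OBJECT_SID, USER_SID_HISTORY), GENERIC_READ)
def unmigrated_user_can_read() -> bool:
    return access_check(OLD_SHARE_ACL, token_sids(USER_OBJECT_SID, []), GENERIC_READ)
```

With the historical SID present in the token the old share grants read access; without it, the new-domain SID matches no ACE and access is denied.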

Activating the SID history during domain migration might trigger “token bloat”, also referred to as the “MaxTokenSize problem”, because every historical SID is added to the user's access token.

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.