First, list the accounts that have SIDHistory set, so there is something to work from.
Get-ADUser -Filter * -Properties SIDHistory | Where-Object SIDHistory
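Strip out the unnecessary data, keeping only SAMAccountName and SIDHistory, then fill those values into the command below and run it. To process groups instead, just change aduser to adgroup.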
Set-ADUser -Identity <<SAMAccountName>> -Remove @{SIDHistory='<<SIDHistory>>'}
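The two steps above combined into one script, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, the backup file path is a hypothetical name, and -WhatIf is left on so nothing changes until the exported list has been reviewed.

```powershell
# Added example; requires the ActiveDirectory module and rights to modify the accounts.
Import-Module ActiveDirectory

# Hypothetical output path: keeps a record of every value before it is removed.
$backupPath = '.\sidhistory-backup.csv'

# SIDHistory is multi-valued, so emit one row per (account, SID) pair.
$rows = @(
    Get-ADUser -Filter * -Properties SIDHistory |
        Where-Object SIDHistory |
        ForEach-Object {
            foreach ($sid in $_.SIDHistory) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    SIDHistory     = $sid.Value   # string form, S-1-5-...
                }
            }
        }
)

if ($rows.Count -eq 0) {
    Write-Output 'No user accounts with SIDHistory found.'
    return
}

# Only SAMAccountName and SIDHistory are kept, as described above.
$rows | Export-Csv -Path $backupPath -NoTypeInformation -Encoding UTF8

foreach ($row in $rows) {
    # -WhatIf only reports what would change; remove it to apply.
    Set-ADUser -Identity $row.SamAccountName -Remove @{ SIDHistory = $row.SIDHistory } -WhatIf
}
```

For groups, swap Get-ADUser and Set-ADUser for Get-ADGroup and Set-ADGroup.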
References:
I need to identify all users with SIDhistory for a migration
https://stackoverflow.com/questions/43877310/i-need-to-identify-all-users-with-sidhistory-for-a-migration
AD Security - [Day33] Let's Learn AD Security Together!: Active Directory Object Modification (1) - SID-History injection
https://ithelp.ithome.com.tw/articles/10309207