Hello,
Despite common belief, yes, it is possible to remove SIDHistory with PowerShell, but it is not as easy as you might think. Indeed, if you try it like this, it will fail:
Get-ADUser -Identity Test1 -Properties SidHistory | Set-ADUser -Clear SidHistory
Get-ADUser -Identity Test1 -Properties SidHistory | Set-ADObject -Clear SidHistory
Even if you are an administrator of the domain:
The error message can be misleading:
Set-ADUser : Access is denied
So you may want to try running the same cmdlets as SYSTEM on a Domain Controller to rule out a permission issue:
It fails too.
Remove SIDHistory PowerShell
The way to go is to remove the SIDs from SIDHistory one by one. First, you need to identify the SIDs stored in the SIDHistory attribute of the user:
Get-ADUser -Identity Test1 -Properties SidHistory | Select-Object -ExpandProperty SIDHistory
Then you can remove them, one by one:
Set-ADUser -Identity Test1 -Remove @{SIDHistory='S-1-5-21-2318250509-2900162015-863429321-1127'}
Or remove all of them with a simple ForEach-Object loop :
Get-ADUser -Identity Migrated3 -Properties SidHistory | Select-Object -ExpandProperty SIDHistory | Select-Object -ExpandProperty Value
Get-ADUser -Identity Migrated3 -Properties SidHistory | Select-Object -ExpandProperty SIDHistory | Select-Object -ExpandProperty Value | ForEach-Object { Set-ADUser -Identity Migrated3 -Remove @{SIDHistory="$_"} }
Get-ADUser -Identity Migrated3 -Properties SidHistory | Select-Object -ExpandProperty SIDHistory
Here you go: the user no longer has any SIDHistory in your domain. You can easily do this for all users in your domain at the end of your Active Directory migration as a cleanup task; this will reduce your users' token size and improve your security.
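Here is a script that applies the same value-by-value removal to every user in the domain, with an audit export of the SIDs before they are removed and a verification pass at the end. It is an added example, not code from the original post; the parameter names, the CSV backup path and the -WhatIf switch are my own choices, and it assumes the ActiveDirectory module is available and the account can write sIDHistory.

```powershell
# Added example (not from the original post): remove every SIDHistory value from every
# user in the domain, one value at a time, after exporting them for audit/restore.
# Assumptions: ActiveDirectory module available; $SearchBase, $BackupPath and -WhatIf
# are parameters invented for this example.
param(
    [string]$SearchBase,
    [string]$BackupPath = ".\SidHistory-backup-$(Get-Date -Format yyyyMMdd-HHmmss).csv",
    [switch]$WhatIf
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Only users that actually carry a sIDHistory value.
$users = @(Get-ADUser -Filter 'SIDHistory -like "*"' -SearchBase $SearchBase -Properties SIDHistory)

# Record what is about to be removed so it can be audited or re-added if needed.
$backup = @(foreach ($u in $users) {
    foreach ($sid in $u.SIDHistory) {
        # SIDHistory values are SecurityIdentifier objects; .Value is the S-1-5-... string.
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            SID               = $sid.Value
        }
    }
})
$backup | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Found $($backup.Count) SIDHistory entries on $($users.Count) users; exported to $BackupPath"

foreach ($u in $users) {
    foreach ($sid in $u.SIDHistory) {
        # Clearing the whole attribute fails with "Access is denied"; removing each value works.
        Set-ADUser -Identity $u.DistinguishedName -Remove @{SIDHistory = $sid.Value} -WhatIf:$WhatIf
    }
}

# Verify: nothing should be left unless -WhatIf was used.
$left = @(Get-ADUser -Filter 'SIDHistory -like "*"' -SearchBase $SearchBase -Properties SIDHistory)
Write-Host "Users still carrying SIDHistory: $($left.Count)"
```

Run it once with -WhatIf to review the CSV and the planned changes before doing the real cleanup.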
Are you really gonna remove SID?
Yes, you can remove SID History with this method.