Udostępnij za pośrednictwem


Powershell - Copy ObjectGuid to MS-DS-ConsistencyGuid

 

Not going to go into much detail on why this is needed just wanted to provide a quick and easy solution to automate this task via PowerShell.  If you plan on leveraging this to handle forest migrations and plan to use the MS-DS-ConsistencyGuid as a source anchor in Azure AD make sure to research these changes first and test.  Azure AD Connect will require some configuration that wont be covered in this post. 

 

This script sample can be ran as a schedule task or just ran by an admin as needed. This cmdlet will only update group and user objects that’s MS-DS-ConsistencyGuid  attribute contain no value.  Unlike most of my scripts I am not looping through the domains in a forest.

 

 get-adobject -ldapfilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE))(!(mS-DS-ConsistencyGuid=*)))" `
     -Properties mail, userprincipalname, objectguid, 'mS-DS-ConsistencyGuid' | ForEach-Object {
         Set-adobject -Identity $_.DistinguishedName -Replace @{'mS-DS-ConsistencyGuid'=$($_.objectguid)}}

Use this to verify it worked

 get-adobject -ldapfilter "(&(|(objectClass=user)(objectClass=group))(!(IsCriticalSystemObject=TRUE)))" `
     -Properties mail, userprincipalname, objectguid, 'mS-DS-ConsistencyGuid' | select `
     samaccountname, mail, objectguid, @{name='ms-ds-consistencyguid';expression={[guid]$_.'ms-ds-consistencyguid'}} -First 10

 

update:

Results

image

Comments

  • Anonymous
    February 01, 2017
    Thank you so much Chad, it is a LIFE SAVER!!!!! We are migrating users from one forest to another and users are already syncing to the tenant.
    • Anonymous
      February 13, 2017
      Great, hopefully it worked for you.
  • Anonymous
    August 31, 2017
    I must be confused or something. When I use get-aduser to retrieve the ms-ds-consistencyguid it's show as what appears to be Hex array. How do I convert it so I can base64 encode to compare the value against the ImmutableID from Azure?
  • Anonymous
    September 05, 2017
    get-aduser chad -Properties "ms-ds-consistencyguid" | select samaccountname, objectguid, @{name='ms-ds-consistencyguid';expression={[GUID]$_.'ms-ds-consistencyguid'}}you can type it as a [guid]
    • Anonymous
      September 08, 2017
      Awesome. thanks a million