
I am seeing groups that either contain the current or prior SidHistory for a user in a large complex AD Forest with many domains.

  • Is it possible to look at the first half of the SidHistory and identify which Tree or Domain a particular Sid entry came from?

  • Is this behavior expected? Under what conditions?

  • Should these groups, with legacy Sids, be cleaned up somehow? (or not)

Ran Dom

2 Answers


Is it possible to look at the first half of the SidHistory and identify which Tree or Domain a particular Sid entry came from?

Not usually. SIDHistory SIDs are typically from domains that were migrated from and hopefully no longer exist. If they do exist you could try running Sysinternals psgetsid.exe [SID] to see if it resolves to something.

Is this behavior expected? Under what conditions?

Yes, when your organization performed a migration that created the SIDHistory SIDs.

Should these groups, with legacy Sids, be cleaned up somehow?

Yes, that's the concept.

Greg Askew

Is it possible to look at the first half of the SidHistory and identify which Tree or Domain a particular Sid entry came from?

Assume that Domain A is your source domain and Domain B is your destination domain. If the account is migrated with SID History, the migrated account in Domain B will have an attribute that holds the SID of the original account from Domain A.

Is this behavior expected? Under what conditions?

As said above, if the account is migrated with SID History.

Should these groups, with legacy Sids, be cleaned up somehow? (or not)

You can use a script to remove the SID history attribute.

joyceshen
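The first answer notes that a sIDHistory prefix can only be resolved if the source domain still exists, and the second explains that the value is the SID of the original account in the source domain. The following Python audit is an added example, not code from either answer: it splits each sIDHistory value into its domain prefix and RID, matches the prefix against an inventory of domain SIDs still present in the forest, and reports values whose prefix is unknown (likely from a decommissioned source domain, so cleanup candidates) or whose RID falls in the well-known range. All SIDs, domain names and group names are constructed, and the inventory is assumed to have been collected beforehand.

```python
import re
from collections import defaultdict

# Constructed inventory of domain SIDs still present in the forest (assumption:
# collected beforehand, e.g. with Get-ADDomain in each domain). Not real SIDs.
KNOWN_DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "corp.example",
    "S-1-5-21-4444444444-5555555555-6666666666": "emea.corp.example",
}

# Constructed sample: group name -> its sIDHistory values (not real data).
SAMPLE_OBJECTS = {
    "GRP-Finance": ["S-1-5-21-1111111111-2222222222-3333333333-1105",
                    "S-1-5-21-7777777777-8888888888-9999999999-1342"],
    "GRP-Legacy-Admins": ["S-1-5-21-7777777777-8888888888-9999999999-512"],
    "svc-broken": ["S-1-5-21-abc"],
}

# A domain SID is S-1-5-21-<three 32-bit subauthorities>; the trailing RID
# names the account or group inside that domain.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID) for an NT domain SID, or None if malformed."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def classify_sid_history(objects, known=KNOWN_DOMAIN_SIDS):
    """Bucket every sIDHistory value by the domain its prefix identifies.
    Prefixes not in the inventory go to 'unknown': the source domain was most
    likely decommissioned after migration, so the value is a cleanup candidate."""
    report = defaultdict(list)
    for name, sids in objects.items():
        for sid in sids:
            parts = split_sid(sid)
            if parts is None:
                report["malformed"].append((name, sid, None))
                continue
            domain_sid, rid = parts
            report[known.get(domain_sid, "unknown")].append((name, sid, rid))
    return dict(report)


def well_known_rid_entries(report):
    """Entries with a RID below 1000, the range reserved for built-in principals
    (512 is Domain Admins); review these by hand before any bulk cleanup."""
    return [e for origin, entries in report.items() if origin != "malformed"
            for e in entries if e[2] < 1000]
```

Feed it the sIDHistory values exported from each group and compare the "unknown" bucket against the list of domains that were actually decommissioned before scripting any removal.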