Content Management and Capture

  • 1.  Change SID of an Active Directory User

    Posted Fri November 01, 2024 06:32 AM

    Hi techies,

    I have a question and maybe some of you had a similar issue in the past. A customer of ours unfortunately deleted two users from the AD system. But these users were owners of some configuration objects in the object store. So currently none of the other admin users have access to these objects. Is there a possibility to create a new user with the SID of the old one or update the SID afterwards in the AD object?

    Many thanks!



    ------------------------------
    Benjamin Just
    Senior Consultant Enterprise Content Management
    TIMETOACT GROUP
    Cologne
    ------------------------------


  • 2.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 02:58 AM

    Hi,

    Creating a new user in Active Directory with the same SID as the deleted user is not straightforward and generally not recommended. Maybe some AD expert will be able to do it. I would rather recommend taking ownership of the objects. As a GCD Admin or ObjectStore Admin, you may be able to update the ownership of configuration objects using the FileNet API or the Administration Console for Content Platform Engine (ACCE):

    • Use ACCE to navigate to the configuration objects and manually reassign ownership or modify permissions.
    • Or, use a custom script via FileNet's APIs to change the owner of these objects to another admin user.



    ------------------------------
    Miroslav Richter
    ------------------------------



  • 3.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 03:06 AM

    Hi Miroslav,

    thanks for your feedback. We talked with AD experts and unfortunately it is not possible to set the SID during the creation process or afterwards. In our case only the deleted users are the owners of the objects and no other user has access. So I am not sure if we can change the owner via API, as we have no other user that has access to the objects. Well, I guess I need to follow some other possibilities.

    Thanks!



    ------------------------------
    Benjamin Just
    Senior Consultant Enterprise Content Management
    TIMETOACT GROUP
    Cologne
    ------------------------------



  • 4.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 03:14 AM

    Can you share with us a screenshot of ACL (Security tab) on ObjectStore level? Is there any ACE with Full Control permission?



    ------------------------------
    Miroslav Richter
    ------------------------------



  • 5.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 03:21 AM

    Hi, yes, there are one group and two users at the OS level that have full permission. But these users also do not see the security settings of the TableDefinition class objects.



    ------------------------------
    Benjamin Just
    Senior Consultant Enterprise Content Management
    TIMETOACT GROUP
    Cologne
    ------------------------------



  • 6.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 03:27 AM

    Go to the Permissions tab on the configuration objects you need to fix, find the Owner property, and overwrite the unknown SID with one of the users who have full permissions at the ObjectStore level. Then, after a refresh of the object, you will be able to change the ACL as you like.



    ------------------------------
    Miroslav Richter
    ------------------------------



  • 7.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 03:44 AM

    Hi Miroslav,

    thanks for the idea, that worked. Many thanks!



    ------------------------------
    Benjamin Just
    Senior Consultant Enterprise Content Management
    TIMETOACT GROUP
    Cologne
    ------------------------------



  • 8.  RE: Change SID of an Active Directory User

    Posted Mon November 04, 2024 10:43 AM

    Have you tried running the security script wizard to update the ACLs on objects owned by these missing accounts?  See here for details: https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=security-script-wizard



    ------------------------------
    RUTH Hildebrand-Lund
    ------------------------------