Does the ObjectGUID of an AD security group ever change? Can it be changed?

AD Admin 21 Reputation points
2020-04-26T16:14:02.137+00:00

Let's say I am using ADMT to migrate user and group objects from Domain A to Domain B.

Let's assume there is an Active Directory security group in Domain A (source domain) that has an ObjectGUID of 12345.

Does it keep the ObjectGUID 12345 after I use ADMT to migrate it to Domain B (target domain)?

Also, if I use ADConnect to sync objects to Azure AD from Domain B, does it still keep the ObjectGUID of 12345 after it syncs to the cloud?

At what point in the process I described does the ObjectGUID change, if ever? If it DOES change somewhere in the process, is there any way for me to set the ObjectGUID to 12345?


Accepted answer
  1. Richard Mueller 366 Reputation points
    2020-04-26T19:02:43.893+00:00

    The value of objectGUID is assigned by the system when the object is created and cannot be changed. It is read-only. It is unchanged even if the object is moved or renamed.

    However, if the object is synched with Azure, the two objects can be linked by a GUID value. This reference discusses a source anchor attribute, which by default is objectGUID, but can be another GUID attribute:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
