When working with the AddSidHistory call, I was getting this error. I was stumped as I had followed all of the permissions required for the account running the script. (These are all documented in the clonepr.doc.)
It turns out it was one or possibly two things:
1. For some reason, the delegate control for “Migrate SID” wasn’t on one of the OUs, even though I’d granted it at root level. (Probably a user error there as it was late in the day.)
2. This was a lab environment and I thought I was working off of PDCs, but nope. Turns out there were PDCs hidden from me.
In total, here are the permissions I granted the service account:
– delegate control to migrate SIDs.
– Administrator member on source domain and Domain Admin on target domain.
– Create the target group domainName = “$$$” to hold users having their SIDs migrated. (Don’t put the users in there, the code will do that for you.)
– Granted the service account Full Control over the target OU and Read over the source OU. (This may be overkill, and I’d think adding the user to Domain Admins should do that anyway, but the client has a complex AD security structure.)
– Enabled the event logging for changes to SIDs via the Account Management option in Local Policies (clonepr.doc has the steps to do this).
– Ran the script on the target PDC.
Hope that helps someone.
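As an added example (not part of the original post), here is a PowerShell check for the prerequisites listed above before running the migration again: that you are on the target PDC emulator, that the service account holds the admin memberships, that the “$$$” audit group exists and is empty, and that Account Management auditing is on. It assumes the ActiveDirectory module, placeholder domain and account names, and the “<SourceNetBIOS>$$$” group naming from clonepr.doc; the “Migrate SID History” OU delegation and OU ACLs still need to be confirmed by hand.

```powershell
# Added prerequisite check for the AddSidHistory permissions listed in the post.
# Assumptions: ActiveDirectory module present; run on the host you intend to migrate from;
# all names below are placeholders you must replace.
param(
    [string]$ServiceAccount   = 'svc-sidmig',       # placeholder service account (sAMAccountName)
    [string]$SourceDomain     = 'source.example',   # placeholder source domain
    [string]$TargetDomain     = 'target.example',   # placeholder target domain
    [string]$AuditGroupServer = 'target.example'    # DC/domain where you created the $$$ group
)
Import-Module ActiveDirectory
$src = Get-ADDomain -Identity $SourceDomain
$tgt = Get-ADDomain -Identity $TargetDomain
$findings = @()

# 1. The script must run on the target PDC emulator (the post's lab had other PDCs hidden away).
$pdcHost = ($tgt.PDCEmulator -split '\.')[0]
if ($env:COMPUTERNAME -ne $pdcHost) {
    $findings += "Not on the target PDC emulator: this host is $env:COMPUTERNAME, PDCe is $($tgt.PDCEmulator)"
}

# 2. Domain Admin in the target domain (direct membership check).
$tgtDA = Get-ADGroupMember -Identity 'Domain Admins' -Server $tgt.PDCEmulator
if (-not ($tgtDA.SamAccountName -contains $ServiceAccount)) {
    $findings += "$ServiceAccount is not a member of Domain Admins in $TargetDomain"
}

# 3. Administrators in the source domain. A target-domain account shows up there as a
#    foreign security principal whose CN is its SID, so match on the SID (direct membership only).
$sid = (Get-ADUser -Identity $ServiceAccount -Server $tgt.PDCEmulator).SID.Value
$srcAdmins = (Get-ADGroup -Identity 'Administrators' -Server $src.PDCEmulator -Properties member).member
if (-not ($srcAdmins | Where-Object { $_ -match [regex]::Escape($sid) })) {
    $findings += "$ServiceAccount (SID $sid) is not a direct member of Administrators in $SourceDomain"
}

# 4. The audit group must exist and must start empty; AddSidHistory populates it itself.
$groupName = $src.NetBIOSName + '$$$'
$grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)" -Server $AuditGroupServer -Properties member
if (-not $grp) { $findings += "Audit group $groupName not found on $AuditGroupServer" }
elseif ($grp.member.Count -gt 0) { $findings += "Audit group $groupName must be empty before the run" }

# 5. Account Management auditing must be enabled (auditpol reports it per subcategory).
$audit = auditpol /get /category:'Account Management' /r | ConvertFrom-Csv
$off = $audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($off) { $findings += "Account Management auditing is off for: $($off.Subcategory -join ', ')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All listed prerequisites look satisfied.' }
```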