diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 2d442b2f526..9290e753496 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -81,7 +81,7 @@ func main() {
 }
 err = bindingErr
 } else if os.Getenv("AD_GUID_CLEANUP") == "true" {
- err = clean.ListAdUsers(nil)
+ err = clean.UnmigrateAdGUIDUsers(nil, false)
 } else {
 err = run(ctx)
 }
diff --git a/pkg/agent/clean/active_directory.go b/pkg/agent/clean/active_directory.go
index 1e81aa97a5d..5c1d752f15c 100644
--- a/pkg/agent/clean/active_directory.go
+++ b/pkg/agent/clean/active_directory.go
@@ -292,9 +292,24 @@ func prepareClientContexts(clientConfig *restclient.Config) (*config.ScaledConte
 return sc, adConfig, nil
 }
-// ListAdUsers is purely for debugging. If this is still here, fail the PR. :P
-func ListAdUsers(clientConfig *restclient.Config) error {
- if os.Getenv("DRY_RUN") == "true" {
+// UnmigrateAdGUIDUsersOnce will ensure that the migration script will run only once. cycle through all users, ctrb, ptrb, tokens and migrate them to an
+// appropriate DN-based PrincipalID.
+func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
+ migrationConfigMap, _ := sc.Core.ConfigMaps("cattle-system").GetNamespaced("cattle-system", "ad-guid-migration", metav1.GetOptions{})
+ if migrationConfigMap != nil {
+ migrationStatus := migrationConfigMap.Data["ad-guid-migration-status"]
+ if migrationStatus == StatusMigrationFinished {
+ logrus.Infof("The migration has already been completed")
+ return nil
+ }
+ }
+ return UnmigrateAdGUIDUsers(&sc.RESTConfig, false)
+}
+
+// UnmigrateAdGUIDUsers will cycle through all users, ctrb, ptrb, tokens and migrate them to an
+// appropriate DN-based PrincipalID.
+func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool) error {
+ if dryRun || os.Getenv("DRY_RUN") == "true" {
 logrus.Infof("[%v] DRY_RUN is true, no objects will be deleted/modified", listAdUsersOperation)
 dryRun = true
 }
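Review bot: `UnmigrateAdGUIDUsersOnce` discards the error from `GetNamespaced`, so the run-once guard fails open: any lookup failure (API outage, RBAC denial, not only a missing ConfigMap) falls through and starts the principal-ID rewrite over users, CRTBs, PRTBs and tokens again. Keep the error and continue only on not-found, e.g. `if err != nil && !apierrors.IsNotFound(err) { return err }`, assuming `k8s.io/apimachinery/pkg/api/errors` is or can be imported in this file. Separately, the new `dryRun` parameter shadows the package-level `dryRun` that the unchanged `dryRun = true` line used to set; if helpers later in `UnmigrateAdGUIDUsers` (its body continues outside this hunk) still read the package variable, a DRY_RUN invocation could modify objects, which is worth confirming. The doc comment on `UnmigrateAdGUIDUsersOnce` also runs two sentences together, and `ctrb, ptrb` looks like a typo for CRTB/PRTB.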
diff --git a/pkg/multiclustermanager/app.go b/pkg/multiclustermanager/app.go
index e1b72f46aaf..b6d27190d6f 100644
--- a/pkg/multiclustermanager/app.go
+++ b/pkg/multiclustermanager/app.go
@@ -214,7 +214,7 @@ func (m *mcm) Start(ctx context.Context) error {
 return errors.Wrap(err, "failed to telemetry")
 }
- clean.ListAdUsers(&m.ScaledContext.RESTConfig)
+ clean.UnmigrateAdGUIDUsersOnce(m.ScaledContext)
 tokens.StartPurgeDaemon(ctx, management)
 providerrefresh.StartRefreshDaemon(ctx, m.ScaledContext, management)
 managementdata.CleanupOrphanedSystemUsers(ctx, management)
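Review bot: The error returned by `clean.UnmigrateAdGUIDUsersOnce(m.ScaledContext)` is dropped in `Start`, so a migration that fails part-way through rewriting principal IDs leaves no trace at this call site and startup continues into the token purge and provider refresh daemons. At minimum surface it with whichever logger this file already uses, e.g. `if err := clean.UnmigrateAdGUIDUsersOnce(m.ScaledContext); err != nil { logrus.Errorf("AD GUID unmigration failed: %v", err) }`, or return it wrapped like the telemetry error just above if startup should not proceed with half-migrated bindings. The call is also synchronous, so it delays everything after it in `Start`, whose body extends beyond this hunk; whether that is intended is not visible here.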