Re: Query on User and Data migration



> ...I understand that though I am seeing the AD user in the permission
> list, the NTFS permissions are still for the SID history (NT user) not for
> the SID (AD User). Please correct me if my understanding is wrong.

Correct.


> If the permissions are only for the SID history (NT user), how is the
> access provided even after deleting the user from the NT domain? Or is it
> no longer related to the NT domain, and the resource can be accessed using
> SID history even though the NT domain structure is removed (after all user
> migration)?

The SID is now stored in the sIDHistory attribute of the user object. When
a DC builds a user's access token, it uses both the user's SID and group
SIDs _and_ the SIDs stored in sIDHistory.


> You suggested to Re-ACL the folders. I see the SubInACL tool can do this.
> But to Re-ACL millions of folders, I need to run this command line tool
> millions of times (once for each permission). Is there any other easy way
> to get this done? Please provide your inputs on this. As I am in the
> process of my file data migration, your inputs will help me in deciding
> the migration strategy.

There's no real easy way of doing this. The easiest is to let ADMT
translate the security on the computer accounts during migration. Otherwise
it is a case of manually translating or modifying the permissions on all
resources. SUBINACL can help here. The idea being you run it against your
data directories and main parent directories and the file system handles the
rest via inheritance. Or SUBINACL can probably trawl through everything.
There may well be other tools too.

Another option is to remove existing permissions and re-permission for new
groups. Basically, re-evaluating your permissions.

Neither is quick and easy.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
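
Added example (not part of the post above, and not the author's code): a PowerShell inventory of the folders that would need re-ACLing. It reads each folder's explicit ACEs as raw SIDs, so an old-domain SID is reported even when the permission list shows the AD user's name, and it skips inherited ACEs because those follow the parent. $Root and $OldDomainSid are placeholders chosen for illustration.

```powershell
# Added example: list folders whose explicit ACEs still reference old-domain SIDs.
# Assumptions (not from the thread): both parameter defaults are placeholders.
param(
    [string]$Root = 'D:\Data',                                            # placeholder path
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed value
)

$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-OldDomainAce {
    param([string]$Path)
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on ${Path}: $_"; return }

    # GetAccessRules(includeExplicit, includeInherited, targetType):
    # explicit ACEs only, returned as SIDs so no name lookup hides the stored value.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # A domain account SID is the domain SID followed by "-<RID>".
        if ($sid.StartsWith("$OldDomainSid-")) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $sid
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# Folders only: the root itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)

$report = @(foreach ($f in $folders) { Get-OldDomainAce -Path $f.FullName })

$report | Sort-Object Path | Format-Table -AutoSize
$folderCount = @($report | Group-Object Path).Count
"{0} explicit ACE(s) on {1} of {2} folder(s) reference the old domain." -f `
    $report.Count, $folderCount, $folders.Count
```

Folders missing from the report carry only inherited or unrelated ACEs, so the count in the last line is the number of places where permissions actually have to be translated or re-granted. Files with their own explicit ACEs are not scanned here.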