Re: Move User and users Mailbox between different domains




Khang,

This is a relatively simple and safe operation.
By moving the user from one domain to another within the same forest, the GUID and UPN stay the same, but the SID changes. (GUID is unique in the forest, SID is unique in a domain). Applications in your environment that grant access based upon domain/sAMAccountname will fail because the domain identifier changed. Applications that grant access based upon GUID or UPN (the proper way!) will be fine.

By making sure SID history is enabled, the moved user will have its old SID in an AD property called SID history. During logon, this SID gets added to the user's token, so he/she can access resources based upon the old SID.

Another thing to take into account is Group Membership. The user will lose its memberships for the Global groups he's currently a member of, because Global Groups cannot contain members from other domains. The log file from ADMT will clearly indicate problematic group memberships, so you can correct them manually.

--
Kind regards,

Erik Cheizoo
eXcellence & Difference - we keep your business running
============================================
Always test in a non-production environment before implementing
Guidelines for posting: http://support.microsoft.com/?id=555375
============================================


"Khang" <Khang@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1D4BA2F6-623F-4ABF-AB0E-9D5DCC07CA4D@xxxxxxxxxxxxxxxx
We have two domains - one for Europe and one for North America. A user is
moving office from Europe to North America. My question is if it's safe for
me to use ADMT to move user account in AD and Exchange System Manager to move
user mailbox from Europe domain to North America domain. What do I need to
take into consideration before doing this? Our environment is native Windows
Server 2003 and Exchange Server 2003. Thanks! --Khang
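
The SID behaviour described in the reply above, as an added example that is not part of the original thread: it decodes binary SIDs of the kind stored in objectSid and sIDHistory, splits off the domain identifier, and models why a resource that still lists the old SID stays reachable only when SID history is carried into the token. All SIDs, RIDs, and the allow-only access check are constructed assumptions; a real access check also evaluates deny entries and access masks.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (objectSid / sIDHistory value) to S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")         # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])         # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Encode the string form back to binary (used to build the sample data)."""
    _, revision, authority, *subs = text.split("-")
    subs = [int(s) for s in subs]
    return (bytes([int(revision), len(subs)]) + int(authority).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def domain_of(sid: str) -> str:
    """Domain identifier: the SID without its last sub-authority (the RID)."""
    return sid.rsplit("-", 1)[0]

def token_sids(user: dict, with_sid_history: bool = True) -> set:
    """SIDs placed in the logon token in this simplified model."""
    sids = {sid_to_str(user["objectSid"]), *user["groupSids"]}
    if with_sid_history:
        sids.update(sid_to_str(s) for s in user["sIDHistory"])
    return sids

def has_access(allowed_sids: set, token: set) -> bool:
    """Allow-only check: any SID in the token matches an allow entry."""
    return bool(allowed_sids & token)

# Constructed sample data, not taken from the thread.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # source domain
NEW_DOMAIN = "S-1-5-21-3999999999-1234567890-987654321"    # target domain
moved_user = {
    "objectSid": str_to_sid(NEW_DOMAIN + "-2101"),          # new SID after the move
    "sIDHistory": [str_to_sid(OLD_DOMAIN + "-1604")],       # old SID kept by the migration
    "groupSids": {NEW_DOMAIN + "-513"},                     # Domain Users of the new domain
}
OLD_SHARE_ACL = {OLD_DOMAIN + "-1604"}                      # resource still lists the old SID

if __name__ == "__main__":
    new_sid = sid_to_str(moved_user["objectSid"])
    print("new SID:", new_sid, "| domain part:", domain_of(new_sid))
    print("access with SID history:   ", has_access(OLD_SHARE_ACL, token_sids(moved_user)))
    print("access without SID history:", has_access(OLD_SHARE_ACL, token_sids(moved_user, False)))
```

Because every sIDHistory value is honoured at logon in this model, reviewing which old SIDs remain on migrated accounts belongs in the post-migration checks.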
