Re: Policy from old domain applying to computers in new domain...

Thank you Paul.

I hope this doesn't turn into a resume generating event 8-)

"Paul Bergson [MVP-DS]" wrote:

When you move objects from one domain to another, there is a bread crumb
trail that helps keep the old permissions still valid, this is accomplished
through sidHistory. To remove the old permissions (Which you won't easily
see) you need to use a vbScript that Microsoft has posted.

http://support.microsoft.com/default.aspx?scid=kb;en-us;295758

Be careful you may not realize how much you are actually using the migrated
security. I would do this to one user or group and see the effects before
doing a wholesale removal. You may be surprised how much security is
dependent upon this. So you understand any machines you brought across may
have files and folders that need to be re-acl'd and the only way users are
gain access currently is through sidHistory.

http://www.microsoft.com/technet/solutionaccelerators/ucs/ds/dmcnmg/dcmplg.mspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"ieden" <ieden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D35A116-6A7D-4A25-9027-739C967703B6@xxxxxxxxxxxxxxxx
How do I remove them?
I assumed, possible erroneously that a computer which has been migrated
using ADMT to a new domain would only receive policy from the new domain.
I'm finding that some users in the new domain are getting domain policy
settings from the old domain.
There are also for lack of a better word "ghost profiles" on each PC.
This isn't earth shattering as the domain is up and running, it bothers me
because policy being applied from a domain I plan on turning off in the
future bothers me.
Besides, the policies remain even after removing the computer from the new
domain and adding it back again.
Any help would be appreciated.




.

Relevant Pages

  • Re: Policy from old domain applying to computers in new domain...
    ... To remove the old permissions (Which you won't easily ... You may be surprised how much security is ... using ADMT to a new domain would only receive policy from the new domain. ... future bothers me. ...
    (microsoft.public.windows.server.active_directory)
  • Re: [RFC][PATCH] Privilege dropping security module
    ... dpriv.c contains the struct security_operations hooks for dpriv. ... You're masking file permissions. ... And stick with your namespace, ... * Parse policy lines one at a time. ...
    (Linux-Kernel)
  • [RFC][PATCH] Privilege dropping security module
    ... dpriv.c contains the struct security_operations hooks for dpriv. ... * under the terms of the GNU General Public License as published by the Free ... * Parse policy lines one at a time. ... * Open file descriptors and their implied permissions based on @policy ...
    (Linux-Kernel)
  • Re: Access to Network and Dial-Up Connections blocked
    ... John John wrote: ... if a NoPropertiesMyComputer policy exists: ... I re-enabled Remove Network Connection from ... If this is a permissions issue check and make sure that you have ...
    (microsoft.public.win2000.general)
  • Re: Automated logoff using Winexit.scr
    ... New OU - New Policy ... Settings: Configure this key then Propogate inheritable permissions to ... Permissions granted: Authenticated Users: Read/Special ... test GPO linked to it trying to accomplish that and move a couple computers ...
    (microsoft.public.windows.group_policy)
Loading