Re: Policy from old domain applying to computers in new domain...



When you move objects from one domain to another, there is a bread crumb
trail that helps keep the old permissions still valid; this is accomplished
through sidHistory. To remove the old permissions (which you won't easily
see) you need to use a VBScript that Microsoft has posted.

http://support.microsoft.com/default.aspx?scid=kb;en-us;295758

Be careful, you may not realize how much you are actually using the migrated
security. I would do this to one user or group and see the effects before
doing a wholesale removal. You may be surprised how much security is
dependent upon this. So you understand, any machines you brought across may
have files and folders that need to be re-ACL'd, and the only way users are
gaining access currently is through sidHistory.

http://www.microsoft.com/technet/solutionaccelerators/ucs/ds/dmcnmg/dcmplg.mspx

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"ieden" <ieden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D35A116-6A7D-4A25-9027-739C967703B6@xxxxxxxxxxxxxxxx
How do I remove them?
I assumed, possibly erroneously, that a computer which has been migrated
using ADMT to a new domain would only receive policy from the new domain.
I'm finding that some users in the new domain are getting domain policy
settings from the old domain.
There are also, for lack of a better word, "ghost profiles" on each PC.
This isn't earth shattering as the domain is up and running; it bothers me
because policy being applied from a domain I plan on turning off in the
future bothers me.
Besides, the policies remain even after removing the computer from the new
domain and adding it back again.
Any help would be appreciated.
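
Added example, not part of the original posts and not Microsoft's script: a read-only PowerShell audit that lists which migrated objects still carry old-domain SIDs in sidHistory and which file and folder ACEs reference those SIDs, so the effect of a removal can be judged before it is done. The old domain SID, the scan root and the output file name are placeholder assumptions; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: read-only audit, changes nothing in AD or on disk.
# Assumes the ActiveDirectory module (RSAT) and read access to the tree.
Import-Module ActiveDirectory

# Placeholders (constructed values): old domain SID and folder tree to check.
$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$ScanRoot     = 'D:\Shares'

# 1. Migrated users, groups and computers that still carry an old-domain SID.
$bySid = @{}
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            if ("$sid" -like "$OldDomainSid-*") { $bySid["$sid"] = $_.sAMAccountName }
        }
    }

# 2. Explicit ACEs that name an old-domain SID. Inherited ACEs are skipped
#    because they are reported on the folder that defines them.
$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $ScanRoot) +
         @(Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue)
$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($sid -like "$OldDomainSid-*") {
            [pscustomobject]@{
                Path    = $item.FullName
                OldSid  = $sid
                Account = $bySid[$sid]      # empty if no migrated object carries it
                Type    = $ace.AccessControlType
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

# 3. Review list: paths to re-ACL with new-domain principals, per account.
$findings | Sort-Object Account, Path | Format-Table -AutoSize
$findings | Export-Csv -Path .\sidhistory-acl-dependencies.csv -NoTypeInformation
```

Rows with a non-empty Account are the places where that account's access depends on its sidHistory entry unless the same access is also granted through a new-domain SID.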


