Re: sidHistory and DomainUsers

Hello Ace,
Thank you for your answer.
You are right. There is a two-way trust between the domains and sidHistory
works as described for all objects except for the Domain Users group? There
must be a difference (by design?) in behavior between this and other groups.
I checked the sidHistory attribute and the entries seem fine.
Peter

"Ace Fekay [MVP]" wrote:

In news:F6E80412-E17F-4C10-9FD9-E4A94E76D9EB@xxxxxxxxxxxxx,
Peter <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Hello Everybody,
Is someone able to explain to me the difference between using sidHistory
for a 'normal' group and the DomainUsers group. In my migration test
between two domains in different forests the sidHistory for accounts
and groups works perfectly. Only access which was granted for 'domain
users' doesn't work. The sidHistory attribute of the 'domain users'
group in the target domain is filled with the sid of the 'domain
users' group of the source domain. Thanks
Peter

sIDHistory is designed to allow migrated users into a new domain access to
source domain resources. Of course I'm assuming there is a two-way trust
between each domain in the forest. Trusts in such cases are only between
domains and not forests. If there is more than one domain in a forest, you
would have to create additional trusts.

If you allow Domain Users, that will allow access for the newly migrated
users in the target domain to a resource in the target domain.

Basically the sIDHistory allows co-existence. Once the old domain is
decommissioned, you would run the sIDHistory cleanup script to remove the
sIDHistory from all migrated users.

Using SID History to Preserve Resource Access
http://technet2.microsoft.com/windowsserver/en/library/6aef68d1-3479-4713-94be-38f8fd02919e1033.mspx?mfr=true

Mark Wilson's blog about sIDHistory
http://blogs.conchango.com/markwilson/archive/2005/07/06/1768.aspx

Maybe this will help:
How to troubleshoot inter-forest sIDHistory migration with ADMTv2
http://support.microsoft.com/kb/322970

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
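
Added example, not part of the original thread: one way to review the sIDHistory entries mentioned above (Peter's check of the attribute, and the inventory needed before any cleanup) is to list every entry with its source domain SID and RID. The function name Get-SidHistoryReport is hypothetical and the sample objects and SIDs are constructed; the commented Get-ADObject line assumes the ActiveDirectory module is available.

```powershell
# Added example: expand each object's sIDHistory into one row per SID so the
# entries can be reviewed per source domain. Not code from the thread.
function Get-SidHistoryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$InputObject
    )
    process {
        foreach ($entry in $InputObject.sIDHistory) {
            # Accepts SecurityIdentifier objects (as returned by Get-ADObject)
            # or SDDL strings such as the constructed samples below.
            $sid = [System.Security.Principal.SecurityIdentifier]$entry
            $rid = [uint32](($sid.Value -split '-')[-1])
            [pscustomobject]@{
                Name            = $InputObject.Name
                ObjectClass     = $InputObject.ObjectClass
                HistorySid      = $sid.Value
                SourceDomainSid = $sid.AccountDomainSid.Value
                Rid             = $rid
                # RIDs below 1000 belong to a domain's built-in principals
                # (513 is Domain Users); list them separately for review.
                WellKnownRid    = ($rid -lt 1000)
            }
        }
    }
}

# Constructed sample input: made-up objects and SIDs, for offline use only.
$sample = @(
    [pscustomobject]@{ Name = 'Domain Users'; ObjectClass = 'group'
        sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-513') },
    [pscustomobject]@{ Name = 'Sales'; ObjectClass = 'group'
        sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1604') },
    [pscustomobject]@{ Name = 'jdoe'; ObjectClass = 'user'
        sIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1201') }
)

$sample | Get-SidHistoryReport |
    Sort-Object WellKnownRid, Name |
    Format-Table Name, ObjectClass, Rid, WellKnownRid, SourceDomainSid -AutoSize

# Against the target domain instead of the sample data:
# Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
#     Get-SidHistoryReport
```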


