Re: sidHistory and DomainUsers
- From: Peter <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 Apr 2008 08:44:01 -0700
Hi Dean,
Sorry for the e-mail. My fault.
Your script runs in our test environment, where we test a strategy for the
real migration between two domains. Our problem is a migrated user (moved from
domain A to domain B) who wants to access resources in his old domain
(domain A).
Trusts and involved domains are equal to the real world. Your second script
shows the trusts as follows.
It looks like a SID filtering issue, but SID filtering is off.
trustDump V1.0 / Dean Wells - March 2007
+ Working ...
+ TRUST: 'smt711.paworld.net' trusts 'PAWORLD.NET'
- Trust type : Intra-forest
- SID filtering: N/A
+ TRUST: 'smt711.paworld.net' trusts 'SMT811.qaworld.net'
- Trust type : Inbound
- SID filtering: N/A
- Complete
trustDump V1.0 / Dean Wells - March 2007
+ Working ...
+ TRUST: 'smt811.qaworld.net' trusts 'qaworld.net'
- Trust type : Intra-forest
- SID filtering: N/A
+ TRUST: 'smt811.qaworld.net' trusts 'SMT711.PAWORLD.NET'
- Trust type : Inbound
- SID filtering: N/A
- Complete
"Dean Wells (MVP)" wrote:
Who knew I'd end up regretting putting my email addy in those scripts;
c'est la vie! Could I ask that if you run any more of my scripts you
remove my email address from the pasted output? It helps with keeping the
spam to a minimum ... thanks!
So let's get a few more details - one of the forests is running in
Windows 2000 mode which could indicate the presence of Windows 2000 DCs,
is this the case?
How many users (roughly) exists in each domain in each of the two
forests?
How many users have been or will be migrated?
Are you trying to consolidate two domains or perhaps even the two
forests?
I doubt your problem is SID filtering but let's qualify that; you've
migrated users from one domain in one forest to a domain in the other
forest -- is the example migrated user that's causing this problem
trying to access resources in the domain they were migrated from or in
the domain they now exist in?
We can also further determine the details of this aspect of your
configuration by using trustdump again from
ftp://falcon.msetechnology.com/scripts/trustdump.cmd.txt
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DF9A284-D9B6-4588-8870-99E885DF699F@xxxxxxxxxxxxxxxx
Hi Dean,
thanks for your input. I ran the FLL on the involved forests to give you
more details. Also, you should know that the migration takes place between
SMT711.PAWORLD.NET and SMT811.qaworld.net. Between these two domains a
two-way trust exists. Without SID filtering enabled!
Any idea welcome.
Peter
PS: In this paper http://support.microsoft.com/kb/893191/en-us MS explains
something which looks like my problem. But SID filtering on the trusts is
disabled!
FLL V1.1 / Dean Wells - March 2006
STATUS - Determining configuration for Forest: DC=qaworld,DC=net
- number of Domains: 3
- schema revision : 30
Forest: qaworld.net
- functional level: Windows 2000 [0]
Domain: qaworld.net
- functional level: Windows 2003 Native [2]
Domain: SMT811.qaworld.net
- functional level: Windows 2003 Native [2]
Domain: SMT812.qaworld.net
- functional level: Windows 2000 [0] / Mixed
Done.
FLL V1.1 / Dean Wells - March 2006
STATUS - Determining configuration for Forest: DC=paworld,DC=net
- number of Domains: 3
- schema revision : 30
Forest: paworld.net
- functional level: Windows 2003 Native [2]
Domain: PAWORLD.NET
- functional level: Windows 2003 Native [2]
Domain: SMT711.PAWORLD.NET
- functional level: Windows 2003 Native [2]
Domain: SMT712.PAWORLD.NET
- functional level: Windows 2003 Native [2]
Done.
"Dean Wells (MVP)" wrote:
It's almost certainly (~ since I've not tested this) because the Domain
Users group is, by default, everyone's primary group and is therefore
handled very differently. In fact, users don't even exist as members
per se in their designated primary group (it's a one-way relationship
maintained on the user alone within the primaryGroupID attribute and
targets the group by its RID.) My guess is that the code path used to
tack on the primary group's SID during token construction doesn't honor
its sIDHistory.
I've got some concerns about volunteering a solution before knowing what
functional levels are in play here (if you're uncertain, download
fll.cmd from ftp://falcon.msetechnology.com/scripts/fll.cmd.txt and run
it, paste back the results; it expects the forest root FQDN as the only
argument)?
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6E80412-E17F-4C10-9FD9-E4A94E76D9EB@xxxxxxxxxxxxxxxx
Hello Everybody,
Is someone able to explain to me the difference between using sidHistory
for a 'normal' group and the Domain Users group? In my migration test
between two domains in different forests the sidHistory for accounts and
groups works perfectly. Only access which was granted to 'Domain Users'
doesn't work. The sidHistory attribute of the 'Domain Users' group in the
target domain is filled with the SID of the 'Domain Users' group of the
source domain.
Thanks
Peter
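The diagnostic below is an added example for readers of this thread; it is not one of Dean Wells' scripts and was not posted by anyone in the discussion. It turns Dean's explanation into a check: it lists every old-domain SID that sIDHistory could contribute to the migrated user's token, tagging each with where it comes from (the user object, the primary group resolved from primaryGroupID the way the DC does it, or a regular group in memberOf), and then compares that list against the SIDs actually present in a token captured with `whoami /groups`. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or newer, so newer than the 2003-era domains in the thread), and a placeholder account name `peter`; the domain names are the ones from the thread.

```powershell
# Added diagnostic, not part of the original thread.
# Assumptions: ActiveDirectory module available; migrated account 'peter'
# (placeholder); domain names as given in the thread. Capture the token first
# while logged on as the migrated user on a member of the SOURCE domain:
#     whoami /groups /fo csv > token.csv
# then run this script in the target domain with -WhoamiCsv token.csv.
param(
    [string]$Identity     = 'peter',               # migrated user (assumed name)
    [string]$TargetDomain = 'SMT811.qaworld.net',  # domain the account now lives in
    [string]$SourceDomain = 'SMT711.PAWORLD.NET',  # domain holding the resources
    [string]$WhoamiCsv                             # optional: path to token.csv
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $Identity -Server $TargetDomain `
            -Properties objectSid, sIDHistory, primaryGroupID, memberOf

# The primary group never appears in memberOf. The DC derives its SID from the
# domain SID plus primaryGroupID (513 = Domain Users), so resolve it the same way.
$domainSid       = (Get-ADDomain -Server $TargetDomain).DomainSID.Value
$primaryGroupSid = "$domainSid-$($user.primaryGroupID)"
$primaryGroup    = Get-ADGroup -Identity $primaryGroupSid -Server $TargetDomain -Properties sIDHistory

# Every old-domain SID that sIDHistory could add to the token, tagged by origin,
# so a missing SID can be traced to the user, the primary group or a normal group.
$expected = New-Object System.Collections.Generic.List[object]
function Add-Expected([string]$via, $sidHistory) {
    foreach ($s in @($sidHistory)) {
        if ($s) { $expected.Add([pscustomobject]@{ Via = $via; SID = $s.Value }) }
    }
}
Add-Expected "user $($user.SamAccountName)" $user.sIDHistory
Add-Expected "PRIMARY group $($primaryGroup.Name) (RID $($user.primaryGroupID))" $primaryGroup.sIDHistory
foreach ($dn in $user.memberOf) {
    try {
        $g = Get-ADGroup -Identity $dn -Server $TargetDomain -Properties sIDHistory
        Add-Expected "group $($g.Name)" $g.sIDHistory
    } catch {
        # memberOf can reference groups in other domains; those need a GC lookup.
        Write-Warning "could not read $dn : $_"
    }
}

# The one SID the thread says is missing: the source domain's Domain Users (RID 513).
$srcDomainUsers = "$((Get-ADDomain -Server $SourceDomain).DomainSID.Value)-513"

if (-not $WhoamiCsv) {
    $expected | Format-Table -AutoSize
    "Source-domain 'Domain Users' SID to look for in the token: $srcDomainUsers"
    return
}

# whoami /groups /fo csv has the columns "Group Name","Type","SID","Attributes".
$actual = (Import-Csv $WhoamiCsv).SID
foreach ($e in $expected) {
    $state = if ($actual -contains $e.SID) { 'present' } else { 'MISSING' }
    "{0,-8} {1,-48} via {2}" -f $state, $e.SID, $e.Via
}
if ($actual -notcontains $srcDomainUsers) {
    "MISSING  $srcDomainUsers  (source Domain Users; only reachable via the primary group's sIDHistory)"
}
```

Read the result together with the trust state, because SID filtering strips sIDHistory entries from a trusted domain and would make every row show as MISSING, not just the primary group's: `netdom trust SMT711.PAWORLD.NET /domain:SMT811.qaworld.net /quarantine` with no value prints the current quarantine setting, and on newer tooling `Get-ADTrust -Filter *` exposes it as `SIDFilteringQuarantined` (and `SIDFilteringForestAware` for forest trusts). If only the source Domain Users row is missing while the user's own and the regular groups' sIDHistory SIDs are present, the behaviour matches Dean's description of the primary group being tacked on by RID rather than by membership.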