Re: Weird post ADMT Problem....accesing old file shares.

Hi,

Have you checked sid filtering, on an external trust this is enabled by
default.


http://technet.microsoft.com/en-us/library/cc772816.aspx


Regards,

"Marcin" wrote:

Colin,
Any chance you have conflicting permissions (Access Denied) assigned to the
user from DomainA (or one of the groups this user is a member of) on your
existing shares?

hth
Marcin

<colin.laurie@xxxxxxxxxxxxxx> wrote in message
news:d358e9f5-4ede-4378-9275-eb73f82fe1f7@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All.

I have two 2003 domains with an external trust. That has been in place
for some time. All fine.

I have domain A (target) and domain B (source). I am starting to test
migrating groups from domain B to A.

I have used ADMT with SID History enabled to migrate groups from B to
A. This seems to have worked fine.

Some of the groups from Domain B (source) have NTFS permissions
assigned on file shares on that domain, domain B.

As my groups that i have migrated from domain B now exist in the
target Domain A, i should therfore be able to add users from Domain A
to the migrated group from Domain B - This will allow me to continue
to access a file share resource in Domain B.

To test this i log on to a computer in Domain A and try to access a
file share in Domain B. The logon account is a member of the correct
group. The result is that this wil fail, with an access denied error.
However if i create a new share (instead of using an existing share)
and permission it corectly i can access this share.

So, to summarise it seems that the SID history is only wortking when
attempting to connect to a newly created folder/share but for some
reason not on existing/older folders.

I am totally stumped with this one.

Any suggestion will be appreciated, thanks in advance!

Colin.



.

Relevant Pages

  • Re: Access is denied to this object
    ... sid wrote: ... I did not any issues with FileMon, but RegMon did find these two calls: ... Isaac Perez Moncho wrote: ... The call to Server.CreateObject failed while checking permissions. ...
    (microsoft.public.scripting.vbscript)
  • Re: ACLs and permissions viewed after Migrating from NT 4 domain... The twilight zone?
    ... And if I decomission the old NT4 domain this should ... (the little problem I have noticed is that if you give permissions to both ... > to the new w2k user's sid history. ... > it also checks the sid history when attempting to crack a sid to a user. ...
    (microsoft.public.win2000.security)
  • Re: Help removing unresolved SIDs from NTFS permissions...
    ... if you're using Domain groups/users or Built-in groups. ... option of /remove:to remove any permissions granted or denied to ... a specific SID. ... But we aren't needing to replace SIDs. ...
    (microsoft.public.windows.server.general)
  • Re: Disaster Recovery Scenario Help
    ... Right...I understand the concept of the SID... ... assign them permissions, then what would be affected by the SID change other ... >>> promote the DR servers into DCs? ... In that case restoring DCs ...
    (microsoft.public.windows.server.active_directory)
  • RE: External Trust and Sid Filtering...
    ... is irrelevant since there will be no SID History for these groups. ... SID History is irrelevant and SID Filtering will have no effect. ... I would like to create an external trust with another domain. ...
    (microsoft.public.windows.server.active_directory)