Re: ADMTv2 questions

From: Bob Qin [MSFT] (bobqin_at_online.microsoft.com)
Date: 08/17/04


Date: Tue, 17 Aug 2004 12:27:29 GMT

Hi Dave,

In fact, the only valuable thing is SIDHistory when you merge a user
account to another one, so that the target domain user can access the
resources which only the source domain user has permission to. I recommend
that you try the Security Translation Wizard and SID mapping file; it
is very easy to use.

The content of SID mapping file should be like below.

<SID of OldDomain\User>, <SID of NewDomain\Users>

Note: Please put the correct SIDs in the above line.

You can try the following content in your newSIDmapping.txt file.

S-1-5-21-1455768706-307569249-355810188-513, S-1-5-21-3050163103-1507591125-1671999219-513

You can run in different modes to accommodate different scenarios (Replace,
Add, and Remove). Security Translation is capable of updating most common
resources automatically, and is also configurable by the administrator.

Also, you can just change the user in target domain (joe2) to joe1, then
try another very cool tool called SubInACL to modify the resources.

For example, we can run the following command on a file server:

subinacl /subdirectories <Path>\*.* /migratetodomain=OLDDOMAIN=NEWDOMAIN

Note:

1. The above command will check all ACEs. For example, for an ACE for
OLDDOMAIN\Joe1 if the NEWDOMAIN\Joe1 account exists, this tool will add a
new ACE for NEWDOMAIN\JOHNDOE.

2. The ACEs for the OLDDOMAIN domain will be preserved. If you want to
replace the account, please use another switch /changedomain:

subinacl /subdirectories <Path>\*.* /changedomain=OLDDOMAIN=NEWDOMAIN

3. A trust between the two domains is needed.

4. For more information about this tool, please refer to the Resource Kit
Tool Help, or run the following command:

SubInAcl /help /full

Thank you and have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
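
A pre-flight check for the SID mapping file described in the reply above, added here as an example; it is not part of the original post and not a Microsoft tool. It assumes the one-pair-per-line `source SID, target SID` layout shown in the post; `check_mapping`, the choice of checks, and every sample line after the first are this example's own.

```python
import re

# Domain SID layout: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")
# Well-known privileged RIDs that deserve a second look as translation targets
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

def check_mapping(text):
    """Return (pairs, findings) for a 'source SID, target SID' per-line file."""
    pairs, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 2 or not all(fields):
            # Typical cause: a mail client wrapped the pair onto two lines.
            findings.append((lineno, "not exactly one source,target pair"))
            continue
        src, dst = (SID_RE.match(f) for f in fields)
        if not src or not dst:
            findings.append((lineno, "malformed domain SID"))
            continue
        if src.group(1) == dst.group(1):
            findings.append((lineno, "source and target are in the same domain"))
        rid = int(dst.group(2))
        # 512 -> 512 is an ordinary group translation; any other source is not.
        if rid in PRIVILEGED_RIDS and int(src.group(2)) != rid:
            findings.append((lineno, "target is " + PRIVILEGED_RIDS[rid]))
        if seen.setdefault(fields[0], fields[1]) != fields[1]:
            findings.append((lineno, "source SID already mapped to another target"))
        pairs.append((fields[0], fields[1]))
    return pairs, findings

# Constructed sample: line 1 is the pair from the post, the rest are invented.
SAMPLE = """\
S-1-5-21-1455768706-307569249-355810188-513, S-1-5-21-3050163103-1507591125-1671999219-513
S-1-5-21-1455768706-307569249-355810188-1104,
S-1-5-21-3050163103-1507591125-1671999219-1604
S-1-5-21-1455768706-307569249-355810188-1105, S-1-5-21-3050163103-1507591125-1671999219-512
S-1-5-21-1455768706-307569249-355810188-513, S-1-5-21-3050163103-1507591125-1671999219-1700
"""

if __name__ == "__main__":
    for lineno, message in check_mapping(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```

Running the check before a Security Translation pass in Replace mode matters most, because Replace removes the source ACEs that a wrong pair would otherwise leave in place.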

--------------------
      From: "ddoorlag" <ddoorlag@discussions.microsoft.com>
      Subject: Re: ADMTv2 questions
      Date: Mon, 16 Aug 2004 06:09:02 -0700
      Newsgroups: microsoft.public.windows.server.migration
      
      Hi Bob,
      
      THANKS for the information... I'll look it over...
      
      My meaning of Merge is to take an NT4 account (joe1) and merge the account
      (sid history/etc.) into a currently existing AD domain with a currently
      existing AD Account (joe2)... (ie. different names).
      
      As I see it with ADMT you can COPY the NT4 account over, but you have no way
      to "merge" the NT4 account with a currently existing AD account...
      
      TRUE/FALSE ??
      
      "Bob Qin [MSFT]" wrote:
      
> Hi Dave,
>
> Thanks for your posting here.
>
> What is your meaning of "merge" two users? What thing do you want to merge?
> What is your final purpose?
>
> Here are some documents that will be helpful.
>
> HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
> http://support.microsoft.com/?id=325851
>
> Domain Migration Cookbook
> <http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp>
>
> Planning Migration from Windows NT to Windows 2000
> <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/migntw2k.asp>
>
> Have a nice day!
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> --------------------
> From: "ddoorlag" <ddoorlag@discussions.microsoft.com>
> Subject: Re: ADMTv2 questions
> Date: Fri, 13 Aug 2004 12:27:03 -0700
> Newsgroups: microsoft.public.windows.server.migration
>
> THANKS...
>
> We're still debating if there's a way around this.. but yes the users DO
> have accounts in both the AD domain and their "soon to be migrated to AD" NT4
> Domain, and I know with a 3rd party Migration tool you can merge these
> accounts (some type of mapping), but I was just hoping ADMTv2 had some method
> to allow this type of "merge"... but everything I've read seems to indicate
> it will either COPY it, or if there is a conflict it can "overlay" the
> account, but I don't see any way to "merge" these accounts..
> If someone can still verify, it would be appreciated.. OR if someone has
> experience with a 3rd party tool that CAN merge NT4 --> AD account I'd be
> interested in hearing your results..
>
> THANKS
>
> "mote" wrote:
>
> > If memory serves correctly, I don't believe this is possible.
> > ADMT clones accounts during an Inter-forest migration and
> > moves accounts during an intra-forest migration. Do you have
> > a very valid reason for merging accounts?
> >
> >
> > "ddoorlag" <ddoorlag@discussions.microsoft.com> wrote in message
> > news:543068A2-0DEA-42E7-B999-9EE82FADDE27@microsoft.com...
> > > THANKS..... Any ideas on if you can merge account1 (from the NT domain) to
> > > account2 (that currently exists in the AD domain) ?? I don't really want to
> > > waste my time with ADMTv2 if it can't merge accounts in this way..
> > >
> > > THANKS
> > > Dave
> > >
> > > "mote" wrote:
> > >
> > > > The readme Doc file and the help file (DomainMig.chm) that accompany the
> > > > download are your best source.
> > > >
> > > > Cheers
> > > >
> > > >
> > > > "ddoorlag" <ddoorlag@discussions.microsoft.com> wrote in message
> > > > news:C7374534-BCAA-43DE-8D51-D4288F898D86@microsoft.com...
> > > > > Questions regarding ADMTv2.
> > > > >
> > > > > 1) Where can I find useful documentation regarding the tool ??
> > > > >
> > > > > 2) Will the ADMTv2 tool "merge" user accounts (JoeNT needs to be merged with
> > > > > Joe account in our current AD environment). I don't see where this can be
> > > > > done in the looking I've done..
> > > > >
> > > > > THANKS
> > > > > Dave
      


