RE: ADMT - SID History Issues, Cannot access resources in old doma


From: Luke Fogarty (LukeFogarty_at_discussions.microsoft.com)
Date: 12/06/04


Date: Mon, 6 Dec 2004 15:35:05 -0800

What is the error message when you access the old domain A shares? Have you
granted the group permission to the shares instead of the individual user?

[Luke Fogarty] \\server\resource is not accessible. You might not have
permission to use this network resource. Contact the administrator of this
server to find out if you have access permissions.

Access is denied.

As far as I know, this issue may occur if you grant a group, which has the
user account, the permission to access the old resource. After you migrate the
user to the new domain, they are not part of the old group, so they lose
the permission to access the old resource.

Please check the share permission and NTFS permission of the old resource
and let me know if you grant the permission to the user directly.

[Luke Fogarty]

I created two new shares on domaina with the share permissions of
domaina\rhondah (full control) and NTFS permissions of domaina\rhondah (full
control) and the second with share and NTFS permissions for a group rhondah
is a member of.

I still get the same error message as above.

If this is the issue, we need to re-ACL the resources.

[Luke Fogarty]

It doesn't look like the issue, so I haven't re-ACLed any resources at this
stage.

Since OldDomain\User1 is a built-in group we cannot use ADMT to migrate it.
Fortunately, we are able to use Security Translation Wizard with a SID
Mapping file to add the NewDomain\"Domain Users" group's SID to the
resources.

[Luke Fogarty]

I'm sure I could get access if I run the security translation wizard on the
servers, but as far as I know I shouldn't have to? SID history is supposed to
allow access to old resources. This is how I've used it in the past.

To do so:
1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1, run "whoami.exe /all". From the
return content, we can find the SID of OldDomain\"Domain Users". Please use
this method to get the SID of NewDomain\"Domain Users".

Note: whoami.exe is a utility from Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.

2. Create a SID mapping file (should be a txt file). We can name it
sidmapping.txt.

3. Edit the SID mapping file in Notepad and input the following content:

<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">

Note: Please put the correct SIDs in the above line.

4. Run ADMT, choose "Security Translation Wizard".

5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created in
Step 2.

6. Follow the wizard to translate resources on ServerA.

7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.

As for the roaming profile issue, I suggest you check if the issue occurs on
all the Windows 2000 computers with different user accounts. If so, please
send the Event Viewer logs of a Windows 2000 computer to me.

[Luke Fogarty] I'm not having any roaming profiles issues at this stage.
Exchange permissions are set up for the account "SELF" on each user/mailbox.
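
Added example, not part of the original post: a PowerShell check for steps 1 to 3 above that validates the two SIDs copied from "whoami /all" before they go into sidmapping.txt, so a mistyped or swapped SID is caught before the Security Translation Wizard runs. The function name and both SID values are constructed for illustration, and the ASCII file encoding is an assumption.

```powershell
# Added example, not from the thread. The two SIDs passed in below are
# constructed sample values; replace them with the ones "whoami /all" reports.
function New-SidMappingLine {
    param(
        [Parameter(Mandatory)][string]$OldSid,
        [Parameter(Mandatory)][string]$NewSid
    )
    $parsed = foreach ($text in $OldSid, $NewSid) {
        try {
            # The constructor throws on a malformed SID string (typo, missing part).
            $sid = [System.Security.Principal.SecurityIdentifier]::new($text.Trim())
        } catch {
            throw "'$text' is not a valid SID string"
        }
        # AccountDomainSid is $null unless the SID is S-1-5-21-<domain>-<RID>.
        if ($null -eq $sid.AccountDomainSid) {
            throw "$($sid.Value) is not a domain account or group SID"
        }
        $sid
    }
    $old, $new = $parsed
    if ($old.AccountDomainSid.Value -eq $new.AccountDomainSid.Value) {
        throw 'Both SIDs belong to the same domain; check which one was copied.'
    }
    # Domain Users has the well-known RID 513 in every domain, so a
    # Domain Users to Domain Users mapping ends in -513 on both sides.
    foreach ($sid in $old, $new) {
        if ($sid.Value.Split('-')[-1] -ne '513') {
            Write-Warning "$($sid.Value) does not end in RID 513 (Domain Users)"
        }
    }
    # Line format from step 3: <old SID>, <new SID>
    '{0}, {1}' -f $old.Value, $new.Value
}

$line = New-SidMappingLine `
    -OldSid 'S-1-5-21-1111111111-2222222222-3333333333-513' `
    -NewSid 'S-1-5-21-1234567890-1098765432-2109876543-513'

# Plain-text file, as step 2 asks for (ASCII encoding is an assumption).
$line | Set-Content -Path .\sidmapping.txt -Encoding ASCII
Get-Content .\sidmapping.txt
```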


