RE: ADMT - SID History Issues, Cannot access resources in old doma


From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 12/07/04


Date: Tue, 07 Dec 2004 08:11:09 GMT

From: Luke Fogarty <LukeFogarty@discussions.microsoft.com>
Subject: RE: ADMT - SID History Issues, Cannot access resources in old doma
Date: Mon, 6 Dec 2004 14:51:06 -0800
Newsgroups: microsoft.public.windows.server.migration

What is the error message when you access the old domain A shares? Have you
granted the group permission to the shares instead of the individual user?

[Luke Fogarty] \\server\resource is not accessible. You might not have
permission to use this network resource. Contact the administrator of this
server to find out if you have access permissions.

Access is denied.

As far as I know, this issue may occur if you grant the permission to access
the old resource to a group that contains the user account. After you migrate
the user to the new domain, they are no longer a member of the old group, so
they lose the permission to access the old resource.

Please check the share permission and NTFS permission of the old resource
and let me know whether you granted the permission to the user directly.

[Luke Fogarty]

I created two new shares on domaina: the first with share permissions of
domaina\rhondah (full control) and NTFS permissions of domaina\rhondah (full
control), and the second with share and NTFS permissions for a group rhondah
is a member of.

I still get the same error message as above.

If this is the issue, we need to re-ACL the resources.

[Luke Fogarty]

It doesn't look like the issue, so I haven't re-ACLed any resources at this
stage.

Since OldDomain\User1 is a built-in group, we cannot use ADMT to migrate it.
Fortunately, we are able to use the Security Translation Wizard with a SID
mapping file to add the SID of the NewDomain\"Domain Users" group to the
resources.

[Luke Fogarty]

I'm sure I could get access if I run the Security Translation Wizard on the
servers, but as far as I know I shouldn't have to? SID history is supposed to
allow access to old resources. This is how I've used it in the past.

To do so:
1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can log on as OldDomain\User1 and run "whoami.exe /all". In the
output we can find the SID of OldDomain\"Domain Users". Please use the same
method to get the SID of NewDomain\"Domain Users".

Note: whoami.exe is a utility from the Windows 2000 Resource Kit Tools. If
you do not have it, please let me know.

2. Create a SID mapping file (it should be a .txt file). We can name it
sidmapping.txt.

3. Edit the SID mapping file in Notepad and input the following content:

<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">

Note: Please put the correct SIDs in the above line.

4. Run ADMT, choose "Security Translation Wizard".

5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created in
Step 2.

6. Follow the wizard to translate resources on ServerA.

7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.

As for the roaming profile issue, I suggest you check if the issue occurs on
all the Windows 2000 computers with different user accounts. If so, please
send the Event Viewer logs of a Windows 2000 computer to me.

[Luke Fogarty] I'm not having any roaming profiles issues at this stage.
Exchange permissions are setup for the account "SELF" on each user/mailbox.

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
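As an added example for steps 1 to 3 of the procedure above (it is not part of the original post and is not ADMT's own tooling), the following PowerShell script resolves the SIDs of both "Domain Users" groups, writes sidmapping.txt in the one-line "<old SID>, <new SID>" form the post describes, and then reads the migrated account's sIDHistory attribute to confirm that an old-domain SID is actually present before anything is re-ACLed. It assumes the placeholder names OldDomain, NewDomain and User1 from the thread, that it runs on a machine joined to NewDomain under an account that can read Active Directory there, and that OldDomain is still reachable for name-to-SID translation.

```powershell
# Added example, not from the original post. OldDomain, NewDomain and User1
# are the thread's placeholders; substitute the real NetBIOS names/account.
param(
    [string]$OldDomain = 'OldDomain',
    [string]$NewDomain = 'NewDomain',
    [string]$User      = 'User1',
    [string]$MapFile   = (Join-Path $env:TEMP 'sidmapping.txt')
)

# Resolve DOMAIN\Group to its SID string. This is the same value that
# "whoami /all" prints for a group in the token; the domain must be reachable.
function Get-GroupSid([string]$Domain, [string]$Group) {
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Drop the trailing RID so two SIDs can be compared by domain.
function Get-DomainPrefix([string]$Sid) { $Sid -replace '-\d+$', '' }

# Step 1: SIDs of both "Domain Users" groups.
$oldSid = Get-GroupSid $OldDomain 'Domain Users'
$newSid = Get-GroupSid $NewDomain 'Domain Users'

# Sanity checks: "Domain Users" always has RID 513 in its own domain, and the
# two SIDs must come from different domains or the mapping is meaningless.
foreach ($s in @($oldSid, $newSid)) {
    if ($s -notmatch '-513$') { throw "Not a Domain Users SID: $s" }
}
if ((Get-DomainPrefix $oldSid) -eq (Get-DomainPrefix $newSid)) {
    throw 'Both SIDs belong to the same domain; check the domain names.'
}

# Steps 2-3: a single "<old SID>, <new SID>" line, written as plain ASCII
# (no UTF-8 byte-order mark) so the Security Translation Wizard can read it.
"$oldSid, $newSid" | Out-File -FilePath $MapFile -Encoding ascii
Write-Host "SID mapping file written to $MapFile :"
Get-Content $MapFile

# Extra check before re-ACLing anything: does NewDomain\User1 really carry an
# old-domain SID in sIDHistory? Without it, SID history cannot grant access to
# old-domain resources no matter how the ACLs look.
# Escape LDAP filter metacharacters (RFC 4515) so an odd account name cannot
# alter the query; the backslash must be escaped first.
$safeUser = $User -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# Default search root is the domain of the current machine/account (assumed
# to be NewDomain, where the migrated account lives).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeUser))"
[void]$searcher.PropertiesToLoad.Add('sIDHistory')
$result = $searcher.FindOne()
if (-not $result) { throw "Account $NewDomain\$User not found." }

# sIDHistory is multi-valued and stored as binary SIDs; convert each one.
$history = @($result.Properties['sidhistory'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})

$oldPrefix = Get-DomainPrefix $oldSid
$fromOld   = @($history | Where-Object { $_ -like "$oldPrefix-*" })

Write-Host "sIDHistory of $NewDomain\$User : $($history -join ', ')"
if ($fromOld.Count -eq 0) {
    Write-Warning "No SID from $OldDomain in sIDHistory; the account was migrated without SID history, so only the mapping-file translation can restore access."
} else {
    Write-Host "Old-domain SID present ($($fromOld -join ', ')); SID history is in place."
}
```

If sIDHistory does hold the old SID and the old-domain share still returns "Access is denied", the next thing to check is whether SID filtering (quarantine) is enabled on the trust, for example with netdom trust OldDomain /domain:NewDomain /quarantine (without a Yes/No value it displays the current setting). Filtering strips sIDHistory SIDs from tokens that cross the trust, which leaves the Security Translation Wizard with the mapping file as the remaining way to grant the new accounts access.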