Windows Server

James Fong · Guest

performing interforest migration from forest A to forest B.
Resource A in Domain A in forest A is granted permission to Domain Users.
After migrating user A from Domain A in forest A to Domain Z in forest B,
user cannot access the resource A when logon to Domain Z in forest B.
SID history is turned on during migration. SID filtering is disabled
between domain A and Domain Z.
But if Resource A is granted permission to global Group A. User A is made a
member of group A. Migrate user A and Group A to Domain Z in forest B. Then
user A when logon to Domain Z can access resource B by using the SID history.
Obviously one solution is to add all users in Domain A to group A and
re-configure resource permissions to grant access to group A. But that means
changing permission on thousands of resources.
What is a better way to migrate users/groups so resrouces with permissions
granted to Domain Users in source domain can be accessed by migrated users in
the target domain?

Rebecca Chen [MSFT] · Guest

Hi James,

This is a known behavior. Domain user group is different between global
group. Since OldDomain is a built-in group we cannot use ADMT to migrate
it. Fortunately, we are able to use Security Translation Wizard with a SID
Mapping file to add the NewDomain\"Domain Users" group''s SID to the
resources.

To do so:

1. Get the SIDs of both OldDomain\"Domain Users" and NewDomain\"Domain
Users". We can logon as OldDomain\User1, run "whoami.exe /all". From the
return content, we can find the SID of OldDomain\"Domain Users". Please use
this method to get the SID of NewDomain\"Domain Users".

Note: whoami.exe is an utility from Windows 2000 Resource Kit Tools. If you
do not have it, please let me know.

2. Create a SID mapping file (should be a txt file). We can name it
sidmapping.txt.

3. Edit the SID mapping file in Notepad and input the following content:

<SID of OldDomain\"Domain Users">, <SID of NewDomain\"Domain Users">

Note: Please put the correct SIDs in the above line.

4. Run ADMT, choose "Security Translation Wizard".

5. On the "Security Translation Options" page, choose "Other objects
specified in a file" and browse to select the sidmapping.txt file created
in Step 2.

6. Follow the wizard to translate resources on ServerA.

7. Please check if the NewDomain\User1 has access to <\\ServerA\Share>.

As for the roaming profile issue, I suggest you check if the issue occurs
on all the Windows 2000 computers with different user accounts. If so,
please send the Event Viewer logs of a Windows 2000 computer to me.

Step 1: Click Start, click Run, and then type "eventvwr" (without the
quotation
marks), click OK.

Step 2: Right-click Application and select Save Log File As.

Step 3: Save it Application.evt.

Step 4: Repeat step 1 to 3 to save the Security and System event to
Security.evt
and System.evt.

Step 5: Delete all the Application, Security and System log in the Event
Viewer.

Step 6: Restart the computer. When the issue occurs, save the new
Application, Security and System log to three new files and send them to me
at v-rebc@microsoft.com.

HTH!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

	Windows Server Forum Index -> Migration	All times are GMT
Page 1 of 1