TrutweinA (Guest)
Posted: Tue Jan 18, 2005 10:53 pm
Post subject: ADMT - FILE ACLing with 2 domains
Hi,
Question... Imagine the scenario that you have 2 domains, NT4 and 2003 AD. A file server is sitting in the new AD domain. You set the permissions on a user's folder for both the old domain and the new domain (yes, there is a trust relationship in place!). Should the permissions be automatically changed to just the 2003 permissions and the old NT4 user account be removed (from the ACL list) because it should be using SID history? Or will this have no effect because it's file-based permissions and not directory-based?
So will the end result be just the 2003 domain's user account with permissions... if the user (in the old domain) tries to access the folder, will it use SID history and grant the permissions?
Thanks
Adam
Frances [MSFT] (Guest)
Posted: Wed Jan 19, 2005 2:03 pm
Post subject: RE: ADMT - FILE ACLing with 2 domains
Hello Adam,
Thanks for your email.
I am not very clear about your question. What do you mean by "file based permissions" and "directory based permissions"?
Generally speaking, SID history is used for migrated users to access the resources in the source domain. It is an interim method in the migration process, and is particularly useful when the users and groups have been migrated to the target domain while the resources are still in the source domain.
Regarding your scenario, for example, let us name the NT domain NTdom, and the win2k3 domain Windom. There is User1 in NTdom, and he has been migrated to Windom with SID history, named User1. A file server is in Windom. On one user's folder on the file server, you set the permissions to both NTdom\User1 and Windom\User1.
Q1. Should the permissions be automatically changed to just the 2003 permissions and the old NT4 user account be removed (from the ACL list) because it should be using SID history? Or will this have no effect because it's file-based permissions and not directory-based?
A: The permissions will not automatically change to just the 2003 permission. If you remove NTdom\User1 manually, the user will not be able to access the folder any more.
Q2. So will the end result be just the 2003 domain's user account with permissions... if the user (in the old domain) tries to access the folder, will it use SID history and grant the permissions?
A: NTdom\User1 will not use SID history and get permission to access the share if you remove NTdom\User1 manually. Actually, I think in this scenario, SID history is not used.
When you migrate user accounts with SID history, for example, from NTdom\User1 to Windom\User1, Windom\User1 will have an attribute sIDHistory, which includes the SID of NTdom\User1. When Windom\User1 tries to access resources in NTdom, his token will include the SID of NTdom\User1, which helps him to access resources that permit NTdom\User1 to access. On the other hand, NTdom\User1 does not have the sIDHistory attribute, so he cannot access resources to which he has not been given permission.
In addition, SID history is only a temporary workaround in the migration process. It will raise potential risks and make the user's token very large. So when the migration is completed and the resources have been migrated to the new domain, SID history is recommended to be removed.
The following article may offer you more information about SID history.
Using SID History to Preserve Resource Access
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbi_reer_qdhe.asp
Hope it helps. If you have any further questions, don't hesitate to get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
TrutweinA (Guest)
Posted: Wed Jan 19, 2005 8:23 pm
Post subject: RE: ADMT - FILE ACLing with 2 domains
Thanks for this, Frances... I thought that might be the case. We are seeing something strange happen in our Turkey office, whereby we are permissioning with both the 2K3 domain account and the NT4 domain account, and then after a while the NT4 account disappears from the ACL list! At the moment we are migrating 250 users from the NT domain to the AD (well, the users are already migrated; we are just in the process of changing their sAMAccountNames and CNs) and reapplying both sets of permissions (NT4 account and 2K3 account) to the users' folders... I'll post back and let you know if the NT4 account disappears again... but I remember when we did this in pilot the NT4 account vanished from the ACL list... very odd!
Many Thanks
Adam
Frances [MSFT] (Guest)
Posted: Thu Jan 20, 2005 12:54 pm
Post subject: RE: ADMT - FILE ACLing with 2 domains
Hello Adam,
Thanks for your post.
According to your description, it is really very odd. However, I have some questions to confirm my understanding of the situation.
Q1. Where do you see the ACL list, from a command line or the user interface? Is the ACL list you mentioned the list for a folder?
Q2. Do you change the sAMAccountNames and CNs in a batch file? What command do you use?
Please take a screen shot of the ACL, which can show the result after the accounts disappear. Also take a screen shot of the normal behavior before the accounts disappear.
I would like to confirm that what you find is that the NT4 accounts disappear and no other accounts appear twice. Is that correct? It is probable that the 2k3 accounts appear twice due to sIDHistory being enabled. I will further explain it in an example.
NOTE: The user account is user1, the NT domain is called Domain, and the destination is Win2k3Dom.
When you migrate user1 from Domain to Win2k3Dom, it is possible that Win2k3Dom\user1 is displayed twice.
This is because when you see the ACL, the system will query who has the permission to access the resource. Domain\user1 is stored as a SID instead of its friendly name "Domain\user1". When the system checks the SID, it finds two SIDs of "Domain\user1": one SID is from the old domain and another SID is from the new domain (in the sIDHistory attribute of Win2k3Dom\user1). The SIDs are broadcast on the network to find the server which will respond with the friendly name.
Technically speaking, the nearest DC will respond to this broadcast and translate both SIDs to "Win2k3Dom\user1", since the server only recognizes the friendly name within its own domain.
I suggest that you have a look at the post titled "GPMC Migration table populate with wrong source name"; it may give you some clues about the situation of double display names.
If you have any further questions, don't hesitate to get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
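The distinction Frances draws above (an ACE stores a SID; the friendly name is only looked up at display time, so two distinct SIDs can show the same name) is easiest to confirm by reading the ACL by SID. The following PowerShell script is an added example, not code from this thread or from Microsoft: it loads the migrated user's primary SID and sIDHistory values, lists each ACE on a folder with its underlying SID, marks which ACEs the user would match through the primary SID and which only through sIDHistory, and warns when one display name maps to more than one SID. The folder path, the account name and the availability of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example: inspect a folder's ACL by SID and relate it to a migrated user's
# sIDHistory. Requires the ActiveDirectory module and read access to the folder's
# security descriptor. Path and account name below are assumed sample values.
param(
    [string]$FolderPath = 'D:\Home\user1',   # assumed home-folder path
    [string]$TargetDomainUser = 'user1'      # sAMAccountName in the target (2003) domain
)

Import-Module ActiveDirectory

# 1. Primary SID plus every SID carried in sIDHistory (empty if never migrated or already cleared).
$user        = Get-ADUser -Identity $TargetDomainUser -Properties sIDHistory
$primarySid  = [string]$user.SID
$historySids = @($user.sIDHistory | ForEach-Object { [string]$_ })

# 2. Read the ACL and translate each ACE identity to its SID. The ACE itself holds the
#    SID; IdentityReference.Value is just the name the lookup produced at display time.
$acl = Get-Acl -Path $FolderPath
$entries = foreach ($ace in $acl.Access) {
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = '<unresolvable>'   # orphaned or untrusted-domain SID; still worth listing
    }
    $grantedVia = '-'
    if ($sid -eq $primarySid) { $grantedVia = 'primary SID' } elseif ($historySids -contains $sid) { $grantedVia = 'sIDHistory' }
    [pscustomobject]@{
        DisplayName = $ace.IdentityReference.Value
        Sid         = $sid
        Rights      = $ace.FileSystemRights
        Type        = $ace.AccessControlType
        Inherited   = $ace.IsInherited
        GrantedVia  = $grantedVia
    }
}
$entries | Format-Table -AutoSize

# 3. One display name resolving to several SIDs is the "duplicate friendly name" effect:
#    the ACEs are distinct entries, only the names collide after translation.
$entries | Group-Object DisplayName |
    Where-Object { @($_.Group.Sid | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $distinct = @($_.Group.Sid | Select-Object -Unique)
        Write-Warning ("'{0}' appears {1} times but maps to {2} distinct SIDs: {3}" -f
            $_.Name, $_.Count, $distinct.Count, ($distinct -join ', '))
    }
```

Run it on the file server (or from a host that can reach the share and a DC of the target domain) as `.\Show-AclBySid.ps1 -FolderPath 'D:\Home\user1' -TargetDomainUser user1`, the file name being an assumed one. The GrantedVia column makes the asymmetry in the thread visible: the target-domain account matches both its own ACE and the old-domain ACE (through sIDHistory), whereas the old-domain account, which carries no history, would match only the ACE holding its own SID.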
TrutweinA (Guest)
Posted: Thu Jan 20, 2005 5:47 pm
Post subject: RE: ADMT - FILE ACLing with 2 domains
Hi Frances,
A1. If I execute xcacls on a user's home folder it gives me (using the example domain name, not the real one!):
WIN2K3DOM\abelkis:(OI)(CI)C
WIN2K3DOM\abelkis:(OI)(CI)C
BUILTIN\Administrators:(OI)(C
BUILTIN\Administrators:(OI)(I
BUILTIN\Administrators:(CI)F
BUILTIN\Administrators:(OI)(I
BUILTIN\Administrators:(CI)F
If I look at the ACL list from Windows it gives me:
Example User (Example.User@company.com) - Modify
Example User (Example.User@company.com) - Modify
Administrators (Localserver\Administrators) - Full Control
When it is generating the ACL list, I can see the SIDs for a brief moment, and they are different for both user accounts.
The permissions were set on the user's home folder using FILEACL, and they were: the user in the WIN2K3DOM modify, the user in the NT domain modify and local admins full control.
A2. The CN and sAMAccountName are changed using standard VBScript.
Think you have hit the nail on the head though! I shall have a look at that document regarding duplicate friendly names.
Many thanks for your help in this!
Kind Regards
Adam
Frances [MSFT] (Guest)
Posted: Fri Jan 21, 2005 1:38 pm
Post subject: RE: ADMT - FILE ACLing with 2 domains
Hello Adam,
According to your information, I believe it is a problem regarding duplicated friendly names. The duplicated names actually refer to two different SIDs, one for the NT user and the other for the win2k3 user.
This is normal behavior, so please don't worry about it. If you don't want to keep SIDhistory any more, please use the clearsid.vbs script to achieve this goal.
Please NOTE: You cannot retrieve the SID removed after running clearsid.vbs.
How To Use Visual Basic Script to Clear SidHistory
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758
Any update, let us get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
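Because clearing sIDHistory is irreversible, a practitioner normally audits which accounts still carry it, confirms that every resource has been re-ACLed with the new SIDs, and only then removes the values. The PowerShell below is an added example written for this thread; it is not the clearsid.vbs script from the KB article and does not reproduce it. It reports every sIDHistory value in the domain (or an assumed OU) and offers a removal function that honours -WhatIf and -Confirm, using Set-ADUser -Remove on the sIDHistory attribute. The ActiveDirectory module, the OU distinguished name and the sample account name are assumptions.

```powershell
# Added example: audit sIDHistory before clearing it, then clear it one account at a
# time under ShouldProcess so -WhatIf / -Confirm apply. Requires the ActiveDirectory
# module and write access to the target accounts. Names below are assumed samples.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU DN (assumed); defaults to the whole domain

    $query = @{ LDAPFilter = '(sIDHistory=*)'; Properties = 'sIDHistory' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        foreach ($old in @($_.sIDHistory)) {
            $oldSid = [string]$old
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                CurrentSid      = [string]$_.SID
                HistorySid      = $oldSid
                # Everything before the trailing RID identifies the source domain.
                SourceDomainSid = $oldSid -replace '-\d+$', ''
            }
        }
    }
}

function Clear-SidHistory {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    foreach ($old in @($user.sIDHistory)) {
        $oldSid = [string]$old
        # Removal cannot be undone: ShouldProcess gates each value behind -WhatIf/-Confirm.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove sIDHistory value $oldSid")) {
            Set-ADUser -Identity $user -Remove @{ sIDHistory = $oldSid }
        }
    }
}

# Usage: review the report first, then rehearse with -WhatIf before clearing for real.
Get-SidHistoryReport | Format-Table -AutoSize
# Clear-SidHistory -SamAccountName user1 -WhatIf
```

Run the report and keep its output (SamAccountName, CurrentSid, HistorySid) before any removal; it is the only record of the old SIDs you will have afterwards, and it is also the list to check against the by-SID ACL review of each folder so that no resource is still granting access solely to a history SID.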