problem migrating security settings via ADMT

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have migrated all groups and users from one domain to another using ADMT v
2.0. After migrating a single computer that's a member server of the source
domain and shutting the source domain controller down, I noticed that if I
open any of the migrated computer's file's properties and go to the security
tab, where it originally had references to the source domain's BUILTIN
groups, those references are displayed as a chain of dashed numbers (SID).
Then after a while the SIDs disappear and in place there are regular names
indicating their origin of the source domain.


The Builtin Group reference in the ACL of the member server never migrates
to the Builtin Group in the target domain?


Does anybody know if this is the way ADMT works or is it a bug?


Thanks.


--
Victor
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:%2347wYMmuFHA.3864@TK2MSFTNGP12.phx.gbl,
    v yelsukov <please@postinnewsgroup> made this post, which I then commented
    about below:
    > I have migrated all groups and users from one domain to another using
    > ADMT v
    > 2.0. After migrating a single computer that's a member server of the
    > source domain and shutting the source domain controller down, I
    > noticed that if I open any of the migrated computer's file's
    > properties and go to the security tab, where it originally had
    > references to the source domain's BUILTIN groups, those references
    > are displayed as a chain of dashed numbers (SID). Then after a while
    > the SIDs disappear and in place there are regular names indicating
    > their origin of the source domain.
    >
    >
    >
    > The Builtin Group reference in the ACL of the member server never
    > migrates to the Builtin Group in the target domain?
    >
    >
    >
    > Does anybody know if this is the way ADMT works or is it a bug?
    >
    >
    >
    > Thanks.

    Built in groups won't migrate if I remember correctly. I usually don't even
    select them, but going on memory, I do not even believe they show up as an
    option to migrate in ADMT. If using user or group accounts from the domain
    adding them to the builtin groups on a member server, I believe you will
    need to re-establish them by adding the new domain's accounts.

    --
    Regards,
    Ace

    If this post is viewed at a non-Microsoft community website, and you were to
    respond to it through that community's website, I may not see your reply.
    Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    this thread originated in so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "" wrote:
    > I have migrated all groups and users from one domain to
    > another using ADMT v
    > 2.0. After migrating a single computer that's a member server
    > of the source
    > domain and shutting the source domain controller down, I
    > noticed that if I
    > open any of the migrated computer's file's properties and go
    > to the security
    > tab, where it originally had references to the source domain's
    > BUILTIN
    > groups, those references are displayed as a chain of dashed
    > numbers (SID).
    > Then after a while the SIDs disappear and in place there are
    > regular names
    > indicating their origin of the source domain.
    >
    >
    >
    > The Builtin Group reference in the ACL of the member server
    > never migrates
    > to the Builtin Group in the target domain?
    >
    >
    >
    > Does anybody know if this is the way ADMT works or is it a
    > bug?
    >
    >
    >
    > Thanks.
    >
    >
    > --
    > Victor

    You said you have shut down the old domain’s DCs. This is normal
    behaviour what you experience as I assume you migrated users and
    groups with sidhistory and you migrated data protected by global in
    the old domain but did not re-acl the data.

    Reason:
    Because the old domain is not available when you open the ACL editor
    you first will see SIDs. If you did not migrate with sidhistory you
    still would see SIDs and that would not change. If you migrated with
    while the data was migrated with the old domain’s SIDs it will still
    show if the data has ACEs from the new domain. THAT IS NOT TRUE!!! As
    you migrate the data it depends on the tool and the options chosen if
    the ACLs also get migrated.
    In your case with sidhistory you will see ACLs with newdomain. If you
    remove sidhistory (as in clean it) you would then see the olddomain.

    So when migrating data and users and groups using sidhistory you need
    to:
    * migrate groups, users, memberships WITH sidhistory
    * migrate data to a new server or just migrate the server
    * Re-ACL the data so the olddomain ACEs are changed to newdomain ACEs
    * Cleanup sidhistory (recommended!)

    Sidhistory should only be used temporarily for migration purposes!

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
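
The last reply's sequence (migrate with sidHistory, re-ACL, then clean up sidHistory) depends on knowing which ACEs still carry source-domain SIDs. The following is an added example, not part of the original thread: a PowerShell inventory of explicit file-system ACEs whose SID belongs to the source domain. The path, the domain SID and the function name `Get-SourceDomainAce` are placeholders chosen for illustration.

```powershell
# Added example. Both values below are placeholders (assumptions), not from the thread.
$Root            = 'D:\Data'                                     # hypothetical data root
$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed source-domain SID

function Get-SourceDomainAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $DomainSid
    )
    # Domain principals have SIDs of the form <domain SID>-<RID>.
    $prefix = $DomainSid + '-'
    $items  = @(Get-Item -LiteralPath $Path -Force) +
              @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        # Explicit ACEs only (inherited ones are reported at their parent).
        # Requesting SecurityIdentifier returns raw SIDs, so no name lookup is
        # attempted and the scan works with the source DC offline.
        $rules = $acl.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($sid.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $sid
                    Rights = $rule.FileSystemRights
                    Type   = $rule.AccessControlType
                }
            }
        }
    }
}

# Summarise by SID so each source-domain principal can be mapped to its target account.
$hits = @(Get-SourceDomainAce -Path $Root -DomainSid $SourceDomainSid)
$hits | Group-Object Sid | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
"{0} explicit ACE(s) still reference the source domain" -f $hits.Count
```

A count of zero on every migrated volume is the condition to confirm before the sidHistory cleanup step; any remaining hits are ACEs that will stop granting access once sidHistory is removed.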