
problem migrating security settings via ADMT

Anonymous
September 15, 2005 11:01:09 PM

Archived from groups: microsoft.public.win2000.active_directory

I have migrated all groups and users from one domain to another using ADMT v
2.0. After migrating a single computer that's a member server of the source
domain and shutting the source domain controller down, I noticed that if I
open any of the migrated computer's file's properties and go to the security
tab, where it originally had references to the source domain's BUILTIN
groups, those references are displayed as a chain of dashed numbers (SID).
Then after a while the SIDs disappear and in place there are regular names
indicating their origin of the source domain.



The Builtin Group reference in the ACL of the member server never migrates
to the Builtin Group in the target domain?



Does anybody know if this is the way ADMT works or is it a bug?



Thanks.


--
Victor
Anonymous
September 16, 2005 3:54:42 AM

Archived from groups: microsoft.public.win2000.active_directory

In news:%2347wYMmuFHA.3864@TK2MSFTNGP12.phx.gbl,
v yelsukov <please@postinnewsgroup> made this post, which I then commented
about below:
> I have migrated all groups and users from one domain to another using
> ADMT v
> 2.0. After migrating a single computer that's a member server of the
> source domain and shutting the source domain controller down, I
> noticed that if I open any of the migrated computer's file's
> properties and go to the security tab, where it originally had
> references to the source domain's BUILTIN groups, those references
> are displayed as a chain of dashed numbers (SID). Then after a while
> the SIDs disappear and in place there are regular names indicating
> their origin of the source domain.
>
>
>
> The Builtin Group reference in the ACL of the member server never
> migrates to the Builtin Group in the target domain?
>
>
>
> Does anybody know if this is the way ADMT works or is it a bug?
>
>
>
> Thanks.

Built in groups won't migrate if I remember correctly. I usually don't even
select them, but going on memory, I do not even believe they show up as an
option to migrate in ADMT. If using user or group accounts from the domain
adding them to the builtin groups on a member server, I believe you will
need to re-establish them by adding the new domain's accounts.

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
Anonymous
September 17, 2005 4:38:59 AM

Archived from groups: microsoft.public.win2000.active_directory

"" wrote:
> I have migrated all groups and users from one domain to another using
> ADMT v
> 2.0. After migrating a single computer that's a member server of the
> source domain and shutting the source domain controller down, I
> noticed that if I open any of the migrated computer's file's
> properties and go to the security tab, where it originally had
> references to the source domain's BUILTIN groups, those references
> are displayed as a chain of dashed numbers (SID). Then after a while
> the SIDs disappear and in place there are regular names indicating
> their origin of the source domain.
>
> The Builtin Group reference in the ACL of the member server never
> migrates to the Builtin Group in the target domain?
>
> Does anybody know if this is the way ADMT works or is it a bug?
>
> Thanks.
>
> --
> Victor

You said you have shut down the old domain’s DCs. What you experience is
normal behaviour, as I assume you migrated users and groups with sidhistory
and you migrated data protected by global in the old domain but did not
re-ACL the data.

Reason:
Because the old domain is not available when you open the ACL editor
you first will see SIDs. If you did not migrate with sidhistory you
still would see SIDs and that would not change. If you migrated with
while the data was migrated with the old domain’s SIDs it will still
show if the data has ACEs from the new domain. THAT IS NOT TRUE!!! As
you migrate the data it depends on the tool and the options chosen if
the ACLs also get migrated.
In your case with sidhistory you will see ACLs with newdomain. If you
remove sidhistory (as in clean it) you would then see the olddomain.

So when migrating data and users and groups using sidhistory you need
to:
* migrate groups, users, memberships WITH sidhistory
* migrate data to a new server or just migrate the server
* Re-ACL the data so the olddomain ACEs are changed to newdomain ACEs
* Cleanup sidhistory (recommended!)

Sidhistory should only be used temporarily for migration purposes!

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-problem-m...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1411227
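
An added example, not part of the original thread: one way to check, before the sIDHistory cleanup step listed in the last post, which ACEs on migrated data still carry source-domain SIDs and therefore still need re-ACLing. The function name `Get-AceOrigin`, both domain SIDs and the sample SDDL string are constructed for illustration.

```powershell
# Constructed sample values: both domain SIDs and the SDDL string are made up.
$OldDomain  = 'S-1-5-21-1111111111-2222222222-3333333333'   # source domain (constructed)
$NewDomain  = 'S-1-5-21-4444444444-5555555555-6666666666'   # target domain (constructed)
$SampleSddl = "O:BAG:SYD:(A;;FA;;;BA)(A;;0x1301bf;;;$OldDomain-1105)" +
              "(A;;0x1200a9;;;$NewDomain-1604)(A;;FA;;;SY)"

# Hypothetical helper: classify every DACL entry in an SDDL string by the
# domain its trustee SID belongs to. Works offline; no name lookup is done,
# so it gives the same answer whether or not the old DCs are reachable.
function Get-AceOrigin {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$SourceDomainSid,
        [Parameter(Mandatory)][string]$TargetDomainSid
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # AccountDomainSid is $null for SIDs that are not S-1-5-21-... account SIDs
        $domain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        if ($sid.Value -like 'S-1-5-32-*') {
            $origin = 'BUILTIN alias (S-1-5-32)'
        } elseif ($domain -eq $SourceDomainSid) {
            $origin = 'SOURCE domain: re-ACL before sIDHistory cleanup'
        } elseif ($domain -eq $TargetDomainSid) {
            $origin = 'target domain'
        } else {
            $origin = 'other (well-known or local machine account)'
        }
        [pscustomobject]@{
            Sid    = $sid.Value
            Mask   = '0x{0:x}' -f $ace.AccessMask
            Type   = $ace.AceQualifier
            Origin = $origin
        }
    }
}

Get-AceOrigin -Sddl $SampleSddl -SourceDomainSid $OldDomain -TargetDomainSid $NewDomain |
    Format-Table -AutoSize
```

To check real data, pass `(Get-Acl -LiteralPath <path>).Sddl` as `-Sddl` together with the two real domain SIDs.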