Drawing a blank on SIDHistory scenario

James

I am drawing a blank on the usage of SIDHistory in this
scenario. Let me lay it out.

We are doing an AD migration from an NT4 domain (Legacy) to a
new AD domain (AD_NEW). We are migrating users to AD_NEW,
but we are not moving accounts with SIDHistory. Due to
corporate security, we have to copy accounts and not delete
or disable the accounts in the legacy domain. So each
user has an active AD account and a Legacy domain account.

Here is the problem I can't think through for some
reason....

A server sits in the legacy domain. There is a two-way
trust between the two domains, and there is a file share
on the legacy server that is set up with Legacy NT Group
security. If a user from the AD_NEW domain tries to access
the share, will the server ever try to check the legacy
domain based on the old SID to authenticate? There is no
password sync going on, so the legacy accounts will
eventually have expired passwords. Let me know what you
guys think. Thanks.

James

Matjaz Ladava [MVP]

You could migrate your accounts and then use
http://support.microsoft.com/default.aspx?scid=kb;en-us;295758 to clean up
your sidhistory. Another option would be to use SID filtering
http://support.microsoft.com/?id=289243 which would filter out SIDHistory on
copying user accounts. If the account has a SID history in the user object,
that SID is tried when verifying access to a resource. If the SIDs match
then access is granted. Removing SIDHistory will solve that issue.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
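The mechanism both posts turn on is that a resource server never "looks up" the old account: it only compares the SIDs carried in the caller's access token (objectSid, group SIDs, and any sIDHistory entries) against the SIDs in the share's ACL, and SID filtering on the trust strips out SIDs that do not belong to the trusted domain before that comparison. The following simplified model, added here as an illustration and not code from either poster or from Microsoft, shows the three cases: account copied with sIDHistory, the same account with SID filtering enabled on the trust, and the account copied without sIDHistory as in James's migration. All domain SIDs, RIDs, and group names are constructed.

```python
from dataclasses import dataclass, field

# Constructed domain SIDs for the two domains in the thread.
LEGACY_DOMAIN_SID = "S-1-5-21-1000-1000-1000"
AD_NEW_DOMAIN_SID = "S-1-5-21-2000-2000-2000"


@dataclass
class Account:
    """Minimal stand-in for a user object: objectSid, group SIDs, sIDHistory."""
    object_sid: str
    group_sids: list
    sid_history: list = field(default_factory=list)


def domain_of(sid: str) -> str:
    """Domain part of a domain SID, i.e. everything before the RID."""
    return sid.rsplit("-", 1)[0]


def is_domain_sid(sid: str) -> bool:
    """Domain-relative SIDs start with S-1-5-21-; well-known SIDs do not."""
    return sid.startswith("S-1-5-21-")


def build_token(account: Account) -> set:
    """Model of token construction: the caller presents its own SID, its
    group SIDs and every sIDHistory entry as if they were all its own."""
    return set([account.object_sid] + account.group_sids + account.sid_history)


def apply_sid_filtering(token_sids: set, trusted_domain_sid: str) -> set:
    """Model of SID filtering (quarantine) applied by the resource domain to
    a token arriving over a trust: domain SIDs are kept only if they belong
    to the trusted domain itself; well-known SIDs pass through unchanged."""
    return {
        s for s in token_sids
        if not is_domain_sid(s) or domain_of(s) == trusted_domain_sid
    }


def access_granted(token_sids: set, acl_allow_sids: list) -> bool:
    """Access is a pure SID comparison: any token SID that matches an allow
    entry on the resource grants access. No lookup of the old account, no
    password check against the legacy domain happens here."""
    return bool(token_sids & set(acl_allow_sids))


def legacy_share_check(copied_with_sid_history: bool,
                       sid_filtering_enabled: bool) -> bool:
    """Does an AD_NEW user get into a legacy share whose ACL only lists a
    legacy NT group? Constructed RIDs: 1105 = legacy group, 1201 = user."""
    legacy_group_sid = LEGACY_DOMAIN_SID + "-1105"
    legacy_user_sid = LEGACY_DOMAIN_SID + "-1201"
    history = [legacy_user_sid, legacy_group_sid] if copied_with_sid_history else []
    new_user = Account(
        object_sid=AD_NEW_DOMAIN_SID + "-1201",
        group_sids=[AD_NEW_DOMAIN_SID + "-513"],  # Domain Users in AD_NEW
        sid_history=history,
    )
    token = build_token(new_user)
    if sid_filtering_enabled:
        # Legacy domain trusts AD_NEW, so only AD_NEW's own SIDs survive.
        token = apply_sid_filtering(token, AD_NEW_DOMAIN_SID)
    return access_granted(token, [legacy_group_sid])


if __name__ == "__main__":
    print("sIDHistory, no filtering :", legacy_share_check(True, False))
    print("sIDHistory, filtering    :", legacy_share_check(True, True))
    print("no sIDHistory            :", legacy_share_check(False, False))
```

In James's scenario the accounts were copied without sIDHistory, so the third case applies: the AD_NEW token carries no Legacy SIDs, the legacy server grants nothing on the strength of the old account, and the user only reaches the share if they authenticate with the legacy account directly or the ACL is updated to list AD_NEW principals. Conversely, if sIDHistory had been kept, the expired legacy password would be irrelevant because the legacy SID travels in the AD_NEW token without any legacy authentication; enabling SID filtering on the trust is what blocks that path.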