problem migrating security settings via ADMT

v yelsukov

I have migrated all groups and users from one domain to another using ADMT v
2.0. After migrating a single computer that's a member server of the source
domain and shutting the source domain controller down, I noticed that if I
open any of the migrated computer's file's properties and go to the security
tab, where it originally had references to the source domain's BUILTIN
groups, those references are displayed as a chain of dashed numbers (SID).
Then after a while the SIDs disappear and in place there are regular names
indicating their origin of the source domain.



The Builtin Group reference in the ACL of the member server never migrates
to the Builtin Group in the target domain?



Does anybody know if this is the way ADMT works or is it a bug?



Thanks.
 
Ace Fekay [MVP]

In
v yelsukov said:
I have migrated all groups and users from one domain to another using
ADMT v
2.0. After migrating a single computer that's a member server of the
source domain and shutting the source domain controller down, I
noticed that if I open any of the migrated computer's file's
properties and go to the security tab, where it originally had
references to the source domain's BUILTIN groups, those references
are displayed as a chain of dashed numbers (SID). Then after a while
the SIDs disappear and in place there are regular names indicating
their origin of the source domain.



The Builtin Group reference in the ACL of the member server never
migrates to the Builtin Group in the target domain?



Does anybody know if this is the way ADMT works or is it a bug?



Thanks.

Built in groups won't migrate if I remember correctly. I usually don't even
select them, but going on memory, I do not even believe they show up as an
option to migrate in ADMT. If using user or group accounts from the domain
adding them to the builtin groups on a member server, I believe you will
need to re-establish them by adding the new domain's accounts.

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Jorge_de_Almeida_Pinto

I have migrated all groups and users from one domain to another using ADMT v
2.0. After migrating a single computer that's a member server of the source
domain and shutting the source domain controller down, I noticed that if I
open any of the migrated computer's file's properties and go to the security
tab, where it originally had references to the source domain's BUILTIN
groups, those references are displayed as a chain of dashed numbers (SID).
Then after a while the SIDs disappear and in place there are regular names
indicating their origin of the source domain.

The Builtin Group reference in the ACL of the member server never migrates
to the Builtin Group in the target domain?

Does anybody know if this is the way ADMT works or is it a bug?

Thanks.

You said you have shut down the old domain’s DCs. This is normal
behaviour what you experience as I assume you migrated users and
groups with sidhistory and you migrated data protected by global in
the old domain but did not re-acl the data.

Reason:
Because the old domain is not available when you open the ACL editor
you first will see SIDs. If you did not migrate with sidhistory you
still would see SIDs and that would not change. If you migrated with
while the data was migrated with the old domain’s SIDs it will still
show if the data has ACEs from the new domain. THAT IS NOT TRUE!!! As
you migrate the data it depends on the tool and the options chosen if
the ACLs also get migrated.
In your case with sidhistory you will see ACLs with newdomain. If you
remove sidhistory (as in clean it) you would then see the olddomain.

So when migrating data and users and groups using sidhistory you need
to:
* migrate groups, users, memberships WITH sidhistory
* migrate data to a new server or just migrate the server
* Re-ACL the data so the olddomain ACEs are changed to newdomain ACEs
* Cleanup sidhistory (recommended!)

Sidhistory should only be used temporarily for migration purposes!
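
Added example, not part of any post in this thread: a check to run between the re-ACL step and the sidhistory cleanup listed above. It reads exported SDDL strings (for instance the Sddl property returned by PowerShell's Get-Acl) and reports paths whose owner or ACEs still reference the old domain's SIDs. The domain SIDs, paths and SDDL strings are constructed placeholders.

```python
import re

# Constructed placeholder domain SIDs (assumptions, not values from the thread).
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Basic SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;[^;()]*;[^;()]*;[^;()]*;([^;()]*)\)")
OWNER_RE = re.compile(r"^O:(S-1-[0-9-]+|[A-Z]{2})")


def classify_trustee(trustee, old_sid=OLD_DOMAIN_SID, new_sid=NEW_DOMAIN_SID):
    """Say where a trustee lives, judging by the SID string alone."""
    if not trustee.startswith("S-1-"):
        return "alias"        # two-letter SDDL alias such as BA or SY
    if trustee.startswith("S-1-5-32-"):
        return "builtin"      # BUILTIN SIDs are the same on every machine
    if trustee.startswith(old_sid + "-"):
        return "old-domain"   # stops granting access once sIDHistory is cleaned
    if trustee.startswith(new_sid + "-"):
        return "new-domain"
    return "other"


def audit_sddl(sddl):
    """Return (kind, trustee, class) for the owner and every basic ACE."""
    found = []
    owner = OWNER_RE.match(sddl)
    if owner:
        found.append(("OWNER", owner.group(1), classify_trustee(owner.group(1))))
    for ace_type, trustee in ACE_RE.findall(sddl):
        found.append((ace_type, trustee, classify_trustee(trustee)))
    return found


def needs_reacl(exported):
    """Paths whose owner or ACEs still reference the old domain's SIDs."""
    return sorted(path for path, sddl in exported.items()
                  if any(c == "old-domain" for _, _, c in audit_sddl(sddl)))


# Constructed export: path -> SDDL string
SAMPLE = {
    r"D:\Shares\Finance": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)"
        "(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1105)",
    r"D:\Shares\HR": "O:S-1-5-21-4444444444-5555555555-6666666666-500G:DUD:AI"
        "(A;OICIID;FA;;;S-1-5-32-544)"
        "(A;OICIID;0x1200a9;;;S-1-5-21-4444444444-5555555555-6666666666-1210)",
}

if __name__ == "__main__":
    for path in needs_reacl(SAMPLE):
        print("re-ACL still needed:", path)
```

An empty result from `needs_reacl` over the full export is the signal that sidhistory can be cleaned without breaking access to the data.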
 
