ACL's and permissions viewed after Migrating from NT 4 domain... The twilight zone?
From: Angel_Venjador (notengo@nohay.es)
Date: 02/13/03
From: "Angel_Venjador" <notengo@nohay.es> Date: Thu, 13 Feb 2003 10:45:10 +0100
Hi,
We're currently migrating our NT 4 domain to AD using ADMT from Microsoft.
Everything is fine, except for viewing ACLs after migration.
The ADMT documentation says:
The security on resources does not need to be translated before the source
account is deleted. However, for cosmetic reasons, you will most likely want
to translate security before deleting the source account. Once the source
account is gone, the resource will no longer be able to resolve the SID to a
name and the security properties will show as "account unknown". The access
will still work, but you can't resolve the SID name. If you upgrade the
resource domain to Windows 2000, Windows 2000 will be able to detect the SID
History and resolve the name properly. So, over time, you will want to
manually clean up SID History and grant access to the new security
principals.
The problem (or good thing) is that these cosmetic reasons that the ADMT help
mentions are not right!!!!! In fact, after giving access to a file that is on
an AD DC to an NT4 domain user, if this NT4 user has been migrated keeping
sidhistory, and we view the permissions of this file, then the permissions
are apparently set to the AD user, not the NT4 user!!
This is really astonishing since we EXPLICITLY gave permissions to the NT4
USER!!!
Does anyone have an explanation?
This happens even if we delete the NT4 domain user!!!! Permissions are
always said to be given to the AD user!! And if we then explicitly set
permissions for the AD user, we can see that permissions are set to the AD
user TWICE!!!!!
So I'd like to know why the GUI shows the AD user instead of the real
user the ACLs are being given to... Why does it interpret the SIDs so
badly?
IS IT A BUG?
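
To see which SID each ACE on the file actually stores, rather than the name the permissions dialog resolves it to, the access rules can be listed by raw SID. This is an added example, not part of the original post. The path is a placeholder, and treating a round-trip mismatch as a SID-history match is this example's interpretation.

```powershell
# Added example: list the ACEs on a file by raw SID and flag entries whose SID
# resolves to an account that has a different primary SID.
param(
    [string]$Path = 'D:\Shares\example.txt'   # placeholder path, replace with the file under test
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$nameType = [System.Security.Principal.NTAccount]

# Request identities as SIDs so the output shows what is stored in the ACL,
# not the display name a lookup returns for it.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, $sidType)

foreach ($rule in $rules) {
    $aceSid     = $rule.IdentityReference
    $name       = $null
    $primarySid = $null

    try {
        # SID -> name: the lookup the permissions dialog depends on.
        $name = $aceSid.Translate($nameType)
        # name -> SID: returns the account's current (primary) SID.
        $primarySid = $name.Translate($sidType)
    } catch {
        # No account could be found for this SID ("account unknown" in the GUI).
    }

    if (-not $name) {
        $status = 'unresolved'
    } elseif ($primarySid -and $primarySid.Value -ne $aceSid.Value) {
        # Assumption: the name was matched through the account's SID history.
        $status = 'resolved via another SID of the account'
    } else {
        $status = 'resolved directly'
    }

    [pscustomobject]@{
        AceSid     = $aceSid.Value
        ResolvedAs = $name
        PrimarySid = if ($primarySid) { $primarySid.Value } else { $null }
        Rights     = $rule.FileSystemRights
        Type       = $rule.AccessControlType
        Inherited  = $rule.IsInherited
        Status     = $status
    }
}
```

Two rows that share the same `ResolvedAs` name but have different `AceSid` values correspond to the "set twice" display described in the post.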