Re: ACL's and permissions viewed after Migrating from NT 4 domain... The twilight zone?

From: Angel_Venjador (notengo@nohay.es)
Date: 02/14/03


From: "Angel_Venjador" <notengo@nohay.es>
Date: Fri, 14 Feb 2003 12:05:06 +0100


Thanks for your answer Dmitri.

OK, this is now clear. And if I decommission the old NT4 domain this should
remain the same, shouldn't it? I mean, if for example I keep the old ACLs in
some directories on a server that is changed from being a DC in an NT4 domain
to a DC in AD, I'll keep seeing my users correctly, yes?

(The little problem I have noticed is that if you give permissions to both
the NT4 user and the migrated AD user, the AD user appears twice in the ACL.
But this isn't really a problem in fact.)

"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:#P#3CL40CHA.1636@TK2MSFTNGP10...
> When you migrated the user, the NT4 sid that was assigned to him was added
> to the new w2k user's sid history. ACLUI cracks the SID it got from the ACL
> against the AD, and it is able to find the new user by the old SID, because
> it also checks the sid history when attempting to crack a sid to a user.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Angel_Venjador" <notengo@nohay.es> wrote in message
> news:OeL3MS00CHA.2552@TK2MSFTNGP12...
> > Hi,
> >
> >
> >
> > We're currently migrating our NT 4 domain to AD using ADMT from Microsoft.
> >
> >
> > Everything is fine, except for what is viewing ACL's after migration.
> >
> >
> > The ADMT documentation says :
> >
> > The security on resources does not need to be translated before the source
> > account is deleted. However, for cosmetic reasons, you will most likely want
> > to translate security before deleting the source account. Once the source
> > account is gone, the resource will no longer be able to resolve the SID to a
> > name and the security properties will show as "account unknown". The access
> > will still work, but you can't resolve the SID name. If you upgrade the
> > resource domain to Windows 2000, Windows 2000 will be able to detect the SID
> > History and resolve the name properly. So, over time, you will want to
> > manually clean up SID History and grant access to the new security
> > principals.
> >
> >
> > The problem (or good thing) is that these cosmetic reasons that ADMT help
> > says are not right!!!!! In fact, after giving access in a file that is in an
> > AD DC to an NT4 domain user, if this NT4 user has been migrated keeping
> > sidhistory, if we view the permissions of this file then the permissions
> > are apparently set to the AD user, not the NT4 user!!
> >
> >
> > This is really astonishing since we EXPLICITLY gave permissions to the NT4
> > USER!!!
> >
> >
> > Does anyone have an explanation?
> >
> >
> > This happens even if we delete the NT4 domain user!!!! Permissions are
> > always said to be given to the AD user!! And if we then explicitly set
> > permissions to the AD user, we can see that permissions are set to the AD
> > user TWICE!!!!!
> >
> >
> > I'd like to know why the GUI shows the AD user instead of the real
> > user the ACLs are being given to... Why does it interpret the
> > SIDs so badly?
> >
> > IS IT A BUG?
> >
> >
>
>
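
The lookup described in this thread, modelled as an added example (not part of the original posts and not Microsoft's ACLUI code): each ACE's SID is matched against an account's primary SID, then against sidHistory, which is why the migrated user is shown twice and why ACEs that resolve only through sidHistory are the ones to translate before SID History is cleaned up. The account names, SIDs, SDDL string and the lookup order are constructed assumptions.

```python
import re

# Constructed directory: each account has a primary SID (objectSid) and, if it
# was migrated with SID history, the old NT4 SID in sidHistory. Values are made up.
DIRECTORY = [
    {"name": r"CORP\jsmith", "objectSid": "S-1-5-21-2000-2000-2000-1105",
     "sidHistory": ["S-1-5-21-1000-1000-1000-1013"]},
    {"name": r"CORP\mlopez", "objectSid": "S-1-5-21-2000-2000-2000-1106",
     "sidHistory": []},
]

# Constructed SDDL DACL: one ACE for the old NT4 SID, one for the new AD SID,
# and one for a SID that no account carries.
SDDL = ("D:(A;;FA;;;S-1-5-21-1000-1000-1000-1013)"
        "(A;;FA;;;S-1-5-21-2000-2000-2000-1105)"
        "(A;;FR;;;S-1-5-21-1000-1000-1000-1099)")

# An ACE is six ';'-separated fields: type;flags;rights;guid;inherit_guid;sid
ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")

def ace_trustees(sddl):
    """Return (ace_type, rights, trustee_sid) for each ACE in an SDDL DACL."""
    return [(m[1], m[3], m[6]) for m in ACE_RE.finditer(sddl)]

def resolve(sid, directory=DIRECTORY):
    """Map a SID to (name, how): primary SID first, then sidHistory."""
    for acct in directory:
        if acct["objectSid"] == sid:
            return acct["name"], "objectSid"
    for acct in directory:
        if sid in acct["sidHistory"]:
            return acct["name"], "sidHistory"
    return "Account Unknown", None

def audit(sddl, directory=DIRECTORY):
    """List each ACE with the name a viewer would show and how it was found."""
    rows = []
    for _ace_type, rights, sid in ace_trustees(sddl):
        name, how = resolve(sid, directory)
        rows.append({"sid": sid, "rights": rights, "shown_as": name, "via": how})
    return rows

def needs_translation(rows):
    """SIDs of ACEs that resolve only through sidHistory."""
    return [r["sid"] for r in rows if r["via"] == "sidHistory"]

if __name__ == "__main__":
    for row in audit(SDDL):
        print(row)
    print("translate before clearing sidHistory:", needs_translation(audit(SDDL)))
```
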


