Re: ACL's and permissions viewed after Migrating from NT 4 domain... The twilight zone?
From: Angel_Venjador (notengo@nohay.es)
Date: 02/17/03
From: "Angel_Venjador" <notengo@nohay.es> Date: Mon, 17 Feb 2003 08:35:58 +0100
And the ACLUI will keep showing the AD users 'correctly'?
"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:#f3KUAG1CHA.1628@TK2MSFTNGP10...
> Yes, you can decommission the old domain, and the users will retain all
> access they used to have, including file access. You can verify this by
> taking the NT4 DCs offline.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory Core
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Angel_Venjador" <notengo@nohay.es> wrote in message
> news:Ox$ZhjB1CHA.1900@TK2MSFTNGP10...
> > Thanks for your answer Dmitri.
> >
> > OK, this is now clear. And if I decommission the old NT4 domain this should
> > remain the same, shouldn't it? I mean, if for example I keep the old acl's in
> > some directories in a server that is changed from being a DC in NT4 domain
> > to a DC in AD, I'll keep seeing my users correctly, yes?
> >
> > (the little problem I have noticed is that if you give permissions to both
> > the NT4 user and the migrated AD user, the AD user appears twice in the ACL.
> > But this isn't really a problem in fact).
> >
> > "Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
> > news:#P#3CL40CHA.1636@TK2MSFTNGP10...
> > > When you migrated the user, the NT4 sid that was assigned to him was added
> > > to the new w2k user's sid history. ACLUI cracks the SID it got from the ACL
> > > against the AD, and it is able to find the new user by the old SID, because
> > > it also checks the sid history when attempting to crack a sid to a user.
> > >
> > > --
> > > Dmitri Gavrilov
> > > SDE, Active Directory Core
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > > "Angel_Venjador" <notengo@nohay.es> wrote in message
> > > news:OeL3MS00CHA.2552@TK2MSFTNGP12...
> > > > Hi,
> > > >
> > > > we're currently migrating our NT 4 domain to AD using ADMT from Microsoft.
> > > >
> > > > Everything is fine, except for what is viewing ACL's after migration.
> > > >
> > > >
> > > > The ADMT documentation says :
> > > >
> > > > The security on resources does not need to be translated before the source
> > > > account is deleted. However, for cosmetic reasons, you will most likely want
> > > > to translate security before deleting the source account. Once the source
> > > > account is gone, the resource will no longer be able to resolve the SID to a
> > > > name and the security properties will show as "account unknown". The access
> > > > will still work, but you can't resolve the SID name. If you upgrade the
> > > > resource domain to Windows 2000, Windows 2000 will be able to detect the SID
> > > > History and resolve the name properly. So, over time, you will want to
> > > > manually clean up SID History and grant access to the new security
> > > > principals.
> > > >
> > > >
> > > > The problem (or good thing) is that these cosmetic reasons that ADMT help
> > > > says are not right!!!!! In fact, after giving access in a file that is in an
> > > > AD DC to a NT4 domain user, if this NT4 user has been migrated keeping
> > > > sidhistory, if we view the permissions of this file then the permissions
> > > > are apparently set to the AD user, not the NT4 user!!
> > > >
> > > > This is really astonishing since we EXPLICITLY gave permissions to the NT4
> > > > USER!!!
> > > >
> > > > Any one has an explanation?
> > > >
> > > > This happens even if we delete the NT4 domain user!!!! permissions are
> > > > always said to be given to the AD user!! and if then we explicitly set
> > > > permissions to the AD user, we can see that permissions are set to the AD
> > > > user TWICE!!!!!
> > > >
> > > > I'd like to know why the GUI shows the AD user instead of the real
> > > > user the ACL's have been given to... Why does it interpret the SID's so
> > > > badly?
> > > >
> > > > IS IT A BUG?
> > > >
> > > >
> > >
> > >
> >
> >
>
>
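Added example, not part of the original thread and not ACLUI's own code: a simplified Python model of the lookup Dmitri describes (a SID from the ACL is matched against the directory, including SID history), run over a constructed ACL to show why the migrated user is displayed twice. The directory entries, SIDs, function names and the order of the two lookups are assumptions made for illustration.

```python
# Simplified model of SID-to-name resolution with SID history (not the Windows API).
from collections import defaultdict

# Constructed directory: a migrated user has a new objectSid plus the old
# NT4 SID carried in sIDHistory. All SIDs and names are made up.
DIRECTORY = [
    {"name": r"AD\alice", "objectSid": "S-1-5-21-2000-2000-2000-1105",
     "sIDHistory": ["S-1-5-21-1000-1000-1000-1010"]},
    {"name": r"AD\bob", "objectSid": "S-1-5-21-2000-2000-2000-1106",
     "sIDHistory": []},
]

def resolve(sid, directory=DIRECTORY):
    """Return (name, matched_attribute), or (None, None) if the SID is unknown."""
    for entry in directory:
        if entry["objectSid"] == sid:
            return entry["name"], "objectSid"
    for entry in directory:  # assumed fallback: search SID history
        if sid in entry["sIDHistory"]:
            return entry["name"], "sIDHistory"
    return None, None

def audit_acl(acl, directory=DIRECTORY):
    """Resolve each ACE; report display names, history-only ACEs and duplicates."""
    shown, via_history, by_name = [], [], defaultdict(list)
    for sid, rights in acl:
        name, attr = resolve(sid, directory)
        shown.append((name or "Account Unknown", rights))
        if attr == "sIDHistory":
            via_history.append(sid)
        if name:
            by_name[name].append(sid)
    duplicates = {n: s for n, s in by_name.items() if len(s) > 1}
    return shown, via_history, duplicates

# Constructed ACL: one ACE for the old NT4 account, one for the migrated
# account, and one for a SID that exists nowhere in the directory.
SAMPLE_ACL = [
    ("S-1-5-21-1000-1000-1000-1010", "Modify"),
    ("S-1-5-21-2000-2000-2000-1105", "Read"),
    ("S-1-5-21-1000-1000-1000-1099", "Read"),
]

if __name__ == "__main__":
    shown, via_history, duplicates = audit_acl(SAMPLE_ACL)
    for name, rights in shown:
        print(f"{name:20} {rights}")
    print("ACEs that resolve only through sIDHistory:", via_history)
    print("Principals listed more than once:", duplicates)
```

The ACEs reported as resolving only through sIDHistory are the ones that would need to be granted to the new principal before SID history is cleaned up, as the ADMT documentation quoted above recommends.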