When you migrate a user with SIDHistory in place, the user (in the new domain) now effectively has 2 SIDs - one from the old domain and one from its new domain. OK. You have resources (say fileshare) in the old domain and the resource was permissioned for users in the old domain. Say the user you migrated above is one of the users who has access to this resource. This means this user's SID is on that list of authorized users. OK. You now migrate this resource from the old domain AND you retained the old permissions. Now, the user you migrated above tries to access the resource you have just migrated. When it requests the resource, he supplies his token which contains (remember?) 2 SIDs. The resources then compares the SIDs inside the token with what it has in its DACL and goes "Oh I see that your SID XYZ is on my control list and here it says to grant access for that SID, so I'm all yours". If you now reACL the resource to match the new domain (removing the old permission), this user will now NOT be able to access the resource unless you specifically grant it access. This is because the SID it was using before is now no longer on the list. When you grant this new access (using accounts from the new domain) and this user again tries to access the resource, the resource will go through the motion again and see that the user's new SID in the new domain is also now present in its DACL, so again, the user is able to access the resource using the new SID - even though his old SID is no longer on the list. Users are Security Principals and Security Principals are all about SIDs rather than names or anything else; if you remember that, the above will make sense to you - I think. As an aside, security groups are also security principals and have SIDs, so even if a user's SID is not directly on a resource DACL, a user can still access the resource by virtue of its membership in a security group whose SID is on the DACL Sincerely,
D�j� Ak�m�l�f�, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Bert Skorupski Sent: Wed 5/11/2005 3:43 PM To: [email protected] Subject: [ActiveDir] Accessing NT4 resource domain via sIDHistory Hey guys, Today I got really confused about trusts and sIDHistory. I always thought that you have to use a trust for accessing resources in an "old" NT4 resource domain. But today I found a Microsoft technote telling the following: "In this way SIDHistory ensures that migrated users can continue to access resources located in a trusting (resource) domain, even though the user's new domain does not have a trust relationship with the resource domain." Can be found here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/T echRef/9d688a18-15c7-4d4e-9d34-7a763baa50a1.mspx Scenario: NT4 Account Domain --> User migrated to target AD domain including sIDHistory, Trust relationship exists to NT4 resource domain and to target AD domain NT4 Resource Domain --> hosting resources (e.g. files & folders) permissioned to users of NT4 account domain, Trust relationship to NT4 account domain only Target AD domain --> hosting the "new" migrated user accounts, Trust relationship to NT4 account domain --> Is it really possible to access resources still hosted within the NT4 resource domain (not being reACLed yet - so still referencing the NT4 account domain accounts in all ACLs) by simply connecting to the file server in that case? --> What's going to happen if the NT4 account domain was switched off while the resources were still hosted within the NT4 resource domain? Could the "migrated" AD users still access the resources? --> What's going to happen if you'd reACLe all the permissions within the NT4 resource domain by replacing the "old" SIDs with the "new" AD SIDs? (Again - still not having a trust relationship between NT4 resource domain and AD target domain)? --> What's going to happen if you'd move the resource hosting member server form the NT4 resource domain to the target AD domain but without having the ACLs reACLed yet? What's going to happen if additionally the trust relationship to the NT4 account domain gets deleted (or the whole domain gets switched off)? I'd greatly appreciate any hints here to get me back on the safe track! ;-) Best regards, Bert List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
