not sure if this is the
answer to your Q (not clear what you mean), but lets give it a
try...
if you migrate a user with sidhistory, it
will not include the group memberships of the object in the source domain just
because the users old sid is in sidhistory. if you need to have the group
memberships as well, you need to migrate the groups to preserver the group
membership and to preserve the access to resources protected by those groups you
need to include the sidhistory as well during migration
is this the answer?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG
Nederland B.V. (BU RTINC Eindhoven)
( Tel
: +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : <see sender
address>
From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Thu 2006-09-21 22:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.
Conceptual situation:
User domain
Resource domain (s)
I bring all users into a single AD environment, bringing over SID History information.
Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?
Mostly just looking at SID history impact between semi-active resource domains that are being decomissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
User domain
Resource domain (s)
I bring all users into a single AD environment, bringing over SID History information.
Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?
Mostly just looking at SID history impact between semi-active resource domains that are being decomissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
