Matt,
When you logon, you are 'given' a token which includes a
list of groups (group SIDs actually) to which you have membership. This list
includes groups you are directly a member of, groups you have membership of via
nesting but also groups you have membership of via
SIDhistory.
When
you attempt to access a resource on the server, you will present your token and
list of groups to the server. The server then tries to match a group SID to a
SID which in contained in the ACL for the resource being accessed. If a match is
found, you gain access, if not or a deny is matched, you are not granted
access.
Hope
that helps,
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: 21 September 2006 21:59
To: [email protected]
Subject: [ActiveDir] SID History.
User domain
Resource domain (s)
I bring all users into a single AD environment, bringing over SID History information.
Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?
Mostly just looking at SID history impact between semi-active resource domains that are being decomissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
