Reubenwelsh


Connect an old SID to a new group Active Directory

Hi there,

We are soon taking over an existing environment from a company that's splitting away from the main branch, so we will be building a completely new environment for them. Due to all the politics we aren't allowed to access their old environment and may only request information to be forwarded to us.

I just received the dump of their fileshare and I see all of the user groups are still under "security" on the folders. The problem is they're just SIDs so I can't really tell what goes where.

Is it possible to make a group and connect it to an SID in any way, as it will save days of work for me :)

Really appreciate any ideas you might have or pointers of things we should think about that might not be too obvious.

Have a good weekend everyone!

EDIT: Oh yeah, moving from a 2003 environment to a 2008
Raheem05

1. The question is will you be carrying over the AD accounts to the new target environment?

Please answer this so I can advise further...


It's worth reading the following TechNet article, which breaks down SIDs and SID history and what you can and can't do

http://technet.microsoft.com/en-us/library/cc961625.aspx
Mike Kline
Without a migration of those groups to the new domain you won't be able to do much.  I'm guessing by your description they won't allow any sort of migration.

Thanks

Mike
Reubenwelsh

ASKER

I don't think we will be able to migrate the users to the new domain. We have asked but they haven't given us an OK yet at least. So far we've only been given an Excel document with all the groups connected to the users.

Raheem05, thanks, I'll check that out.
ASKER CERTIFIED SOLUTION
bluntTony
This solution is only available to members.
So there is no way to plug in a user group in all the places a certain SID is?
Agree with both Mike and Tony, hence my first question about the AD accounts and migrations... the SID history can only be carried over if the account moves; otherwise, if it's going to a new domain without migrating the account, there is no way to achieve this.

Is there any way just to migrate parts of an AD to a new domain? Since there is no way they will let us migrate the whole system.

Thanks for all the help guys :) saving me hours of googling =)
SOLUTION
This solution is only available to members.
Why not ask the other admin for some CSVDE dumps of the groups? You can then use this to create all the required groups in your domain.

However these would be NEW groups with new SIDs and new domain-specific information.

Then, given a list of file shares and the groups (names) that are assigned permissions, you could employ some sort of script to assign the permissions to the folders.
An example CSVDE command to export the groups in a format you should be able to import into your domain is:

csvde -r "(objectClass=group)" -l objectClass,description,cn,instanceType,name,sAMAccountName,sAMAccountType,groupType,displayName -c "DC=olddomain,DC=local" "DC=newdomain,DC=local" -f tony.csv

Notice the -c switch gives the option to change the domain portion of a DN if the new domain name is different.

Tony
Sorry forgot to say...

Then in your new domain, create the same OU structure, and use the following command to create all the groups:

csvde -i -f groups.csv

You can follow a similar process for users as well.

This is a 'second best' option should they point blank refuse to allow any migration.

Tony
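
The scripted step described above (assigning the folder permissions to the newly created groups), as an added example that is not part of the original thread. It assumes a mapping file of old SID to new group name, which has to come from the old domain's administrators because the old SIDs cannot be resolved from the new domain; the paths, file name and column names are hypothetical.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Assumed input: sid-map.csv with header OldSid,NewGroup (constructed sample row:
#   S-1-5-21-1111111111-2222222222-3333333333-1105,NEWDOMAIN\Finance-RW)
param(
    [string]$Root    = 'D:\Shares',      # hypothetical path of the restored share
    [string]$MapFile = '.\sid-map.csv',  # hypothetical mapping file
    [switch]$Apply                       # without -Apply the script only reports
)

# Lookup table: old SID string -> new group name
$map = @{}
Import-Csv -Path $MapFile | ForEach-Object { $map[$_.OldSid] = $_.NewGroup }

$sidType = [System.Security.Principal.SecurityIdentifier]
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)

foreach ($folder in $folders) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false
    # Explicit ACEs only, returned as raw SIDs; inherited ACEs are handled on the parent
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if (-not $map.ContainsKey($sid)) { continue }
        try {
            # Same rights, inheritance and allow/deny type, new principal.
            # The constructor can reject rights values it does not recognise
            # (for example generic rights bits); those ACEs are reported instead.
            $group  = New-Object System.Security.Principal.NTAccount($map[$sid])
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $group, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            '{0}: {1} -> {2} [{3} {4}]' -f $folder.FullName, $sid, $map[$sid],
                $ace.AccessControlType, $ace.FileSystemRights
            if ($Apply) { $acl.AddAccessRule($newAce); $changed = $true }
        } catch {
            Write-Warning "$($folder.FullName): $sid needs manual review: $_"
        }
    }
    # The old SID entries are left in place; only new entries are added
    if ($changed) { Set-Acl -LiteralPath $folder.FullName -AclObject $acl }
}
```

Run it once without -Apply and check the reported mappings against the group list before writing any ACLs; a group name that does not exist in the new domain shows up as a warning rather than a silent skip.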
Thanks a lot Tony, I'll give it a try and get back to you :)