
How to map SID from one Domain to completely different unrelated Domain?

Amit Bhatnagar
We are in the process of helping a client move from a legacy environment to a new environment. The current scenario has a SharePoint Server with a few hundred thousand documents (big govt. agency). Now, we are provisioning the old users from the old domain into the new domain using Remedy. Now, the question is: how do we make sure that the new users created in place of the old users have all the same rights on the documents? Note that the users are provisioned using Remedy and hence no SID information is copied over. Rather, these two users will be completely unrelated to each other. We should still be able to give complete permissions to the new user for the old documents.

Is there any way by which we can map the old user SID to the new user automatically, without using any migration tool, etc.? The only good thing in this entire scenario is that the old user name and the new user name will only differ by three characters. So if the old user was ABC, the new user will be NewABC.

-Amit.

Mike Thomas, Consultant

Commented:
Basically:

Create a trust relationship between the domains you are migrating from and to
Disable SID Filtering http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx
Migrate Users using ADMT

I am guessing you just didn't disable SID filtering?
Chris Dent, PowerShell Developer

Commented:

The SID field is very heavily protected because it carries such a lot of potential for abuse.

You will not be writing to it without meeting stringent security requirements; in effect, you will not be writing to it without using one of the migration tools (as outlined by MojoTech), I'm afraid.

To back that up a bit, here are the instructions for using DsAddSidHistory, a C++ function documented on MSDN and the only way to write to the field.

http://msdn.microsoft.com/en-us/library/ms677982%28VS.85%29.aspx

Chris
Amit Bhatnagar, Systems Development Principal - Security and Infrastructure

Author

Commented:
Since this is all a govt.-related project, all the guidelines are already present and hence there is no change. The reason, to begin with, that the users are provisioned and NOT migrated is because of the policies :(. Anyway, it is not about what I can accomplish technically but what I can do with tons of restrictions. So I guess, since these two domains will never be in trust, I need to look at other options, like Chris's.
Chris Dent, PowerShell Developer
Commented:

If they will never trust, you cannot meet the constraints of DsAddSidHistory. You need to rewrite the access control lists, I'm afraid.

Chris
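The ACL rewrite Chris describes, as an added example (this is not code from the thread or from Microsoft): for every SharePoint permission grant held by an old-domain user, the same permission levels are granted to the renamed new-domain account using the question's ABC -> NewABC rule. It assumes the SharePoint 2007/2010 server object model run on the old farm, classic Windows authentication (login names of the form DOMAIN\user), and placeholder domain names, site URL and library name that must be replaced with real values.

```powershell
# Added example, not from the thread. Assumptions: SharePoint server object
# model (2007/2010), classic auth so LoginName looks like "OLD\ABC", and the
# naming rule from the question: OLD\ABC -> NEW\NewABC. Old grants are left in
# place so the cut-over can be audited before they are removed.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$OldDomain   = "OLD"                                        # placeholder NetBIOS name
$NewDomain   = "NEW"                                        # placeholder NetBIOS name
$SiteUrl     = "http://sharepoint.example.local/sites/docs" # placeholder URL
$LibraryName = "Shared Documents"                           # placeholder library

function Convert-LoginName([string]$login) {
    # "OLD\ABC" -> "NEW\NewABC"; accounts outside the old domain are ignored
    if ($login -notmatch "^$OldDomain\\(.+)$") { return $null }
    return "$NewDomain\New$($matches[1])"
}

function Copy-RoleAssignments($web, $securable) {
    # Snapshot the collection: adding while enumerating it is unsafe
    $existing = @($securable.RoleAssignments)
    foreach ($ra in $existing) {
        if ($ra.Member -isnot [Microsoft.SharePoint.SPUser]) { continue }  # groups: handle separately
        $target = Convert-LoginName $ra.Member.LoginName
        if (-not $target) { continue }
        try {
            $newUser = $web.EnsureUser($target)   # resolves the account; throws if NEW has no such user
        } catch {
            Write-Warning "$($ra.Member.LoginName): no account '$target' found; grant skipped"
            continue
        }
        $newRa = New-Object Microsoft.SharePoint.SPRoleAssignment($newUser)
        foreach ($rd in $ra.RoleDefinitionBindings) { $newRa.RoleDefinitionBindings.Add($rd) }
        $securable.RoleAssignments.Add($newRa)    # same permission levels, new principal
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$web  = $site.OpenWeb()
try {
    $list = $web.Lists[$LibraryName]
    Copy-RoleAssignments $web $web                                      # site-level grants
    if ($list.HasUniqueRoleAssignments) { Copy-RoleAssignments $web $list }
    foreach ($item in $list.Items) {                                    # only documents with broken inheritance
        if ($item.HasUniqueRoleAssignments) { Copy-RoleAssignments $web $item }
    }
} finally {
    $web.Dispose(); $site.Dispose()
}
```

Run it once in a test site collection and compare the warnings against the Remedy provisioning list: every warning is a user who exists on a document ACL but was never provisioned in the new domain, which is exactly the gap that would otherwise surface as an access denial after cut-over.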
Amit Bhatnagar, Systems Development Principal - Security and Infrastructure

Author

Commented:
I was looking for a confirmed answer. I had given this answer to the agency but wanted to double-check, and with this exact technical information it would be easier for me to answer them.

Thanks,
-Amit.