Solved

Migrated Target User Cannot Access Source User's Files In Source Domain

Posted on 2012-03-15
Last Modified: 2012-03-16
Source 2003 R2 domain HQ and target 2008 R2 domain AD are in separate, external forests that have a working two-way trust relationship. I've installed ADMT 3.2 on a member server in AD and also installed and configured PES in HQ. Migrating HQ\TestUser to AD with ADMT 3.2 seems to work OK, and the ADMT log contains the line "SID for HQ\TestUser added to the SID History of AD\TestUser".

But AD\TestUser gets an "Access is denied" error when trying to access files in HQ that HQ\TestUser owns and has Full Control permissions for.

What could be the problem? How can I diagnose it?

Thanks for your attention!
Question by:jeff1946
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 37728779
There are really two things that prevent this:

1.  The objectSid of the source user wasn't added to the sIDHistory of the target user, but a quick ADSIEdit/ADFind will quickly tell you that. Check the target user's account for the SID.

2.  The AD trust was set up, but you did not disable the sIDHistory filter that is on the trust.  This prevents the sIDHistory from working and is enabled by default.
http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx

More info:  http://technet.microsoft.com/en-us/library/cc772633(v=WS.10).aspx

Just disable the sIDHistory filtering and you should be good.
 
LVL 1

Author Comment

by:jeff1946
ID: 37731371
tmassa99: Thank you for your reply.  You were right -- I needed to disable SID filtering. But I had a lot of trouble actually doing it -- I got "access denied" errors when I did it as a source domain admin on a source DC. I had to make the source domain admin a member of the target domain's builtin administrators group and run the netdom commands as the source admin logged on to a target DC.

I also had to "netdom trust ... enablesidhistory:Yes" and enable the "anonymous SID/Name translation" group policy. But then it worked. Finally!

Thanks for putting me on the right track. Is any of this stuff documented anywhere? And why doesn't ADMT do all this stuff for you?
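The two checks from the accepted answer, and the trust flags behind the netdom switches in the follow-up comment, as an added PowerShell example that is not part of the original thread. `HQ`, `AD` and `TestUser` come from the question; `hq.example.com` is a placeholder, and the script assumes it is run by a target-domain user on a target-domain member.

```powershell
# Added example, not from the thread. hq.example.com is a placeholder.
$SourceAccount   = 'HQ\TestUser'      # migrated source account (from the question)
$TargetSam       = 'TestUser'         # sAMAccountName in the target domain
$SourceDomainDns = 'hq.example.com'   # placeholder: DNS name of the trusting (resource) domain
$TargetFlatName  = 'AD'               # NetBIOS name of the trusted (target) domain

function Get-TrustSidFilterState([int]$TrustAttributes) {
    # Bit values of trustAttributes on a trustedDomain object (MS-ADTS)
    $quarantined = [bool]($TrustAttributes -band 0x04)  # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
    $forest      = [bool]($TrustAttributes -band 0x08)  # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    $asExternal  = [bool]($TrustAttributes -band 0x40)  # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
    if ($forest) {
        # Forest trust: migrated SIDs pass only once /enablesidhistory:Yes has set 0x40
        if ($asExternal -and -not $quarantined) { 'SID history allowed (forest trust)' }
        else { 'SID history filtered (forest trust)' }
    }
    elseif ($quarantined) { 'SID history filtered (external trust, quarantine on)' }
    else { 'SID history allowed (external trust, quarantine off)' }
}

# Check 1: is the source user's objectSid present in the target user's sIDHistory?
$srcSid = ([Security.Principal.NTAccount]$SourceAccount).Translate(
    [Security.Principal.SecurityIdentifier]).Value
$s = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$TargetSam))"
[void]$s.PropertiesToLoad.Add('sidhistory')
$hit = $s.FindOne()
if (-not $hit) { throw "Target user $TargetSam not found in the current domain" }
$history = @($hit.Properties['sidhistory'] | ForEach-Object {
    (New-Object Security.Principal.SecurityIdentifier($_, 0)).Value })
"Source SID $srcSid in sIDHistory: $($history -contains $srcSid)"

# Check 2: read the trust object that the source domain holds for the target domain
$root   = [adsi]"LDAP://$SourceDomainDns"
$filter = "(&(objectClass=trustedDomain)(flatName=$TargetFlatName))"
$tdo = (New-Object DirectoryServices.DirectorySearcher($root, $filter)).FindOne()
if (-not $tdo) { throw "No trustedDomain object for $TargetFlatName in $SourceDomainDns" }
$attrs = [int]$tdo.Properties['trustattributes'][0]
"trustAttributes = 0x{0:X}: {1}" -f $attrs, (Get-TrustSidFilterState $attrs)

# The netdom switches that change these bits on the trusting domain's side:
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:No        (external trust)
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /enablesidhistory:Yes (forest trust)
```

The trust object is read from HQ because the trusting (resource) domain is where filtering is enforced. Run the script before and after changing the trust to confirm which bit changed.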
