Solved

Migrated Target User Cannot Access Source User's Files In Source Domain

Posted on 2012-03-15
2
1,329 Views
Last Modified: 2012-03-16
Source 2003 R2 domain HQ and target 2008 R2 domain AD are in separate, external forests that have a working two-way trust relationship. I've installed ADMT 3.2 on a member server in AD and also installed and configured PES in HQ. Migrating HQ\TestUser to AD with ADMT 3.2 seems to work OK, and the ADMT log contains the line "SID for HQ\TestUser added to the SID History of AD\TestUser".

But AD\TestUser gets an "Access is denied" error when trying to access files in HQ that HQ\TestUser owns and has Full Control permissions for.

What could be the problem? How can I diagnose it?

Thanks for your attention!
0
Comment
Question by:jeff1946
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 37728779
There are really two things that prevent this;

1.  The objectSid of the source user wasn't added to the sIDHistory of the target user, but a quick ADSIEdit/ADFind will quickly tell you that. Check the target user's account for the SID.

2.  The AD trust was set up, but you did not disable the sIDHistory filter that is on the trust.  This prevents the sIDHistory from working and is enabled by default.
http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx

More info:  http://technet.microsoft.com/en-us/library/cc772633(v=WS.10).aspx

Just disable the sIDHistory filtering and you should be good.
0
 
LVL 1

Author Comment

by:jeff1946
ID: 37731371
tmassa99: Thank you for your reply.  You were right -- I needed to disable SID filtering. But I had a lot of trouble actually doing it -- I got "access denied" errors when I did it as a source domain admin on a source DC. I had to make the source domain admin a member of the target domain's builtin administrators group and run the netdom commands as the source admin logged on to a target DC.

I also had to "netdom trust ... enablesidehistory:Yes" and enable the "anonymous SID/Name translation" group policy. But then it worked. Finally!

Thanks for putting me on the right track. Is any of this stuff documented anywhere? And why doesn't ADMT do all this stuff for you?
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conneā€¦
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlleā€¦

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question