Solved

Migrated Target User Cannot Access Source User's Files In Source Domain

Posted on 2012-03-15
Last Modified: 2012-03-16
Source 2003 R2 domain HQ and target 2008 R2 domain AD are in separate, external forests that have a working two-way trust relationship. I've installed ADMT 3.2 on a member server in AD and also installed and configured PES in HQ. Migrating HQ\TestUser to AD with ADMT 3.2 seems to work OK, and the ADMT log contains the line "SID for HQ\TestUser added to the SID History of AD\TestUser".

But AD\TestUser gets an "Access is denied" error when trying to access files in HQ that HQ\TestUser owns and has Full Control permissions for.

What could be the problem? How can I diagnose it?

Thanks for your attention!
Question by:jeff1946
2 Comments
 
Accepted Solution

by: Tony Massa (ID: 37728779)
There are really two things that prevent this:

1.  The objectSid of the source user wasn't added to the sIDHistory of the target user, but a quick ADSIEdit/ADFind will quickly tell you that. Check the target user's account for the SID.

2.  The AD trust was set up, but you did not disable the sIDHistory filter that is on the trust.  This prevents the sIDHistory from working and is enabled by default.
http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx

More info:  http://technet.microsoft.com/en-us/library/cc772633(v=WS.10).aspx

Just disable the sIDHistory filtering and you should be good.
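
The two checks named in the answer above, written out as an added PowerShell example (not part of the original answer or the poster's own commands). It assumes the ActiveDirectory module on a machine in the target domain, uses the names HQ, AD and TestUser from the question, and assumes the account running `netdom` has rights to read the trust.

```powershell
# Added example: run on a member server in the target domain (AD).
Import-Module ActiveDirectory

$sourceDomain = 'HQ'        # trusting domain that holds the files
$targetDomain = 'AD'        # trusted domain that holds the migrated account
$sam          = 'TestUser'  # account name from the question

function Test-SidHistory {
    param([string]$SourceDomain, [string]$TargetDomain, [string]$SamAccountName)

    # Resolve the source account's objectSid across the trust (name -> SID).
    $account   = New-Object System.Security.Principal.NTAccount($SourceDomain, $SamAccountName)
    $sourceSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Read sIDHistory from the migrated account in the target domain.
    $target  = Get-ADUser -Identity $SamAccountName -Server $TargetDomain -Properties sIDHistory
    $history = @($target.sIDHistory | ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        SourceSid    = $sourceSid.Value
        SidHistory   = $history
        SidInHistory = ($history -contains $sourceSid.Value)
    }
}

# Check 1: is the source SID really in the target user's sIDHistory?
$result = Test-SidHistory -SourceDomain $sourceDomain -TargetDomain $targetDomain -SamAccountName $sam
if ($result.SidInHistory) {
    "OK: $($result.SourceSid) is in the sIDHistory of $targetDomain\$sam"
} else {
    "MISSING: $($result.SourceSid) is not in the sIDHistory of $targetDomain\$sam"
}

# Check 2: SID filtering (quarantine) state on the trust from HQ to AD.
# With no Yes/No value, netdom only displays the current setting; it changes nothing.
netdom trust $sourceDomain "/domain:$targetDomain" /quarantine
```

If check 1 reports OK and check 2 shows SID filtering enabled, the SID in sIDHistory is being dropped at the trust, which matches the second cause in the answer.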
Author Comment

by: jeff1946 (ID: 37731371)
tmassa99: Thank you for your reply.  You were right -- I needed to disable SID filtering. But I had a lot of trouble actually doing it -- I got "access denied" errors when I did it as a source domain admin on a source DC. I had to make the source domain admin a member of the target domain's builtin administrators group and run the netdom commands as the source admin logged on to a target DC.

I also had to "netdom trust ... enablesidhistory:Yes" and enable the "anonymous SID/Name translation" group policy. But then it worked. Finally!

Thanks for putting me on the right track. Is any of this stuff documented anywhere? And why doesn't ADMT do all this stuff for you?