Solved

Migrated Target User Cannot Access Source User's Files In Source Domain

Posted on 2012-03-15
2
1,342 Views
Last Modified: 2012-03-16
Source 2003 R2 domain HQ and target 2008 R2 domain AD are in separate, external forests that have a working two-way trust relationship. I've installed ADMT 3.2 on a member server in AD and also installed and configured PES in HQ. Migrating HQ\TestUser to AD with ADMT 3.2 seems to work OK, and the ADMT log contains the line "SID for HQ\TestUser added to the SID History of AD\TestUser".

But AD\TestUser gets an "Access is denied" error when trying to access files in HQ that HQ\TestUser owns and has Full Control permissions for.

What could be the problem? How can I diagnose it?

Thanks for your attention!
0
Comment
Question by:jeff1946
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 37728779
There are really two things that prevent this;

1.  The objectSid of the source user wasn't added to the sIDHistory of the target user, but a quick ADSIEdit/ADFind will quickly tell you that. Check the target user's account for the SID.

2.  The AD trust was set up, but you did not disable the sIDHistory filter that is on the trust.  This prevents the sIDHistory from working and is enabled by default.
http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx

More info:  http://technet.microsoft.com/en-us/library/cc772633(v=WS.10).aspx

Just disable the sIDHistory filtering and you should be good.
0
 
LVL 1

Author Comment

by:jeff1946
ID: 37731371
tmassa99: Thank you for your reply.  You were right -- I needed to disable SID filtering. But I had a lot of trouble actually doing it -- I got "access denied" errors when I did it as a source domain admin on a source DC. I had to make the source domain admin a member of the target domain's builtin administrators group and run the netdom commands as the source admin logged on to a target DC.

I also had to "netdom trust ... enablesidehistory:Yes" and enable the "anonymous SID/Name translation" group policy. But then it worked. Finally!

Thanks for putting me on the right track. Is any of this stuff documented anywhere? And why doesn't ADMT do all this stuff for you?
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question