• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6533
  • Last Modified:

Migrated users cannot access resources in source domain even though sid history is enabled.

This is a similar situation to the question asked by WeirdFishes in 2011.  I'm working on cross-forest migration, with one domain per forest.  A test user has been migrated to the target domain (Windows 2008) but cannot access resources now in the source domain (Windows 2003).  I have a two-way forest trust setup.  Using the test user in the target domain, I can access resources in the source domain where all users have permissions, but a folder where the test user account in the source domain has specific permission cannot be accessed.

I've confirmed that the test user account in the target domain has the correct SID history.

Can you help?
0
vphul
Asked:
vphul
1 Solution
 
MaheshArchitectCommented:
Have you disabled SID Filtering and enabled SID History across the forest trust ?
If its not done source domain SID will get dropped by source domain when accessing resources from target domain over trust.
If not please enable SID history and disable SID filtering across forest trust from target domain controller
You must be run below command through elevated command prompt and you must be logged on as root domain "domain administrator in target domain
Also your account must be present in source domain built-in administrators group

To disable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /Quarantine:NO

To Enable SID filtering:
netdom trust <source domain FQDN> /domain:<trusted domain> /EnableSIDHistory:yes

http://blogs.technet.com/b/csstwplatform/archive/2010/05/06/how-to-disabling-sid-filter-quarantining-allowing-sid-history.aspx

Both commands should get completed successfully.
Then force replication in source domain.

Also I suggest you to remigrate all groups in merge mode with SID History post your user migration is completed as it will help to fix target users group membership wrt source domain.
At least migrate those affected groups with SID History to which user is member of.

Then logoff user once and try to access shared folder in source domain.

Also i suggest you instead of granting access to individual users in source domain, grant access to security groups and make individual users member of security groups.
Ensure that all source domain security groups are migrated 1st, then all users and then remigrate groups in merge mode with SID History for best \ accurate results as far as possible.

Mahesh
0
 
vphulAuthor Commented:
Hello Mahesh,

Thanks very much for your comment.  I had enabled SID history but not disabled SID filtering.  I'm very pleased to report that my test user can now access the resources in the source domain.

Thanks very much for your help.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now