sid history???


Fredrik

Can I migrate the NT 4 global group NT4domain\DomainUsers so I can get that
group's sidhistory into AD? Else we have to go through a lot of NT4 resources
and add new AD groups on them. Adding NT4 accounts is not a good idea because
very many people are accessing the resources.
Because every migrated user in the AD is a member of ADdomain\domainusers, is
there any way to make that group a member of NT4domain\DomainUsers?

I hope I explain our situation. We want to migrate over 1500 people to AD.
The idea is to migrate all global+local groups (with sidhistory) and then
all users (with sidhistory). After that it should work for them to access
all NT4domain resources (over 70 NT4+W2K servers) with the sidhistory.
Resources with migrated groups and their personal resources will work with
the sidhistory but not resources with NT4domain\DomainUsers having user
rights. How can this also be automatically migrated like all the other groups
which are not builtin NT4 groups? If we can migrate groups and accounts and
have them access everything as usual, then the next idea was to migrate
the servers one by one, and then also fix new groups in AD for these.
 
It sounds like you also need to migrate your global groups
with SIDHistory.

Consider this scenario:

You have a file share on a server in the NT domain. The
permissions on the file share are provided via a local
group. The local group contains global groups from the NT
domain. The global group contains accounts from the NT
domain. The local group providing permissions on the
resource only knows about the global groups and not the
accounts. This means that when you migrate an account
that is a member of the global group it will not have
access to the resource UNLESS the global group has also
been migrated with SIDHistory.

Clearly, if you had added accounts directly into the local
group, these accounts would be able to access the resource
post-migration.

Consider migrating the global groups (with SIDHistory)
first, as you will then have the option to preserve
membership when you migrate the accounts.


Tony
www.activedir.org
 
An alternative approach is to permission the shares/files
using AD based groups (as well as NT4 groups). That way,
when the NT environment is decommissioned, you can simply
remove servers and DCs from the NT domain(s) without
having first to worry about SIDHistory, and what will fail
if the NT4 DCs are decommed etc.



Neil
 
Thanks a lot Tony and Neil! I've tested migrating some of the groups and it
works. But a lot of the old resources in NT 4 have ACLs with NT4
domain\domain users. As far as I know, this group is not possible to migrate, or is it?
How can this be fixed so the users in AD can access old resources having
permission with nt4 domain\domain users?
 
Actually, it is possible to add the SID of the Domain
Users of your NT4 domain to the SID history of the Domain
Users of the AD domain. The SID of built-in groups can be
added to the SID history of built-in groups with the same
RID (so: Domain Users can be added to Domain Users,
Domain Admins to Domain Admins, etc.).
I guess migration tools do not support this, but
clonepr.vbs (from the Support tools) should do the job, I
guess.
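
A simplified model of the access scenarios discussed in this thread, as an added example that is not part of any poster's message. All SIDs and RIDs except the well-known Domain Users RID 513 are constructed sample values, the server-side local group is collapsed into the ACL, and the same-RID check models the rule as stated in the last reply.

```python
# Simplified model of how sIDHistory on users and groups feeds an access check.
from dataclasses import dataclass, field

NT4 = "S-1-5-21-1111-2222-3333"   # constructed NT4 domain SID
AD = "S-1-5-21-4444-5555-6666"    # constructed AD domain SID

@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # global groups (Principal objects)

def token_sids(user):
    """SIDs in the token: the user's SID and sIDHistory, plus the same for each group."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids |= {group.sid, *group.sid_history}
    return sids

def has_access(user, acl_sids):
    """Allow if any token SID matches an allow entry on the resource."""
    return bool(token_sids(user) & set(acl_sids))

def rid(sid):
    return int(sid.rsplit("-", 1)[1])

def add_builtin_sid_history(target, source_sid):
    """Same-RID rule from the thread: Domain Users to Domain Users, and so on."""
    if rid(target.sid) != rid(source_sid):
        raise ValueError("source SID must carry the same RID as the target group")
    target.sid_history.append(source_sid)

def scenario():
    sales_nt4 = f"{NT4}-1105"                      # NT4 global group on a share ACL
    ad_domain_users = Principal(f"{AD}-513")       # 513 = Domain Users
    ad_sales = Principal(f"{AD}-2101")             # group not yet migrated with sIDHistory
    user = Principal(f"{AD}-3001", [f"{NT4}-1042"], [ad_domain_users, ad_sales])
    results = {}
    results["group_not_migrated"] = has_access(user, [sales_nt4])
    ad_sales.sid_history.append(sales_nt4)         # group migrated with sIDHistory
    results["group_migrated"] = has_access(user, [sales_nt4])
    results["domain_users_before"] = has_access(user, [f"{NT4}-513"])
    add_builtin_sid_history(ad_domain_users, f"{NT4}-513")
    results["domain_users_after"] = has_access(user, [f"{NT4}-513"])
    return results

if __name__ == "__main__":
    print(scenario())
```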
 