Migrated User Accessing Resources in Source Domain

Hi there,

I've installed Quest Migration Manager for AD using a trial license as a Proof of Concept before we look to make a purchase.

We have a two-way trust in place between the source and target domains. Here's the scenario I have and the problem I'm facing. I'm hoping it's something really simple or obvious, but I can't see the wood for the trees at the moment so am after some advice.

Source Domain - SID Filtering Disabled - SID History Enabled

netdom trust source.co.uk /D:target.co.uk /quarantine
SID filtering is not enabled for this trust. All SIDs presented in an
authentication request from this domain will be honored.

netdom trust source.co.uk /D:target.co.uk /enablesidhistory
SID history is enabled for this trust.

Target Domain - SID Filtering Enabled - SID History Disabled

netdom trust target.co.uk /D:source.co.uk /quarantine
SID filtering is enabled for this trust. Only SIDs from the trusted domain
will be accepted for authorization data returned during authentication. SIDs
from other domains will be removed.

netdom trust target.co.uk /D:source.co.uk /enablesidhistory
SID history is disabled for this trust.

I have a Windows File Server in the Source Domain, with permissions applied to an AD Group in the Source Domain of which the User user@source.co.uk is a member. I have migrated the User from Source to Target and am able to log in to a Workstation in the Target Domain using the new username and migrated password. However, I'm unable to access the folder on the File Server. If I add user@source.co.uk to the folder, it works fine, but all our permissions are done via Groups, not individual Users.

Adding user@source.co.uk and having access using user@target.co.uk proves that SID History and Filtering are working correctly, right?

Am I missing something obvious here?

I assumed, maybe wrongly, that, having migrated users, the source domain would effectively still see them as the original user via the SID History attribute and grant/deny access accordingly, including original Group membership?

If any further information is required, please let me know.

Thanks in advance.
