Order of sidhistory cleanup and re-ACL

Hello,

I just want to know whether I should re-ACL the resources first and then clean up SIDHistory, or clean up SIDHistory first and then re-ACL the resources. What is the correct order of these post-migration tasks? Please explain the technical reason for the correct order.

Thanks in advance!

Shawn

  • Technologically, SIDHistory is meant to "help" you in the sense that if you want (or need) to cutover your users to using their new accounts before you re-ACL, you can usually rely on SIDHistory to keep them accessing the resources they need to work.

    So, the order is:

    1.  Re-ACL

    2. Cleanup SIDHistory.

    Beware, however, that once you do the SIDHistory cleanup, you may run into situations where users lose resource access because you missed migrating a group that was granting access.  It's a quick thing to fix (by migrating the group in question and re-ACL'ing the resource again) but it could happen.
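
A pre-cleanup check for the order given above, as an added example that is not part of the original thread: it lists ACEs that still name a source-domain SID and shows whether a migrated object carries that SID in sIDHistory. The source domain SID and the share path are constructed placeholders, and the script assumes the ActiveDirectory module is available in the target domain.

```powershell
# Added example: run after re-ACL and before clearing sIDHistory.
# Assumptions: both parameter defaults are placeholders, not values from the thread.
param(
    [string]$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333', # constructed
    [string]$Root = '\\fileserver\share'                                    # hypothetical
)

Import-Module ActiveDirectory

# 1. Map every SID still held in sIDHistory to the migrated object that carries it.
$historyOwners = @{}
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
    ForEach-Object {
        foreach ($old in $_.sIDHistory) {
            $historyOwners[$old.ToString()] = $_.sAMAccountName
        }
    }

# 2. Collect explicit ACEs under $Root that still reference a source-domain SID.
$sidType = [System.Security.Principal.SecurityIdentifier]
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    # includeExplicit = $true, includeInherited = $false: report each ACE once, where it is set
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($sid.StartsWith("$SourceDomainSid-")) {
            [pscustomobject]@{
                Path       = $folder.FullName
                Sid        = $sid
                Rights     = $ace.FileSystemRights
                # Empty means no migrated object holds this SID (group not migrated)
                MigratedAs = $historyOwners[$sid]
            }
        }
    }
}

# 3. Rows with MigratedAs set work only through sIDHistory and still need re-ACL;
#    rows with it empty point at a principal that was never migrated.
$findings | Sort-Object MigratedAs, Path | Format-Table -AutoSize
```

An empty result for a tree means no explicit ACE there depends on a source-domain SID, so clearing sIDHistory will not change access to it.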

  • I have follow-up questions on this.

    Q1: Relying on SIDHistory (before re-ACL) in order to access resources: does it have anything to do with whether the resources are in the source domain or the target domain in a post inter-forest migration scenario?

    Q2: Does it mean that SIDHistory (before re-ACL) is required in both cases, accessing source domain resources as well as target domain resources?

    Q3: If the resources have been migrated to the target domain post inter-forest migration, then can I remove all source domain local groups applied on the resource ACL, provided those source domain local groups don't contain any external trusted members (domains which are not part of the migration)?

    Q4: If the resources have been migrated to the target domain post inter-forest migration, then can I still delete those source domain local groups which contain only source domain user accounts, because as far as I know the access token of those source domain user accounts contains the SID of source domain local groups, which is not going to be crossed in the target domain?

    Kindly answer and explain specifically for the above-mentioned questions.

     

    Thanks in advance!

    Shawn


