Process by ADPW

Hello,

Below are my questions:

Q1) My question is does ADPW process group membership only if source objects were members of target groups prior to the migration?

Q2) What would be possible scopes of target groups, if source objects were members of target groups prior to the migration?

Q3) Are there any other scenarios where process group membership by ADPW is applicable? Please elaborate.

Q4) What are other scenarios where I need to process by using ADPW? Please describe briefly.

Kindly reply and explain specific to above mentioned questions.

Parents
  • Whether it's ADPW or any other processing tool in QMM, the tool can only process / update an object that it "knows" about.

    Let's assume that your migration project involved migration from SOURCEDOM1 to TARGETDOM1.  Objects you migrate with migration sessions will have mapping entries in QMM's database like this:

    SOURCEDOM1\Fred --> TARGETDOM1\Fred

    So let's look at the members of domain local group in SOURCEDOM1:

    SOURCEDOM1\Fred

    DOM2\Sally

    DOM3\Michelle


    Assuming the scenario I have outlined above, ADPW will be able to update the membership of this group ONLY for SOURCEDOM1\Fred as QMM knows nothing about DOM2 and DOM3 users.

    I think now that if you understand how ADPW "thinks" that the answers to your other questions should be evident.

    One other use case for ADPW is the (relatively uncommon one) where you had delegated access on Active Directory Objects via the delegation wizard in ADUC.

    If this is the case, and if your sourcedom will continue to exist, AND you want targetdom users (and groups)  to continue to be able to manage objects there (leveraging AD delegation), then that's another good reason to run ADPW.  Likewise, if sourcedom users had been delegated access in targetdom, you would want to run ADPW there.

    In general, think about it this way:

    Anywhere in any trusting Active Directory where you may find a SOURCEDOM user or group that you migrated with QMM in an ACL or group membership, you want to run ADPW.  

  • Thanks for your reply

    You said anywhere in any trusting active directory. So as per my environment there is 2 way external trust established between source domain and target domain. Source domain will continue to exist. 

    So it means I can run ADPW in both domains (as both are trusting each other)? Does ADPW processing has anything to do with state of source domain (whether it will be exist or decommissioned)?

    So according to my environment, users have been deleted in source domain after migrated to target domain with sidhistory. Security groups have been migrated(mirrored) with sidhistory from source domain to target domain. Those source security groups still exist in source domain.

    I have difficulty to understand the fact that if groups have been migrated to target domain with equivalent to target users as members, then do I still need to run ADPW against target domain to process group membership? I mean what is the point of process group membership if membership of source group is already updated with equivalent target users as members of corresponding target group? When and under what scenario, I should process group membership by ADPW? Please explain. 

    So should I choose Replace option in ADPW to process Security Descriptors(SD) of AD objects where orphaned SIDs(deleted source user accounts) exist are placed whether it is in source domain or target domain?

    So should I choose Append option in ADPW to process Security Descriptors(SD) of AD objects where source domain user or groups(that were migrated with QMM tool) are placed whether it is in source domain or target domain?

    Is there a way to determine where and on what AD objects I need to process by ADPW without any QMM tool?

    Please suggest how should I choose(Append/Replace) and use ADPW to process SD and group membership as per above mentioned information. Shall I choose it in both domains?

    Looking forward to your explanation of above mentioned queries and scenarios.

    Thanks in advance!

    Shawn Douglas

  • - with the utmost respect, you have exceeded the threshold for the amount of free consulting *I* am prepared to provide here.  If you require further guidance, I would suggest that you contact your Quest Sales representative and ask them to put you in touch with a qualified consulting Partner or Quest's own Professional Services team.  If you are a consultant, then I would suggest you contact the Quest rep for your client's account and have them put you in touch with the Partner Architects team.

  • Everything you would every want can be found here. Support.quest.com. 

    here is a link to the ADPW documentation. support.quest.com/.../resource-processing-guide

  • I did not get answers of above questions on this documentation link.

  • That is because the documentation explains how the tool works and what the tool can do. So it covers the what and how. But the should is not a question that can be Answered here. That is what a knowledgeable consultant does and when they exist. As Johnny recommended , that is what you are looking for. 

  • Thank you

    I just need to know the explanation of my main query. Rest I will manage by with Documentation.

    I have difficulty to understand the fact that if groups have been migrated to target domain with equivalent to target users as members, then do I still need to run ADPW against target domain to process group membership? I mean what is the point of process group membership if membership of source group is already updated with equivalent target users as members of corresponding target group? When and under what scenarios, I should process group membership by ADPW? Please explain. 

    Looking forward to your co-operation.

Reply
  • Thank you

    I just need to know the explanation of my main query. Rest I will manage by with Documentation.

    I have difficulty to understand the fact that if groups have been migrated to target domain with equivalent to target users as members, then do I still need to run ADPW against target domain to process group membership? I mean what is the point of process group membership if membership of source group is already updated with equivalent target users as members of corresponding target group? When and under what scenarios, I should process group membership by ADPW? Please explain. 

    Looking forward to your co-operation.

Children
No Data