Process by ADPW

Hello,

Below are my questions:

Q1) My question is does ADPW process group membership only if source objects were members of target groups prior to the migration?

Q2) What would be possible scopes of target groups, if source objects were members of target groups prior to the migration?

Q3) Are there any other scenarios where process group membership by ADPW is applicable? Please elaborate.

Q4) What are other scenarios where I need to process by using ADPW? Please describe briefly.

Kindly reply and explain specific to the above-mentioned questions.

  • Whether it's ADPW or any other processing tool in QMM, the tool can only process / update an object that it "knows" about.

    Let's assume that your migration project involved migration from SOURCEDOM1 to TARGETDOM1.  Objects you migrate with migration sessions will have mapping entries in QMM's database like this:

    SOURCEDOM1\Fred --> TARGETDOM1\Fred

    So let's look at the members of domain local group in SOURCEDOM1:

    SOURCEDOM1\Fred

    DOM2\Sally

    DOM3\Michelle


    Assuming the scenario I have outlined above, ADPW will be able to update the membership of this group ONLY for SOURCEDOM1\Fred as QMM knows nothing about DOM2 and DOM3 users.

    I think that if you now understand how ADPW "thinks", the answers to your other questions should be evident.

    One other use case for ADPW is the (relatively uncommon) one where you had delegated access on Active Directory objects via the delegation wizard in ADUC.

    If this is the case, and if your sourcedom will continue to exist, AND you want targetdom users (and groups)  to continue to be able to manage objects there (leveraging AD delegation), then that's another good reason to run ADPW.  Likewise, if sourcedom users had been delegated access in targetdom, you would want to run ADPW there.

    In general, think about it this way:

    Anywhere in any trusting Active Directory where you may find a SOURCEDOM user or group that you migrated with QMM in an ACL or group membership, you want to run ADPW.  

  • If I understand the example correctly, execute ADPW against source domain and update Domain local group membership which will update only those members which had already been migrated to target domain. 

    So my question is, process group membership by ADPW is applicable on Domain Local groups only OR it can process groups of any scope?

  • Here is a simple explanation of ADPW: what use/role it has and when you need to use it.

    This depends on your migration and what other domains and forests exist. In a simple domain-to-domain inter-forest migration where there was never a trust between the domains, AND you do not migrate the SecurityDescriptors, you only need it to clean up SID history at the end of the migration. If you have trusting domains of the source domain that you plan to maintain the trust with the target domain, you will need ADPW to update the trusting domain's groups that contain source domain objects. SID history does not address this access type.
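The replies above say ADPW is needed wherever a trusting domain's groups still contain source domain objects. The following added example (not part of any reply in this thread and not Quest code) is one way to list those memberships before deciding where to run it. The domain names are placeholders, and it assumes the trusting domain sits in a different forest from the source domain.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
# Assumption: the trusting domain is in a different forest than the source domain,
# so source members of its groups are stored as foreignSecurityPrincipal objects.
Import-Module ActiveDirectory

$SourceDomain   = 'sourcedom1.example'  # placeholder for the migrated source domain
$TrustingDomain = 'trusting.example'    # placeholder for a domain that trusts it

# Every user and group SID issued by the source domain starts with its domain SID.
$sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

$fsps = Get-ADObject -Server $TrustingDomain `
    -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
    -Properties objectSid, memberOf

$report = foreach ($fsp in $fsps) {
    $sid = $fsp.objectSid.Value
    # Skip well-known SIDs and principals from other trusted domains.
    if ($sid -notlike "$sourceSid-*") { continue }

    # Resolve the SID to DOMAIN\name; fails if the account is gone or the trust is down.
    try {
        $account = $fsp.objectSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    foreach ($groupDn in $fsp.memberOf) {
        $group = Get-ADGroup -Server $TrustingDomain -Identity $groupDn
        [pscustomobject]@{
            Group      = $group.Name
            GroupScope = $group.GroupScope
            SourceSid  = $sid
            Account    = $account
        }
    }
}

# One row per (group, source member) pair that still references the source domain.
$report | Sort-Object Group, Account | Format-Table -AutoSize
```

This covers group membership only; ACL entries that reference source SIDs need a separate check.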

  • Thank you 

    As I understand correctly, ADPW is for groups in a foreign domain across a trust. It will update the membership of the group based on the existing membership and the mapping data, i.e. Source\User will be Target\User.

    But the example given by Johnny is confusing me. As per his example, he mentioned that the migration project involved migration from SOURCEDOM1 to TARGETDOM1.  Objects you migrate with migration sessions will have mapping entries in QMM's database like this:


    SOURCEDOM1\Fred --> TARGETDOM1\Fred

    So let's look at the members of domain local group in SOURCEDOM1:

    SOURCEDOM1\Fred

    DOM2\Sally

    DOM3\Michelle


    Assuming the scenario outlined above, ADPW will be able to update the membership of this group ONLY for SOURCEDOM1\Fred as QMM knows nothing about DOM2 and DOM3 users.

    So here is the confusing part. In the above example, there is no foreign domain group involved. It simply says that ADPW will update membership of the source domain local group by comparing existing membership and mapping entries in QMM's database. Kindly provide clarity on this.

    Can ADPW process only domain local group membership?

    Does he mean that if source users still exist in source domain groups even after being migrated to the target domain, then I need to execute ADPW against the source domain to update the membership of those source groups that contain those source users as members? Please comment on this.

    Requesting your last reply on this; please explain specific to the above-mentioned queries.

    Thanks in advance!

    Shawn