How is access granted via a source domain local group in a target domain resource permission ACL (via migrated group membership, via sidHistory, or both), and how exactly is the access check performed?

Hello,

I have a source domain local group applied on a resource ACL. The resource has been migrated to a target domain server along with its ACL permissions as-is. The source domain local group has also been migrated to the target domain using sidHistory, and its scope has been converted to Global group in the target domain. This migrated global group (having the SID of the source domain local group in its sidHistory attribute) is nested inside the source domain local group as well. So if I add a newly created user to the migrated global group, the user is able to access the resource.

So my question is how access is granted to the user, because the source domain local group will not be recognized in the target domain (as its authorization scope is limited to the domain where it was created)?

Is this because the SID of the source domain local group in the sidHistory attribute, carried in the user's token, is compared to the source domain local group applied on the resource ACL? But how will the source domain local group be recognized during the access check (given that its authorization scope is limited to the source domain only)?

OR

Is this because the migrated global group is nested inside the source domain local group which is applied on the resource ACL? Is the access check performed against the migrated global group directly, ignoring the source domain local group? Is the access check also performed against a nested group which is not directly applied on the resource ACL?

Kindly answer and explain technically, specific to the points mentioned in the above scenario. Please also explain how exactly the access check is performed in this scenario, or in general.

  • I have been trying to get both you and   to stop talking about tokens. That is just making this harder to understand.

    Target Server
    Target Server has a resource with the SID of S-1-5-21-1-1-1-1001 with target global group as a member with a SID of S-1-5-21-2-2-2-1004. The target user is a member of a global group with a SID of S-1-5-21-2-2-2-1004 and with sidHistory of S-1-5-21-1-1-1-1001. Access is granted. The global group being a member of the source domain local group plays no role in accessing this object.

    Target Server no sid history
    Target Server has a resource with the SID of S-1-5-21-1-1-1-1001 with target global group as a member with a SID of S-1-5-21-2-2-2-1004. The target user is a member of a global group with a SID of S-1-5-21-2-2-2-1004. Access is denied. The domain local group exists in the source and the server is a member of the target. The source domain local group membership is never evaluated.

    Target Server AND No group scope change AND no sid history
    Target Server has a resource with the SID of S-1-5-21-1-1-1-1001 on ACL. The target user is a member of a target domain local group with a SID of S-1-5-21-2-2-2-1004 and with sidHistory of S-1-5-21-1-1-1-1001. Access is granted. The target domain local group membership sidHistory grants the access. Source users that remain in the source will NOT have access, as the source domain local group membership does not cross the trust boundary. Resolution: only move the source servers to the target after all users are migrated.

    Source Server
    Source Server has a resource with the SID of S-1-5-21-1-1-1-1001 on ACL. The source domain has a local group with a SID of S-1-5-21-1-1-1-1001 with the target domain global group as a member with a SID of S-1-5-21-2-2-2-1004. The target user is a member of a global group with a SID of S-1-5-21-2-2-2-1004 and with sidHistory of S-1-5-21-1-1-1-1001. Access is granted. As you can see, access is granted by both the sidHistory of the target domain global group AND the target global group membership in the source domain local group.

    Source Server AND no sidhistory
    Source Server has a resource with the SID of S-1-5-21-1-1-1-1001 on ACL. The source domain has a local group with a SID of S-1-5-21-1-1-1-1001 with the target domain global group as a member with a SID of S-1-5-21-2-2-2-1004. The target user is a member of a global group with a SID of S-1-5-21-2-2-2-1004. Access is granted. As you can see, access is granted by the target domain global group membership in the source domain local group.

    Source Server AND No group scope change AND no sidhistory
    Source Server has a resource with the SID of S-1-5-21-1-1-1-1001 on ACL. The source domain has a local group with a SID of S-1-5-21-1-1-1-1001. The target user is a member of a target domain local group with a SID of S-1-5-21-2-2-2-1004. Access is denied. The domain local group membership does not pass the trust boundary. Resolution: process the source domain local group with QMM AD's Active Directory Processing Wizard to append the target users as members of the source groups.

    Source Server AND No group scope change w/sidhistory
    Source Server has a resource with the SID of S-1-5-21-1-1-1-1001 on ACL. The source domain has a local group with a SID of S-1-5-21-1-1-1-1001. The target user is a member of a target domain local group with a SID of S-1-5-21-2-2-2-1004 with the sidHistory of S-1-5-21-1-1-1-1001. Access is denied. The domain local group membership does not pass the trust boundary. Resolution: process the source domain local group with QMM AD's Active Directory Processing Wizard to append the target users as members of the source groups.
