Hello Jeff Shahan
Q1: As per https://activedirectoryfaq.com/2016/09/domain-migration-access-denied-group-type-change/ it says to keep authorization group "domain local" in source environment. Then the types would be identic on both domains. So my question is if target equivalent migrated group is also "domain local" then how accessing resources on source domain will work for members of migrated target domain local group (having sid of source domain local group under sidhistory attribute) because access token will not be able to cross trust boundary? Access should also be working if group scope is not identical that's why changing target domain local to target global group will allow the token to cross trust boundary. Please let me know if I missed anything or did not understand correctly. Please explain the scenario mentioned on above mentioned article.
Q2: Resources resides on servers in source domain. Source domain local groups are applied in resource ACL. During migration, servers have been moved from source domain to target domain. Those source domain local groups have also been migrated to target domain without sidhistory. Scope of the migrated group in target domain is "Global". Migrated target group (scope: Global) is nested inside source domain local group. If I add newly created users (in target domain) under migrated target group(scope: Global), then will those users will be able to access resources through migrated target group membership (as sidhistory isn't migrated)? If yes, does it mean that access token of those users contains Sid of migrated target group as well as Sid of source domain local group?
Kindly answer above mentioned questions and provide explanation. Looking forward to prompt reply.
Thanks in advance!