ADPW usage question

Question

Hello Support Team, 
 I've general question related to usage of ADPW tool. 
 Question: If resource is secured with Source Domain Local groups only && Resource Server (Source domain) has been moved to Target domain, then do I still need to process Source Domain Local groups using ADPW in order to add the Target objects to the Source Domain Local groups? 
 Please answer and explain.

Jeff Shahan · Accepted Answer

To recap, the Server with the resources secured with source domain local groups has been moved to the target domain, do you need to update the membership of the source domain local groups? 
 NO. 
 Forgetting about migration for a minute. 
 
 If you were to change the domain membership of a server using source domain local groups to secure the resource, to the target domain, all domain local groups with display as SIDS for the resources. 
 If you created matching named domain local groups in the target domain, they will still be displayed as sids on the resources. (This is the same as Migration without sidhistory) 
 Now if you migrate the source domain local groups sids to the target domain Sidhistory, the groups would display as the target domain local group because of Sidhistory. 
 Now move it back to the source domain and all permissions now resolve as the source domain local groups. 
 
 So ADPW has several functions. 
 
 Updated Permissions Local Group Membership 
 Remove Sid History 
 
 support.quest.com/.../11 
 This is from the next page of the documentation 
 Generally, if you want the new users to have the same level of access as the old users after Active Directory migration, you need to run Active Directory Processing Wizard (ADPW) in all domains where the old users had specifically configured access rights. This is as good as obligatory in most Active Directory migrations, at least for the initial transition period. 
 The following are examples of activities that you may need to perform in ADPW to restore users' resource access levels: 
 Add target users to source groups This is the most common operation for ADPW. 
 So in your case, the server has been moved to the target domain, the source domain local groups no longer control access to the target joined server.

Jeff Shahan · Answer

So Network Attached Storage (NAS) hosts are normally based on some type Unix/Lynx host. So they are really not "Members" of a domain and follow MS standards. I have seen a IBM NAS only allow permissions from the joined domain. I have see NetApp only resolve sidhistory to one domain. So you will have to dig into the documentation or the support personal from Dell. 
 wagner ryan my said: Question: So Sid resolution to Security name depends on : Direction of Trust as well as domain membership of the host from where permission is checked? does it also depend on domain membership of servers where resource is hosted? How does Sid resolution to Security Principal name works if Server membership has been changed from source domain to target domain? Please explain. 
 For a Windows host yes, for a NAS server, it depends. 
 There were 3 questions in that, the above is the answer to them all. Really you should process the NAS with RUM (UI version) or VMover (command line version) to append or replace the source ACEs in the ACLs with Target groups/user. AS we have said before, SidHistory is a crutch at some point you need to remove sidhistory.

Former Member · Answer

I am glad that our products are working well in your environment. with that said, may I remind you that forums are not only answered by engineers but by other members of our community as well. and they also post questions that need answers as well. 
 Since it is organic, the response time will take up to 48 hours. I appreciate your understanding and your patience when asking the questions. We are glad to reply to your questions which will be replied to as soon as one of our engineers has an opportunity to do so. 
 have a good day and enjoy the community.

ADPW usage question

Top Replies