trust, sidhistory and workstation related questions

Hi,

As per discussions in earlier post, workstation criteria matters in authentication as long as there is trust from source domain to target domain and target user want to login on source domain joined workstation. However, with same trust direction (Source -> Target) if target user want to login on target domain joined workstation then trust plays no role in authentication. So as I understand correctly, workstation domain membership matters in authentication with respect to only presence of trust and trust direction criteria. So it means workstation domain membership does not matter independently. 

Related question with respect to Trust and Sidhistory

Question: 

Part1: I read Quest support article and it was mentioned that in order to migrate Sidhistory, trust is mandatory from source domain to target domain. what is the technical reason behind that? Migrating sidhistory does not need to disable sid filtering or quarantine settings of the trust at first place. Am I right?


Part 2: Suppose there is trust from source -> target. Assuming no sidhistory so If newly created target user is member of source domain local group, want to access resource (ACL with source domain local group), then I don't need to care about sid filtering or quarantine settings of the trust in this scenario. I mean there is no need to disable sid filtering or quarantine settings of the trust in this scenario. Am I right?

It means that disabling sid filtering or quarantine settings is only required incase of accessing resources using ONLY sidhistory (not target user SID) across the trust. Am I right? It means direction for a one-way trust to support sidhistory access to resources on source domain joined servers is always opposite to the trust direction. Am I right?

Looking forward to prompt reply.

Top Replies

Parents
  • Part1: I read Quest support article and it was mentioned that in order to migrate Sidhistory, trust is mandatory from source domain to target domain. what is the technical reason behind that? Migrating sidhistory does not need to disable sid filtering or quarantine settings of the trust at first place. Am I right?

    Technically, MMAD can migrate sidhistory without a trust. It just would not add any real value without a trust. The Source domain must be trusting or the target domain (trusted). Again, you don't "have to" disable sid filtering or quarantine setting. But again, then sidhistory adds not real value.  So in short the tool as write sidhistory without a trust or sidfiltering/quarantine setting, but what value does it add?

    Part 2: Suppose there is trust from source -> target. Assuming no sidhistory so If newly created target user is member of source domain local group, want to access resource (ACL with source domain local group), then I don't need to care about sid filtering or quarantine settings of the trust in this scenario. I mean there is no need to disable sid filtering or quarantine settings of the trust in this scenario. Am I right?

    Correct. Target users is a member of the source group that controls access to the resource. Access granted, no sidhistory needed. But if you move the server to the target, access will be denied. 

Reply
  • Part1: I read Quest support article and it was mentioned that in order to migrate Sidhistory, trust is mandatory from source domain to target domain. what is the technical reason behind that? Migrating sidhistory does not need to disable sid filtering or quarantine settings of the trust at first place. Am I right?

    Technically, MMAD can migrate sidhistory without a trust. It just would not add any real value without a trust. The Source domain must be trusting or the target domain (trusted). Again, you don't "have to" disable sid filtering or quarantine setting. But again, then sidhistory adds not real value.  So in short the tool as write sidhistory without a trust or sidfiltering/quarantine setting, but what value does it add?

    Part 2: Suppose there is trust from source -> target. Assuming no sidhistory so If newly created target user is member of source domain local group, want to access resource (ACL with source domain local group), then I don't need to care about sid filtering or quarantine settings of the trust in this scenario. I mean there is no need to disable sid filtering or quarantine settings of the trust in this scenario. Am I right?

    Correct. Target users is a member of the source group that controls access to the resource. Access granted, no sidhistory needed. But if you move the server to the target, access will be denied. 

Children
No Data