Migrate SID history with granular permissions

I've been trying to figure out for a couple of days why SID history won't migrate from source to target. I'm using the granular permissions scenario from the Granular Account Permissions document (https://support.quest.com/technical-documents/migration-manager-for-ad/8.14/granular-account-permissions/2#TOPIC-730096) but I still get insufficient access rights and the SID history is not updated in the target. I even gave the target QMM service account full control permissions on users, computers and groups on the target OU. That same service account is a domain admin in the source domain (the target domain has more stringent security requirements). 

I followed the step listed and enabled the agentless SID history script to no avail, updated the audit policies and access rights for DCs based on the info in the doc. Still everything works except SID history. What am I missing here?

  • I have got the same issue, and actually I am running Windows 2008 R2 server for both the source and target domain. I did this and it actually fixed the issue.
    Here are the steps:
    Run the commands below from a command prompt:

    netdom trust source.com /domain:target.com /enablesidhistory:yes

    netdom trust target.com /domain:source.com /enablesidhistory:yes

    netdom trust target.com /domain:source.com /quarantine:No

    netdom trust source.domain /domain:target.com /No

    After establishing the trust, you need to make sure the SIDFiltering is disabled.

    Let me know how it goes. After this, migrate a user account, or right-click on an existing user migration session and perform it again, and this time select the merge option (if you have selected the never merge skip option first).

    Hope this answers your question,
    thank you.
  • So in case anyone else runs into this problem, the fix was actually quite simple. The one thing I neglected to do was to grant the QMM service account the right to migrate SID history. This is set in ADUC at the domain level and for "this object only".
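
An audit sketch for the two settings this thread touches, added here as an example (it is not from the thread or from Quest): it lists which principals hold the "Migrate SID history" extended right on the domain object, and reports each trust's SID-filtering flags so any relaxation made for the migration can be reviewed and reverted afterwards. It assumes the RSAT ActiveDirectory module is available; the function names are hypothetical.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and a session in the domain being audited (the target domain, in this thread).
Import-Module ActiveDirectory

# rightsGuid of the Migrate-SID-History control access right in the AD schema.
$MigrateSidHistory = [guid]'ba33815a-4f93-4c76-87f3-57574bff8109'
$ExtendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Hypothetical helper: Allow ACEs on the domain head that grant "Migrate SID history".
function Get-SidHistoryMigrationAce {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    (Get-Acl -Path "AD:\$DomainDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # GenericAll (full control) includes the ExtendedRight bit, so it is caught too.
        ($_.ActiveDirectoryRights -band $ExtendedRight) -and
        # An empty ObjectType GUID means "all extended rights", which covers this one.
        ($_.ObjectType -eq $MigrateSidHistory -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ObjectType, InheritanceType, IsInherited
}

# Hypothetical helper: SID-filtering state of every trust this domain holds.
function Get-TrustSidFilterState {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware
}

# The migration service account should appear here once the right is granted;
# any other non-default principal in the list deserves a second look.
Get-SidHistoryMigrationAce | Format-Table -AutoSize

# Review after the migration: filtering relaxed for the project should not stay relaxed.
Get-TrustSidFilterState | Format-Table -AutoSize
```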