Description
SID History is an attribute of an Active Directory object. When an object is migrated from one domain to another, a new SID is assigned to the migrated object, and the SID History attribute (a multivalued container) stores all of the object's previous SIDs.
Scenario:
ScriptLogic\jbrown has access to the techsupport share on prod.scriptlogic.com. He is subsequently migrated to quest.com and given a new SID. There is a Transitive Trust between scriptlogic.com and quest.com, but if the ADMT Security Translation Wizard was not used to migrate the profile, quest\jbrown will receive access denied when he tries to access the techsupport share on prod.scriptlogic.com.
Resources in each domain resolve their ACLs to SIDs and then check for matches between those ACLs and the SIDs in the user's access token when granting or denying access. If the user's current SID does not match, the SID History is checked; if a historical SID matches, access to the resource is granted or denied according to the access specified in the ACL.
Best Practice:
Microsoft recommends using local groups to manage permissions on a server, then adding the global group to the local groups in the Discretionary Access Control List (DACL).
SID History Option:
If the SID History option was enabled when migrating local groups with Secure Copy, the ACL for the local group on the new domain is updated with the previous SIDs and the SID History is cleared.
Assisting Other Migration Tools:
Assuming the global groups were previously migrated with the user, when he logs on to the new domain both the new SID and the original SID from the SID History attribute are added to the user's access token, and together they determine the user's local group memberships. The SIDs of the groups in which the user is a member are then added to the access token, together with the SID History of those groups.
In a perfect world the Active Directory Migration Tool (ADMT) would handle the Security Translation when migrating the profiles, so it would not be necessary to use the SID History option in Secure Copy.
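The token-building and access-check behaviour described above, as an added model (not code from the article or from Secure Copy): the user's token carries the current SID plus every sidHistory entry, group membership is resolved against all of them, each matched group contributes its own SID and sidHistory, and the ACL is then evaluated against the full token. All SIDs, names and the ACLs are constructed placeholders; the ACE ordering assumes the usual canonical layout with deny entries before allow entries.

```python
# Added example: a minimal model of a Windows access check that honours SID History.
# The SIDs and principals below are constructed placeholders, not real directory data.
from dataclasses import dataclass, field


@dataclass
class Principal:
    sid: str                                    # current SID in the new domain
    sid_history: list = field(default_factory=list)   # SIDs carried over from the old domain
    members: set = field(default_factory=set)   # member SIDs (only meaningful for groups)


def build_token(user: Principal, groups: list) -> set:
    """Return the set of SIDs placed in the user's access token."""
    token = {user.sid, *user.sid_history}       # new SID plus every historical SID
    for g in groups:
        # Membership matches on any SID the user carries, old ones included
        if token & g.members:
            token |= {g.sid, *g.sid_history}    # group SID plus the group's own history
    return token


def access_check(token: set, acl: list) -> bool:
    """acl is a list of (ace_type, sid) in canonical order: deny ACEs before allow ACEs."""
    for ace_type, sid in acl:
        if sid in token:                        # first ACE naming a SID in the token decides
            return ace_type == "allow"
    return False                                # no matching ACE means implicit deny


# Constructed scenario: jbrown and the techsupport global group were migrated
# from the old domain (S-1-5-21-1111-...) to the new domain (S-1-5-21-2222-...).
OLD_JBROWN, NEW_JBROWN = "S-1-5-21-1111-1001", "S-1-5-21-2222-2001"
OLD_TECHSUPPORT, NEW_TECHSUPPORT = "S-1-5-21-1111-1500", "S-1-5-21-2222-2500"

ACL_DIRECT_OLD_USER = [("allow", OLD_JBROWN)]        # share ACE still names the old user SID
ACL_OLD_GROUP = [("allow", OLD_TECHSUPPORT)]         # share ACE still names the old group SID


def check(acl: list, user_history: bool = True, group_history: bool = True) -> bool:
    """Run the access check with or without SID History on the user and the group."""
    jbrown = Principal(NEW_JBROWN, [OLD_JBROWN] if user_history else [])
    techsupport = Principal(NEW_TECHSUPPORT,
                            [OLD_TECHSUPPORT] if group_history else [],
                            {NEW_JBROWN})           # membership already points at the new SID
    return access_check(build_token(jbrown, [techsupport]), acl)


if __name__ == "__main__":
    print("old user SID in ACL, with history:", check(ACL_DIRECT_OLD_USER))
    print("old user SID in ACL, no history:", check(ACL_DIRECT_OLD_USER, user_history=False))
    print("old group SID in ACL, with history:", check(ACL_OLD_GROUP))
    print("old group SID in ACL, no history:", check(ACL_OLD_GROUP, group_history=False))
```

The two "no history" cases reproduce the access-denied result from the scenario above, which is what the SID History option or ADMT security translation is there to avoid.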