It is good practice to disable the source accounts at this stage and thus make sure that all users are logging on with their target accounts. We recommend that before you take this step, you wait some time to make sure that all users are already using their target accounts.
After the distributed resources and BackOffice servers have been processed, enable SID filtering between the source and the target domains.
After SID filtering is enabled, wait some time to ensure that all target users can access the resources they used before the migration. If after enabling SID filtering some users cannot access the resources, turn SID filtering off, process any skipped resources, and turn it on again.
We recommend you enable SID filtering prior to SIDHistory cleanup to verify that all resources were re-permissioned correctly and users can access resources with their target accounts not using SIDHistory.
Refer to the SID Filtering topic for the procedures on how to enable SID filtering.
SIDHistory cleanup is done by Active Directory Processing Wizard, which is started from Migration Manager.
|
CAUTION: Changes have probably been made to permissions, service accounts, group membership, etc. on resources since resource processing was last executed. We recommend you update distributed resources and BackOffice servers one more time before you clean up SIDHistory to make sure that all permissions, service accounts, and group membership are up to date. |
|
NOTE: If after SIDHistory cleanup some users cannot access the resources, SIDHistory can be re-applied back to the accounts that lost access only by re-migrating and merging the accounts. This will give you time to check whether the resources were processed correctly for these accounts, fix the problem, and clean up SIDHistory again. However, by turning on SID filtering with users losing access to resources it is much easier to disable SID filtering and process resource skipped than it is to restore SIDHistory. |
After SIDHistory is cleaned up, wait some time to ensure that all target users can access the resources they used before the migration.
Cleanup of legacy account permissions is performed by the same wizards used to update resources.
Cleanup is hard to undo, so it is recommended that you clean up permissions only when you are sure that all users are using their target accounts for all applications and have no problems accessing resources.
© ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center