When merging or replacing security descriptors in the DACL (Discretionary Access Control List) or SACL (System Access Control List) during migration or synchronization, are the accounts (SIDs) added from the source or the target domain? Does QMM translate the accounts from the source security descriptor to the matching target accounts?
When merging or replacing security descriptors, source SIDs are added: QMM writes the source domain object's SID into the target object's security descriptor without translating it.
If you wish to update source SIDs to the target SIDs, you have to use the Active Directory Processing Wizard (ADPW) and select "Reassign Group Membership and object permissions to target users". For the best performance, select only "Process Permissions" on the "Processing Options" page. Please also note that ADPW should be used before the source domain is decommissioned. Otherwise, the source accounts will appear as unresolved SIDs when viewing permissions in the target AD.
IMPORTANT: If the Security Descriptor migration logic is set to Merge or Replace, DSA will copy all SIDs in the DACL/SACL of the AD object, regardless of whether they were migrated. As a result, many undesired object SIDs from the source may be copied into the Security Descriptors of the target AD. This does not extend to Domain Global groups, which, unlike Domain Local groups, can only exist within the scope of a single domain. Please consider this when planning the migration.
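To see which entries a merged or replaced security descriptor still carries from the source domain, the following added example (not part of QMM or of the original article) parses an SDDL string and lists every DACL and SACL ACE whose trustee SID belongs to a given domain. The function name `Find-SourceDomainAce`, the domain SIDs and the sample SDDL are constructed for illustration; the .NET classes used are Windows-only.

```powershell
# Added example: report ACEs whose trustee SID belongs to the source domain.
# Find-SourceDomainAce is a hypothetical helper name, not a QMM or AD cmdlet.
function Find-SourceDomainAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,            # security descriptor in SDDL form
        [Parameter(Mandatory)][string]$SourceDomainSid  # e.g. S-1-5-21-x-y-z of the source domain
    )
    $source = [System.Security.Principal.SecurityIdentifier]::new($SourceDomainSid)
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $acls   = @{ DACL = $sd.DiscretionaryAcl; SACL = $sd.SystemAcl }

    foreach ($name in 'DACL', 'SACL') {
        foreach ($ace in $acls[$name]) {                # a missing ACL is $null and is skipped
            $sid = $ace.SecurityIdentifier
            if ($null -eq $sid) { continue }
            # AccountDomainSid is $null for well-known SIDs such as SYSTEM or BUILTIN\*
            $domain = $sid.AccountDomainSid
            if ($null -ne $domain -and $domain.Equals($source)) {
                [pscustomobject]@{
                    Acl        = $name
                    AceType    = $ace.AceType
                    Sid        = $sid.Value
                    AccessMask = '0x{0:X8}' -f $ace.AccessMask
                }
            }
        }
    }
}

# Constructed sample: one SYSTEM ACE, one source-domain ACE, one target-domain ACE
# in the DACL, and one source-domain audit ACE in the SACL.
$sourceDomain = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed value
$targetDomain = 'S-1-5-21-1000000001-1000000002-1000000003'   # constructed value
$sampleSddl = "D:(A;;GA;;;SY)(A;;RPWP;;;$sourceDomain-1105)(A;;RPWP;;;$targetDomain-1105)" +
              "S:(AU;SA;WP;;;$sourceDomain-1130)"

# Expect two rows: the DACL ACE for RID 1105 and the SACL ACE for RID 1130,
# both carrying the source domain's SID prefix.
Find-SourceDomainAce -Sddl $sampleSddl -SourceDomainSid $sourceDomain | Format-Table -AutoSize
```

Rows reported for a target object are the untranslated source SIDs described above; they are the entries that need to be reprocessed before the source domain is decommissioned.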