Resource Update Manager (RUM) was used to process a workstation/server.
It has since been noticed that if, for instance, a file share was re-permissioned by RUM (with the Distributed Resource Update Manager setting "Leave source accounts' permissions" set), then checking the security permissions on the file share shows the same AD account granted permissions twice on the same resource, rather than showing the source account and the target account.
When logging back into the source domain the accounts in the security permissions are resolved as expected, one for the source domain user and one for the target domain user.
Is this behaviour normal?
Seeing two identical entries when logged into the target domain is expected. These duplicates are in fact two different accounts, the source user account and the target user account, and both have rights on the resource.
This happens because of the SID history attribute.
Microsoft confirms in KB article 307521 "An access control entry may seem to be displayed incorrectly with the SIDHistory attribute":
This can be explained as follows: when user names are queried on a machine in the target domain, the target DC is queried. It "knows" the SID of the target user and displays it as the target user name. When the SID held in SID history is looked up, the DC immediately matches it to the SID history attribute of the target account and also displays it as the target user.
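One way to tell the two entries apart from a machine in the target domain is to read the ACL by SID instead of by resolved name. The PowerShell below is an added example, not part of the original article or Quest's tooling; it assumes the ActiveDirectory (RSAT) module is available, and the share path and account name are placeholders.

```powershell
# Added example: list ACEs on a path by raw SID and label each one as the
# target account's own SID or a SID carried in that account's SID history.
Import-Module ActiveDirectory

$Path = '\\fileserver\share'   # placeholder: share that RUM re-permissioned
$User = 'jdoe'                 # placeholder: target-domain sAMAccountName

# Fetch the target account with its SID history values.
$adUser      = Get-ADUser -Identity $User -Properties SIDHistory
$primarySid  = $adUser.SID.Value
$historySids = @($adUser.SIDHistory | ForEach-Object { $_.Value })

# Request the rules keyed by SecurityIdentifier so that no name lookup
# collapses both entries into the same displayed account name.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value

    if ($sid -eq $primarySid) {
        $origin = 'target account (objectSid)'
    }
    elseif ($historySids -contains $sid) {
        $origin = 'source account (matched via SID history)'
    }
    else {
        continue   # ACE belongs to some other principal
    }

    [pscustomobject]@{
        Sid       = $sid
        Origin    = $origin
        Rights    = $rule.FileSystemRights
        Type      = $rule.AccessControlType
        Inherited = $rule.IsInherited
    }
}
```

Two rows with different SIDs but the same displayed name in the security dialog confirm that the "duplicate" is the source account's entry resolved through SID history.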
Using SID history is a temporary solution. Once the migration has been done and the transition period is over, administrators run a cleanup and remove the SID history, so all the "duplicates" will disappear.
The next step would be to run RUM again with the checkbox "Leave source accounts' permissions" unselected; this should remove the source accounts' permissions.
Quest has an article SOL16237 which contains an explanation.
Similar behavior occurs with user profiles: after a user profile has been updated, there appear to be two identical profiles on the workstation, but this is not necessarily due to SID history. In fact there is a single profile, with two registry entries for two different users pointing to the same existing profile.
IMPORTANT: if you delete one of these "duplicates" you will lose the profile; both profiles will disappear and you will not be able to recover the profile.