
Thread: Sid history permission

  1. #1
    Edmond Guest

    Sid history permission

    Hi there,

    I've got a problem with the migration from w2k to w2k3 via ADMT. After trying
    to migrate a user account from w2k to w2k3, I can't access the w2k file server
    from a w2k3 workstation. The error is "access denied". I've verified that the
    SID was already migrated to the w2k3 sid history attribute. Did I misconfigure
    anything?

    My steps:
    - set external trust between the two sites and verify/validate success
    - install admt v3 on target domain (w2k3)
    - set local security group called w2k$$$ (domain name) on source domain
    - set TcpipClientSupport in source domain registry
    - set audit enable on both domains
    - set PES service on source domain
    - migrate user account, enable user sid migrate

    Thanks for any idea.

    Edmond


  2. #2
    Tim Kalligonis Guest

    Re: Sid history permission

    Did you disable the SID filtering?

    If you go to the help in a MMC and search for "Disabling SID Filtering" you
    will find some good information. Here is a piece of it for you.

    Disabling SID Filtering

    Although it is not recommended, you can disable SID filtering for an
    external trust by using the Netdom.exe tool. You should consider disabling
    SID filtering only in the following situations:

    a. You have the same level of trust for all administrators who have
       physical access to domain controllers in the trusted domain as the
       administrators in the trusting domain.
    b. You have a strict requirement to assign universal groups to resources
       in the trusting domain that were not created in the trusted domain.
    c. Users have been migrated to the trusted domain with their SID
       histories preserved, and you want to grant them access to resources in the
       trusting domain based on the SIDHistory attribute.

    Only domain administrators can disable SID filtering. To disable SID
    filtering for the trusting domain, type the following syntax at a
    command-prompt:

    Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

    To enable SID filtering, set the /quarantine: command-line option to Yes.
    For more information about Netdom.exe, see Active Directory support tools.

    You can enable or disable SID filtering only from the trusting side of the
    trust. If the trust is a two-way trust, you can also disable SID filtering
    in the trusted domain by using the domain administrator's credentials for
    the trusted domain and reversing the TrustingDomainName and
    TrustedDomainName values in the command-line syntax.

    Notes

    a. To further secure your forest, you should consider enabling SID
       filtering on all existing external trusts that were created by domain
       controllers running Windows 2000 Service Pack 3 (or earlier). You can do
       this by using Netdom.exe to enable SID filtering on existing external
       trusts, or by recreating these external trusts from a domain controller
       running Windows Server 2003 or Windows 2000 Service Pack 4 (or later).
    b. You cannot turn off the default behavior that enables SID filtering
       for newly created external trusts.
    c. External trusts created from domain controllers running Windows 2000
       Service Pack 3 (or earlier) do not enforce SID filtering by default.
    d. Domain controllers running Windows NT Server 4.0 do not take part in
       the trust creation process when existing domain controllers in the same
       domain are running Windows 2000 or Windows Server 2003.
    e. You can enable or disable SID filtering only for trusts that extend
       beyond forest boundaries such as external and forest trusts. For more
       information about SID filtering and forest trusts, see Forest trusts.





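An added example, not part of the original posts: a PowerShell check, run in the trusting domain, that lists external trusts left with SID filtering off so they can be set back to /quarantine:Yes once the migration is finished. The bit values come from the MS-ADTS definition of trustAttributes and trustDirection; the function name, the sample rows and the domain names are constructed for illustration.

```powershell
# Added example. Bit values are from MS-ADTS; the rows in $sample are constructed.
$QUARANTINED_DOMAIN = 0x04   # set = SID filtering (quarantine) is enforced
$FOREST_TRANSITIVE  = 0x08   # forest trust: not evaluated by this check
$WITHIN_FOREST      = 0x20   # trust inside the forest: not evaluated
$DIRECTION_OUTBOUND = 0x02   # this domain is the trusting side

function Get-UnfilteredExternalTrust {
    param([Parameter(Mandatory)][object[]]$Trust)
    foreach ($t in $Trust) {
        $attr = [int]$t.trustAttributes
        $dir  = [int]$t.trustDirection
        # SID filtering is applied by the trusting side only.
        if (-not ($dir -band $DIRECTION_OUTBOUND)) { continue }
        # Keep external trusts; skip intra-forest and forest trusts.
        if ($attr -band ($WITHIN_FOREST -bor $FOREST_TRANSITIVE)) { continue }
        # Quarantine bit set means filtering is on: nothing to report.
        if ($attr -band $QUARANTINED_DOMAIN) { continue }
        [pscustomobject]@{
            TrustPartner    = $t.trustPartner
            TrustAttributes = '0x{0:X2}' -f $attr
            Finding         = 'SID filtering disabled; sIDHistory SIDs are accepted'
        }
    }
}

# Constructed sample rows (hypothetical domain names).
$sample = @(
    # External two-way trust after "/quarantine:No"
    [pscustomobject]@{ trustPartner = 'target.example';     trustDirection = 3; trustAttributes = 0x00 }
    # External outbound trust with filtering still enabled
    [pscustomobject]@{ trustPartner = 'partner.example';    trustDirection = 2; trustAttributes = 0x04 }
    # Inbound only: the other domain is the trusting side
    [pscustomobject]@{ trustPartner = 'inbound.example';    trustDirection = 1; trustAttributes = 0x00 }
    # Parent/child trust inside the forest
    [pscustomobject]@{ trustPartner = 'child.corp.example'; trustDirection = 3; trustAttributes = 0x20 }
)
Get-UnfilteredExternalTrust -Trust $sample

# On a domain controller with the ActiveDirectory module, pass real objects instead:
#   $t = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustPartner, trustDirection, trustAttributes
#   Get-UnfilteredExternalTrust -Trust $t
```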






  3. #3
    Edmond Guest

    Re: Sid history permission

    Thanks, it works. Now I can move on to the next step: migrating all file
    server folders to the new domain via sidwalk after migrating all users to
    the new w2k3 domain.



  4. #4
    Edmond Guest

    Admt agent failed to install

    Hi,

    Does anyone know what causes the error below when I start to install the
    agent in the translation security wizard?

    2008-02-11 17:19:11 The Active Directory Migration Tool Agent will be installed on w2k3svr1.w2003.local
    2008-02-11 17:19:24 CopyFile(C:\WINDOWS\ADMT\\McsVarSetMin.dll,\\w2k3svr1.w2003.local\ADMIN$\OnePointDomainAgent\McsVarSetMin.dll) rc=32 The process cannot access the file because it is being used by another process.
    2008-02-11 17:19:24 ERR2:7006 Failed to install agent on \\w2k3svr1.w2003.local, rc=32 The process cannot access the file because it is being used by another process.
    2008-02-11 17:19:24 ERR2:7678 Unable to copy files to the remote machine. hr=0x80070020. The process cannot access the file because it is being used by another process.

    Thanks.
