SS Technology Forum
Subject: Re-ACLing
rsudhakar
[*] posted on 8/16/2011 at 06:22 AM
Re-ACLing

Santhosh,
I have a user old\sudha who has \\new-svr\sudha configured as a home share (\\new-svr is part of domain "NEW"), with rights granted to the old\sudha user. I am migrating the user old\sudha to new\sudha with SID history enabled, and I am sure the user will have access, as the SID history is carried over to the new user object. My question is: when the OLD domain is decommissioned, do we need to run re-ACL on \\new-svr, or not? And what is the process for SID history cleanup? Please explain. Thanks.
Santhosh Sivarajan
[*] posted on 8/16/2011 at 08:32 AM

Hi Sudhakar, I moved your question to a new thread.

Santhosh Sivarajan, Microsoft MVP-Directory Services

http://blogs.sivarajan.com/
http://portal2.sivarajan.com
http://twitter.com/santhosh_sivara
http://www.linkedin.com/in/sivarajan

This posting is provided AS IS with no warranties,and confers no rights.
Santhosh Sivarajan
[*] posted on 8/16/2011 at 08:36 AM

>>> I have a user old\sudha who has \\new-svr\sudha as a home share configured (\\new-svr is part of domain "NEW") and granted rights to old\sudha user

Since the share is in the target domain, why can't you assign the permission using the migrated account instead of the source account?

>> here is when the OLD domain decommissioned, do we need to run re-acl on \\new-svr?
If you are using the source user account or source group, yes, you need to re-ACL the resource. You will lose access when you remove the SIDHistory.

>>> what is the process for SID history cleanup.
http://support.microsoft.com/kb/295758
rsudhakar
[*] posted on 8/16/2011 at 10:16 AM

Thanks Santhosh.
>>> I have a user old\sudha who has \\new-svr\sudha as a home share configured (\\new-svr is part of domain "NEW") and granted rights to old\sudha user

>>> Since share is in the target domain, why can't you assign permission using the migrated account instead of source account?

The server \\new-svr\sudha is not a new server; I only quoted it that way. The server and share are old and have existed for a long time in the domain called "NEW", and we granted permission to OLD\sudha. Now that the user is being migrated to the same domain as the file server, the access is intact through SID history. What happens after the domain "OLD" gets decommissioned?
Right now the share shows access granted to OLD\sudha; what happens after the domain gets decommissioned?
Santhosh Sivarajan
[*] posted on 8/16/2011 at 12:17 PM

>>> what happens after the domain "OLD" gets decommissioned.
Technically nothing, because the old SIDs are still associated with the share, and the migrated user account has SIDHistory, so the access token contains ObjectSID + SIDHistory. However, if you don't have the source domain, you will see the SID instead of the user name on the share permission.

But if you remove the SIDHistory, you will get access denied, because your access token then contains only the target ObjectSID while the share permission is granted using the source ObjectSID.

Please let me know if you need more clarification.
rsudhakar
[*] posted on 8/17/2011 at 05:52 AM

Thanks. So if I remove the source domain, the SID will be shown instead of old\sudha on the share, which is not good. So to get rid of this situation we need to run security translation, correct? Can the security translation run on a server which already exists in the NEW domain and was not migrated from the source domain, as this server was set up on the new domain itself?
Santhosh Sivarajan
[*] posted on 8/17/2011 at 07:56 AM

>>So if I remove source domain, the SID will be shown instaed of old\sudha on the share which is not good
If you remove the source domain and the share is in the target domain, the share permission will show the SID instead of the user-friendly name. The re-ACL process will replace the old user account with the new one. You can perform Security Translation even if you don't have the source domain: you can use a SID Mapping file.
http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generatio...

>>>Can the security translation run on a server which is already existing in the NEW domain which is not migrated from source domain as this server setup on the new domain itself
Technically yes. Did you manually assign the permission using the old user account?
rsudhakar
[*] posted on 8/17/2011 at 09:00 AM

Yes, I did manually assign the access to the share in the new domain to old-domain users. Since our environment is big, and we don't know how many resources in the NEW domain have been granted access to OLD domain users, we will be having this re-ACL challenge. Do you think running security translation on all file servers in the NEW domain in our environment will resolve this issue? If we use the same master workstation for re-ACL which we used for user migration, we can do security translation on NEW domain servers from it and no SID mapping file generation is needed, correct?
rsudhakar
[*] posted on 8/17/2011 at 09:20 AM

I did a re-ACL of one of the file servers where we had access granted to OLD\sudha, and this ID is now migrated to the NEW domain. But the ACL of the share still shows OLD\sudha. When I ran the security translation, I chose the "Files & folders" and "Shares" check boxes and nothing else. The log showed no changes done, but the agent sent the txt file for SID with the user I migrated. No idea what's happening.
Santhosh Sivarajan
[*] posted on 8/17/2011 at 09:40 AM

Did you migrate this user, OLD\sudha, using ADMT? And did you select the "Add" option?
rsudhakar
[*] posted on 8/17/2011 at 09:45 AM

Yes, it did. The user NEW\Sudha did carry the SID from OLD, added to its SIDHistory attribute. Also, this is an intra-forest migration, so by default the SID transfer is checked and greyed out. SID History shows below:
sidHistory: S-1-5-21-3170837208-2782547099-45686881-6174
Santhosh Sivarajan
[*] posted on 8/17/2011 at 11:13 AM

Try to perform Security Translation using a SID Mapping File. You can create this manually using the SID and user name.
http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generatio...

Use the following entry in the SID mapping file.
1-5-21-3170837208-2782547099-45686881-6174, NEW\Sudha
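As an added example (not code from this thread, and not ADMT's own tooling), the following PowerShell audit ties together the access-token explanation earlier in the thread and the SID mapping file above: it reads the NTFS ACL on a folder, resolves each ACE against the target domain's objectSid and sidHistory values, flags ACEs that work only through SIDHistory (and so break once SIDHistory is cleaned up), and writes ADMT-style mapping lines for them. It assumes the ActiveDirectory PowerShell module is available; $Path and $MappingFile are hypothetical values, and the mapping-line format "<source SID>, <DOMAIN>\<account>" follows the entry shown above.

```powershell
# Added example: audit an NTFS ACL for ACEs that depend on SIDHistory and
# emit SID-mapping lines for ADMT security translation. Not from the thread.
param(
    [string]$Path        = 'D:\Temp\sudha',   # hypothetical: folder behind \\new-svr\sudha
    [string]$MappingFile = '.\sidmap.txt'     # hypothetical output file
)
Import-Module ActiveDirectory

$netbios      = (Get-ADDomain).NetBIOSName
$byObjectSid  = @{}   # SID string -> DOMAIN\account (the account's current SID)
$bySidHistory = @{}   # SID string -> DOMAIN\account (old SID carried in sidHistory)

# Index every user and group in the target domain by both SID kinds.
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
             -Properties objectSid, sidHistory, sAMAccountName |
  ForEach-Object {
    $account = "$netbios\$($_.sAMAccountName)"
    $byObjectSid[$_.objectSid.Value] = $account
    foreach ($old in $_.sidHistory) { $bySidHistory[$old.Value] = $account }
  }

$mapping = @()
foreach ($ace in (Get-Acl -Path $Path).Access) {
    # The ACL stores a SID; Windows shows a name only while the SID still translates.
    try {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "$($ace.IdentityReference): cannot be translated to a SID, skipping"
        continue
    }

    if ($byObjectSid.ContainsKey($sid)) {
        Write-Output "OK      $sid -> $($byObjectSid[$sid]) (granted to the account's own SID)"
    }
    elseif ($bySidHistory.ContainsKey($sid)) {
        # The token only matches this ACE through sidHistory; access is lost when
        # sidHistory is removed, so queue the ACE for re-ACL via the mapping file.
        $target = $bySidHistory[$sid]
        Write-Output "RE-ACL  $sid -> $target (works via sidHistory only)"
        $mapping += "$sid, $target"
    }
    else {
        Write-Output "ORPHAN  $sid (no account in this domain; source domain gone?)"
    }
}

if ($mapping) { Set-Content -Path $MappingFile -Value $mapping }
```

Note that this reads the NTFS ACL, whereas the rmtshare output later in the thread shows share-level permissions; on Windows Server 2012 or later the same classification can be applied to the output of Get-SmbShareAccess.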
rsudhakar
[*] posted on 8/17/2011 at 03:09 PM

Hmm, interesting, Santhosh. This is an intra-forest migration from domain "OLD" to domain "NEW", where the user OLD\sudha has his home share on \\new-svr\sudha, which is in domain "NEW". I used ADMT 2.0 to migrate the user, which worked without any issues; the source account automatically vanished and a new account was created in domain "NEW". I kept checking the home share permission using the rmtshare command against the share and witnessed that it changed automatically after at least 15 minutes.

So, is there no need to worry about re-ACL for this scenario, if the resource is already in the new domain and had access granted to the old domain? It is a Windows 2003 forest, and the forest and domain functional levels are 2003.

H:\Tools>rmtshare \\new-svr\sudha
Share name \\new-svr\sudha
Path D:\Temp\sudha
Remark
Maximum users No limit
Users 0
Permissions:
OLD\sudha : CHANGE
The command completed successfully.

H:\Tools>rmtshare \\new-svr\sudha
Share name \\new-svr\sudha
Path D:\Temp\sudha
Remark
Maximum users No limit
Users 0
Permissions:
NEW\sudha : CHANGE
The command completed successfully.
rsudhakar
[*] posted on 8/17/2011 at 03:11 PM

But if I go to the server \\new-svr and check the ACL for the share, it shows OLD\sudha only. No idea.
Santhosh Sivarajan
[*] posted on 8/17/2011 at 04:35 PM

The key point here is "intra-forest" migration.
>>source account automatically vanished and new account created on domain "NEW".
Yes, that is part of an "intra-forest" migration. It is a move operation, not a copy.

Sometimes you will see the migrated account name due to SID translation. If you are really seeing the NEW user name, you don't need to perform Security Translation. Validate this first.
Santhosh Sivarajan
[*] posted on 8/17/2011 at 04:36 PM

>> But, if I go to the server \\new-svr and check the ACL for the share, it shows as OLD\sudha only. No idea.
Yes. It is the SID translation, not the actual target account.

Try this command from a source, non-migrated computer. You will only see the source account info.
rsudhakar
[*] posted on 8/17/2011 at 08:44 PM

Even the subinacl command shows new\sudha granted for \\new-svr\sudha.
Santhosh Sivarajan
[*] posted on 8/18/2011 at 12:40 PM

Try that command from a non-migrated source server. As I mentioned, it could be due to SID translation. I am not sure.
rsudhakar
[*] posted on 8/18/2011 at 01:33 PM

I ran the rmtshare command from the source DC against this share, \\new-svr\sudha, and it shows that NEW\sudha has access to the share.
Santhosh Sivarajan
[*] posted on 8/18/2011 at 02:31 PM

Not sure. If you are not seeing any issues, you can leave it there.
rsudhakar
[*] posted on 8/18/2011 at 03:18 PM

Yeah. I will know how this behaves when I decommission the OLD domain. Let's see. We are planning to do the intra-forest migration soon, and that's what the testing is for. We have users and desktops that need to be migrated to the new domain in the same forest. Computer migration is smooth, no issues. We are checking this user migration, group migrations, and the ACLs of resources. Thanks for your inputs, Santhosh.
Santhosh Sivarajan
[*] posted on 8/19/2011 at 01:38 PM

You don't have to shut down the source domain to test this. You can disable the "Network access: Allow anonymous SID/Name translation" setting in the Domain Controllers GPO.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

If the account is from the source domain, you will see the SID instead of the user name.
rsudhakar
[*] posted on 9/6/2011 at 11:28 AM

Santhosh, can you check and advise me whether we need to do re-ACL on resources for the following scenario?
Domain A has resources and users, Domain B has some users, and both domains are in the same forest, called "NET". We are planning to migrate Domain B to Domain A, so this is an intra-forest migration. Do we need to run re-ACL on all resources/servers in Domain A?
Santhosh Sivarajan
[*] posted on 9/6/2011 at 12:18 PM

In general, yes. The permission is associated with domaina\usera; you need to change (re-ACL) it to domainb\usera.
rsudhakar
[*] posted on 9/6/2011 at 12:34 PM

I ran re-ACL using ADMT on a server in Domain A, but it didn't find any changes to be applied. I used the same ADMT to migrate the user from Domain B to Domain A who has been granted access to the share on a server in Domain A. As I mentioned earlier, the access list on the server automatically changed to Domain B, but some tools don't reflect the same.