I have recently completed the migration of users from a mixture of NT and Novell Directory Services (NDS) to Active Directory (AD). It has been reported that some users are being prompted for authentication when attempting to access intranet resources. On investigating the migrated Global Groups, which govern access to the intranet resources, it has been found that all the users are displayed as grayed-out users -- these user accounts are active/enabled and being used to log into the Win2k domain. Any ideas?
This may be a ramification of the migration. When moving to AD, depending on what tool you used, the resulting groups and users have SIDHistory Attributes added. This means that the old NT SID is actually attached to the group or users as another group or user membership. When you examine the group or user in an Access Control List (ACL), like on a file, you will see the name of the Windows 2000 group -- but it really may be the NT 4.0 SID that is in the group. Post-migration, you need to ensure that all group memberships and ACLs are cleaned up and reference the appropriate user account. Then, using ADSI Edit, you can search for the SIDHistory attribute in the user/group objects and remove it. The deployment guide from the resource kit and the Microsoft Training Kit for the Migration Text (I believe it is 70-222) also has this information.
This Content Component encountered an error
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.