Ask Microsoft: Transferring permissions during a migration

Experts from Microsoft's internal IT organization offer advice on how to manage previously permissioned resources during a migration from Windows 2000 to Windows Server 2003.

On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Brian Puhl, senior systems engineer, Microsoft IT, and Karan Vasishth, senior director, Microsoft IT.

To submit a technical question for consideration, send an e-mail to editor@SearchWinComputing.com .

Question: We plan to migrate our Windows 2000 Active Directory domain to a new Windows Server 2003 forest/domain. Currently, I plan to use ADMT to transfer AD objects to the new domain. How can I transfer over the file permissions on my servers after transferring them to the new domain? Most permissions are assigned to domain groups. What about other types of permissions, such as registry permissions, shared printer permissions and service permissions? We've done a lot of security hardening by restricting permissions and I don't want to lose that effort.


Answer: Managing resources that have already been permissioned is one of the most difficult aspects of migrating users from one forest/domain to another. Although you're still required to touch your resources to repermission them with the new information, we have done some things to make this transition easier. Depending on the migration, and how the users are permissioned, it may be possible to leave the migrated users in the existing groups (cross-domain or forest). More likely though, you'll need to enable SID history, which will allow a user to maintain their pre-migration security identifier (SID) after the migration. SID history, used in conjunction with SID filtering to increase security, are great tools but should be tested carefully in each environment before they are used. More information is available from the Windows Server 2003 Deployment Guide. -- Brian Puhl and Karan Vasishth

Dig deeper on Windows Server Monitoring and Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close