Ask Microsoft: Transferring permissions during a migration

SearchWinComputing.com staff

On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Brian Puhl, senior systems engineer, Microsoft IT, and Karan Vasishth, senior director, Microsoft IT.

To submit a technical question for consideration, send an e-mail to editor@SearchWinComputing.com.

Question: We plan to migrate our Windows 2000 Active Directory domain to a new Windows Server 2003 forest/domain. Currently, I plan to use ADMT to transfer AD objects to the new domain. How can I transfer over the file permissions on my servers after transferring them to the new domain? Most permissions are assigned to domain groups. What about other types of permissions, such as registry permissions, shared printer permissions and service permissions? We've done a lot of security hardening by restricting permissions and I don't want to lose that effort.


Answer: Managing resources that have already been permissioned is one of the most difficult aspects of migrating users from one forest/domain to another. Although you're still required to touch your resources to repermission them with the new information, we have done some things to make this transition easier. Depending on the migration, and how the users are permissioned, it may be possible to leave the migrated users in the existing groups (cross-domain or forest). More likely though, you'll need to enable SID history, which will allow a user to maintain their pre-migration security identifier (SID) after the migration. SID history, used in conjunction with SID filtering to increase security, are great tools but should be tested carefully in each environment before they are used. More information is available from the Windows Server 2003 Deployment Guide. -- Brian Puhl and Karan Vasishth
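As an added example (not part of the original answer and not Microsoft's code), the PowerShell sketch below inventories the resources that would have to be touched for re-permissioning: it lists explicit ACEs on a file tree or registry subtree whose trustee SID belongs to the source domain, which are the entries that only keep working through SID history after the migration. The root path and the source domain SID are constructed placeholders; printer and service permissions are not covered.

```powershell
# Added example. The root path and domain SID below are constructed placeholders.
param(
    [string[]]$Root = @('D:\Shares'),   # hypothetical; a registry root such as 'HKLM:\SOFTWARE\Example' also works
    [string]$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)

function Get-SourceDomainAce {
    param([string]$LiteralPath, [string]$DomainSid)
    $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop
    # Explicit ACEs only: inherited entries are corrected at the parent that defines them.
    # Requesting SecurityIdentifier avoids name lookups, so unresolvable accounts still match.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # An account or group SID is the domain SID followed by "-<RID>".
        if ($sid.StartsWith("$DomainSid-", [System.StringComparison]::OrdinalIgnoreCase)) {
            $rights = if ($rule -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $rule.FileSystemRights
            } else {
                $rule.RegistryRights
            }
            [pscustomobject]@{
                Path   = Convert-Path -LiteralPath $LiteralPath
                Sid    = $sid
                Access = $rule.AccessControlType
                Rights = $rights
            }
        }
    }
}

foreach ($r in $Root) {
    # Include the root itself, then everything beneath it (hidden items too).
    $items = @(Get-Item -LiteralPath $r -Force) +
             @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            Get-SourceDomainAce -LiteralPath $item.PSPath -DomainSid $SourceDomainSid
        } catch {
            Write-Warning "Could not read ACL on $($item.PSPath): $($_.Exception.Message)"
        }
    }
}
```

Piping the output to `Export-Csv` gives a worklist of ACEs to re-permission with the new domain's groups before SID history is retired.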

