On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Brian Puhl, senior systems engineer, Microsoft IT, and Karan Vasishth, senior director, Microsoft IT.
To submit a technical question for consideration, send an e-mail to
Question: We plan to migrate our Windows 2000 Active Directory domain to a new Windows Server 2003 forest/domain. Currently, I plan to use ADMT to transfer AD objects to the new domain. How can I transfer over the file permissions on my servers after transferring them to the new domain? Most permissions are assigned to domain groups. What about other types of permissions, such as registry permissions, shared printer permissions and service permissions? We've done a lot of security hardening by restricting permissions and I don't want to lose that effort.
Answer: Managing resources that have already been permissioned is one of the most difficult aspects of migrating users from one forest/domain to another. Although you're still required to touch your resources to repermission them with the new information, we have done some things to make this transition easier. Depending on the migration, and how the users are permissioned, it may be possible to leave the migrated users in the existing groups (cross-domain or forest). More likely though, you'll need to enable SID history, which will allow a user to maintain their pre-migration security identifier (SID) after the migration. SID history and SID filtering, used in conjunction to increase security, are great tools but should be tested carefully in each environment before they are used. More information is available from the Windows Server 2003 Deployment Guide. -- Brian Puhl and Karan Vasishth
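The answer's point that file permissions keep referencing pre-migration SIDs, and work after the move only while SID history resolves them, can be checked with a script like the one below. It is an added example, not code from the column or from Microsoft IT; it assumes the RSAT ActiveDirectory module is installed, and the share path and old domain SID are supplied as parameters (the values shown in comments are placeholders).

```powershell
# Added example, not from the column. Lists explicit ACEs under $Path that still
# grant or deny access to principals of the old (source) domain, and whether a
# migrated object in the new domain carries that SID in its sIDHistory.
# Assumes the RSAT ActiveDirectory module; $Path and $OldDomainSid are inputs.
param(
    [Parameter(Mandatory)] [string] $Path,          # e.g. \\fileserver\share (placeholder)
    [Parameter(Mandatory)] [string] $OldDomainSid   # e.g. S-1-5-21-<old domain> (placeholder)
)
Import-Module ActiveDirectory

# Map every SID recorded in sIDHistory to the name of the migrated object that owns it.
$historyMap = @{}
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    $obj = $_
    foreach ($oldSid in $obj.sIDHistory) {
        # The module normally returns SecurityIdentifier objects; handle raw bytes too.
        if ($oldSid -isnot [System.Security.Principal.SecurityIdentifier]) {
            $oldSid = New-Object System.Security.Principal.SecurityIdentifier($oldSid, 0)
        }
        $historyMap[$oldSid.Value] = $obj.Name
    }
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -Path $item.FullName } catch { continue }
    # Explicit ACEs only: inherited entries are repaired by fixing their parent.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference
        # Well-known SIDs (Everyone, SYSTEM, ...) have no account domain; skip them.
        if ($null -eq $sid.AccountDomainSid) { continue }
        if ($sid.AccountDomainSid.Value -ne $OldDomainSid) { continue }
        # 'ORPHANED' means no migrated object claims this SID, so the ACE resolves
        # nothing today and will stay dead after SID history is cleaned up.
        $mapped = if ($historyMap.ContainsKey($sid.Value)) { $historyMap[$sid.Value] } else { 'ORPHANED' }
        [pscustomobject]@{
            Path     = $item.FullName
            OldSid   = $sid.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            MappedTo = $mapped
        }
    }
}
```

The same Get-Acl/GetAccessRules loop works against registry keys through the Registry provider (for example a `Registry::HKEY_LOCAL_MACHINE\...` path), which covers the registry permissions the question also asks about; there the rule objects expose RegistryRights instead of FileSystemRights.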