When you migrate groups and users to Windows 2000/2003 or 2008, new SIDs are created for them. Because permissions on the old Windows NT servers still reference the old SIDs, the newly created users can no longer access those resources.
A new attribute named SIDHistory resolves this problem by associating the old SIDs with the new groups and users. This gives the new users access to the different resources.
The use of SIDHistory is optional and depends on your network administrator's migration strategy. In any case, its use must always be temporary.
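Because SIDHistory is meant to be temporary, it helps to inventory which objects still carry it once the migration is over. The following PowerShell is an added example, not part of IDEAL MIGRATION or of the original page. It assumes the ActiveDirectory module (RSAT) and read access to the destination domain; the function name Get-SidHistoryReport is hypothetical.

```powershell
# Added example: list every object in the destination domain that still has sIDHistory.
# Assumption: the ActiveDirectory module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory

function Get-SidHistoryReport {
    param(
        # Destination domain to inspect; defaults to the current domain.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    $localDomainSid = (Get-ADDomain -Server $Server).DomainSID.Value

    Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' `
                 -Properties sIDHistory, whenChanged |
    ForEach-Object {
        $obj = $_
        foreach ($entry in $obj.sIDHistory) {
            # The module normally returns SecurityIdentifier objects; convert raw bytes if not.
            $sid = if ($entry -is [byte[]]) {
                New-Object System.Security.Principal.SecurityIdentifier($entry, 0)
            } else { $entry }

            # AccountDomainSid is the SID without its final RID, i.e. the source domain.
            $sourceDomain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

            [pscustomobject]@{
                Name            = $obj.Name
                ObjectClass     = $obj.ObjectClass
                HistoricSid     = $sid.Value
                SourceDomainSid = $sourceDomain
                # Source and destination cannot be in the same forest, so a historic SID
                # from the destination domain itself did not come from such a migration.
                SameDomain      = ($sourceDomain -eq $localDomainSid)
                WhenChanged     = $obj.whenChanged
            }
        }
    }
}

$report = Get-SidHistoryReport

# How many historic SIDs remain per source domain (what is left to clean up).
$report | Group-Object SourceDomainSid | Select-Object Count, Name

# Entries that need review because they reference the destination domain itself.
$report | Where-Object SameDomain | Format-Table Name, ObjectClass, HistoricSid, WhenChanged
```

An empty first table means no object in the domain still depends on SIDHistory.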
Limitations to the use of SIDHistory
The use of SIDHistory requires prior verification and configuration of certain parameters, namely:
- IDEAL MIGRATION must be installed on a Windows 2000/2003 or 2008 computer.
- The user must belong to the "Domain admins" group in all managed domains (source and destination).
- Source domain:
  - Check that the TcpipClientSupport registry value is present (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TcpipClientSupport) and set it to REG_DWORD = 1. The computer must be restarted for this change to take effect.
  - Activate auditing of User and Group management: Success and Failure.
  - Create a local group whose name is the source domain's NetBIOS name with three dollar signs appended (e.g., POINTDEV$$$).
- Destination domain:
  - Activate auditing of User and Group management: Success and Failure.
- The source domain can be a Windows NT or a Windows 2000/2003 or 2008 domain.
- The destination domain must be a Windows 2000/2003/2008 domain in native mode.
- Source and destination domains cannot be in the same forest.
READ: How to enable/disable filtering for SIDHistory management