P+F : IDEAL Administration | IDEAL Dispatch | IDEAL Remote | IDEAL Migration | IDEAL Alerter | IDEAL Secure


FAQ : IDEAL Administration

Administración centralizada de dominios de Windows Active Directory y grupos de trabajo

Windows Active Directory object and security (ACL) migration

How to manage the SIDHistory attribute?

I wish transfer the old user and group SID during the migration with your IDEAL Migration tool. Like this, the migrated users will access to the old domain resources.

To do this, I want use the "SIDHistory" attribute.

How can this work? and is there some limitations?

When you migrate groups and users to Windows 2000/2003/2008/2012/2016 or 2019, new SIDs are created, and of course these newly created users can no longer access the resources on the old Windows Domain.

An new attribute named SIDHistory enables this problem to be resolved by associating the old SIDs with the new groups and users. This gives the new users access to the different resources.

The use of SIDHistory is optional and depends on your network administrator's migration strategy. In any case, its use must always be temporary.

Limitations to the use of SIDHistory

The use of SIDHistory requires prior verification and configuration of certain parameters, namely:

  • Configure the SID History dialog box in IDEAL Migration, only if your source domain is Windows 2000 or higher:
    • Use the right click on "IDEAL Migration on ...", then "Configuration", and last select "SID History" tab.
    • Fill all the asked information for the source and target domains.
  • IDEAL MIGRATION must be installed on a Windows 2000, Windows 2003, Windows 2008 or Windows 2012 server.
  • The user must belong to the "Domain admins" group in all managed domains (source and destination).
  • Source domain:
    • Check that the TcpipClientSupport key is present in the (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TcpipClientSupport) registry and set its value to REG_DWORD = 1. This requires the computer to be restarted in order for it to be taken into account.
    • Activate auditing of User and Group management: Success and Failure.
    • Create a local group whose name is the source domain's NetBIOS name with three dollar Signs appended (e.g., POINTDEV$$$)
  • Destination domain:
    • Activate auditing of User and Group management: Success and Failure.
  • The source domain can be a Windows NT or a Windows 2000, Windows 2003, Windows 2008 or 2012 domain.
  • The destination domain must be a Windows 2000, 2003, 2008 or 2012 domain in native mode.
  • Source and destination domains cannot be in the same forest.

READ: How to enable/disable filtering for SIDHistory management

 
También afecta al software siguiente: IDEAL Migration
Última modificación: 10/09/2019

Anterior
    
Siguiente

Back to the list of FAQs

 

Volver al principio de la página