SID History: file server resource access via AD groups, access denied

    Question

  • Hi,

    We plan to migrate our root domain/sub domain setup to one central AD forest.

    We want to use SID history to access shares in the old forest from the new forest.

    At the moment the shares are configured:

    FileShareA:

    Domain Admins -> Full Access
    System -> Full Access
    AD Group with Users -> Change

    We did a test: we created a new user in the new forest and added the SID of a user from the source forest to the sIDHistory field...

    The source user is in many AD groups to access different shares in the source forest, but the target forest user cannot access these shares (gets "Access Denied").

    If we put the source user directly on a share without an AD group, the access works from the target user using SID history.

    Now the question is: does SID history work with AD groups on resources? I tried all scopes (Local, Global, Universal); it doesn't matter. Only when I add the user directly to the share does it work.

    Thanks

    harald

    Monday, November 21, 2016 2:27 PM

All replies

  • > AD Group with Users -> Change
     
    In your new forest, the user must be a member of a group that has the
    "old" group SID in its SID history.
     
    And be aware of token bloat :)
     
    Monday, November 21, 2016 2:45 PM
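
The group-level check the reply above describes, as an added example that is not part of the original thread: for each group the source user belongs to, it reports whether a target-forest group carries that group's SID in its sIDHistory and whether the migrated user is a member of it. Server names and account names are placeholders (assumptions); only direct memberships in the domain of each queried DC are compared, and nested groups are not expanded.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not from the thread): replace with your own values.
$SourceServer = 'dc1.source.example'   # DC in the old domain
$TargetServer = 'dc1.target.example'   # DC in the new forest
$SourceSam    = 'jdoe'                 # account in the old domain
$TargetSam    = 'jdoe'                 # migrated account in the new forest

# Escape characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$srcUser = Get-ADUser -Identity $SourceSam -Server $SourceServer
$tgtUser = Get-ADUser -Identity $TargetSam -Server $TargetServer -Properties SIDHistory

# Groups that list the user as a direct member.
$srcFilter = "(member=$(ConvertTo-LdapFilterValue $srcUser.DistinguishedName))"
$tgtFilter = "(member=$(ConvertTo-LdapFilterValue $tgtUser.DistinguishedName))"
$srcGroups = Get-ADGroup -LDAPFilter $srcFilter -Server $SourceServer
$tgtGroups = Get-ADGroup -LDAPFilter $tgtFilter -Server $TargetServer -Properties SIDHistory

# Every target group that carries any sIDHistory value.
$migratedGroups = Get-ADGroup -LDAPFilter '(sIDHistory=*)' -Server $TargetServer -Properties SIDHistory

# Old SID -> target group name: groups the user is in, and all migrated groups.
$viaMembership = @{}
foreach ($g in $tgtGroups)      { foreach ($s in $g.SIDHistory) { $viaMembership[$s.Value] = $g.Name } }
$anyTargetGroup = @{}
foreach ($g in $migratedGroups) { foreach ($s in $g.SIDHistory) { $anyTargetGroup[$s.Value] = $g.Name } }

# The user's own old SID only satisfies ACEs that name the user directly.
$userOk = @($tgtUser.SIDHistory | ForEach-Object { $_.Value }) -contains $srcUser.SID.Value
"Source user SID present in target user's sIDHistory: $userOk"

# Group ACEs need the old *group* SID, which arrives only through target group membership.
foreach ($g in $srcGroups) {
    $sid = $g.SID.Value
    if ($viaMembership.ContainsKey($sid)) {
        $status = 'OK: user is a member of the target group'
    } elseif ($anyTargetGroup.ContainsKey($sid)) {
        $status = 'Target group exists, user is not a direct member'
    } else {
        $status = 'No target group carries this SID'
    }
    [pscustomobject]@{
        SourceGroup = $g.Name
        SourceSID   = $sid
        TargetGroup = $anyTargetGroup[$sid]
        Status      = $status
    }
}
```

Each row with a status other than OK corresponds to a share ACE that will deny the migrated user, which matches the behaviour described in the question.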
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,

    Wendy



    Friday, November 25, 2016 8:05 AM
    Moderator
  • >>>Now the Question is does Sid History works with Ad Groups on Resources?

    Simple answer - Yes. Make sure SID History is enabled and SID Filtering is disabled on the domain trust.


    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA

    This posting is provided AS IS with no warranties, and confers no rights.

    Sunday, November 27, 2016 2:25 AM
    Moderator