Sid History with Three domains (user accessing resource domain after user domain changed via ADMT)

    Question

  • I have the following scenario:

    Domain A (2003), Resource Domain. (forest trust to domain A)

    FolderA has a Domain local group FolderAusers used to apply permissions

    Domain B (2008 R2), user domain (forest trust to domain A, external trust to domain C)

    Universal group FolderAusers which is a member of the FolderAusers domain local group in Domain A

    Let's say we have a user called UserA who is a member of the above group and can access FolderA on the server in Domain A.

    ----

    Domain C has been introduced (external trust to domain B). UserA has been migrated to this domain using ADMT and SID history has been migrated.

    SID filtering is disabled on all trusts.

    UserA, who is now in Domain C, can access resources in Domain B fine using SID history, but they can no longer access FolderA in Domain A.

    I guess the problem here is that FolderA in domain A does not have UserA's SID on its ACL and doesn't know to check it against its group memberships.

    ----

    How can I get this configured so that UserA can access FolderA in domain A from his domain C account?

    This is part of a wider exercise, so any solution needs to be as simple as possible. The ideal would be that there is some way to force Windows to check the user's SID history against the applied security groups. I think due to organisational restrictions we won't be able to re-ACL the files in domain A.

    Thanks in advance!



    • Edited by Lordy Wednesday, January 30, 2013 9:05 PM added trust details
    Wednesday, January 30, 2013 9:03 PM

Answers

  • In addition,

    If you are using enterprise admin rights you do not need to put the user name & password with the netdom command. See below.

    Contoso.com is the trusting domain & GS is the trusted domain.

    Netdom trust contoso.com /domain:gs.com /enableSIDhistory:yes   (Forest trust)

    Netdom trust contoso.com /domain:gs.com /quarantine:No   (External trust)

    Also,

    See the below link for accessing the resource over the forest trust (AGUDLP):

    Using Group Nesting Strategy - AD Best Practices for Group Strategy

    If the problem still persists, check the resource ACL and the user object's "objectsid" & "sidhistory" attributes.

    The attribute values should be the same.

    How to check the "objectsid" & "sidhistory" attributes?

    dsquery * <UserDN> -scope base -attr objectsid    (trusting domain)

    dsquery * <UserDN> -scope base -attr sidhistory   (trusted domain)

    If you have deleted the user object from the trusting domain, don't remove the unknown entry from the ACL of that resource. Before removing it you need to be sure that the SID entry is not that user's.


    HTH
    Biswajit Biswas






    • Edited by bshwjt Monday, February 04, 2013 12:31 PM
    • Proposed as answer by bshwjt Wednesday, February 06, 2013 12:48 AM
    • Marked as answer by Cicely FengModerator Thursday, February 07, 2013 6:32 AM
    Monday, February 04, 2013 8:20 AM
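The objectsid / sidhistory check above, carried one step further: this is an added example, not code from the thread or from ADMT, and it assumes the ActiveDirectory PowerShell module, an account that can read all three domains, and placeholder DC host names, SAM names and UNC path (DomainA = resource domain, DomainB = domain of the universal group, DomainC = UserA's new domain). It reports, without changing any ACL, whether each of the user's SIDs (current plus sidHistory) appears directly on the folder ACL, directly in Domain A's domain local group, or via the Domain B universal group nested in it.

```powershell
# Added example, not code from the thread. Placeholder names below are assumptions.
Import-Module ActiveDirectory

$UserDomainDc     = 'dc1.domainc.example'     # Domain C: where UserA now lives
$UserSam          = 'UserA'
$GroupDomainDc    = 'dc1.domainb.example'     # Domain B: universal group FolderAusers
$ResourceDomainDc = 'dc1.domaina.example'     # Domain A: domain local group + FolderA
$DomainLocalGroup = 'FolderAusers'
$FolderPath       = '\\fileserver.domaina.example\FolderA'

# 1. Current SID plus sidHistory of the migrated user (the objectsid/sidhistory check).
$user     = Get-ADUser -Server $UserDomainDc -Identity $UserSam -Properties sidHistory
$userSids = @($user.SID.Value) + @($user.sidHistory | ForEach-Object { $_.Value })

# 2. Members of Domain A's domain local group. Cross-forest members are stored as
#    foreignSecurityPrincipal objects whose CN is the member's SID.
$dlGroup   = Get-ADGroup -Server $ResourceDomainDc -Identity $DomainLocalGroup -Properties member
$dlMembers = foreach ($dn in $dlGroup.member) {
    if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals') { $Matches[1] }
    else { (Get-ADObject -Server $ResourceDomainDc -Identity $dn -Properties objectSid).objectSid.Value }
}

# 3. Expand any Domain B group found among those SIDs down to its direct member SIDs.
$nestedSids = foreach ($sid in $dlMembers) {
    $g = Get-ADGroup -Server $GroupDomainDc -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
    if ($g) { Get-ADGroupMember -Server $GroupDomainDc -Identity $g | ForEach-Object { $_.SID.Value } }
}

# 4. SIDs directly on the folder ACL, read-only (no re-ACL).
$aclSids = (Get-Acl -Path $FolderPath).Access | ForEach-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }

# 5. Report where, if anywhere, each of the user's SIDs is honoured.
foreach ($sid in $userSids) {
    [pscustomobject]@{
        Sid            = $sid
        OnFolderAcl    = $aclSids    -contains $sid
        DirectDlMember = $dlMembers  -contains $sid
        ViaDomainBGrp  = $nestedSids -contains $sid
    }
}
```

A row where only the old Domain B SID shows ViaDomainBGrp = True while the new Domain C SID shows False everywhere reproduces the symptom in the question: the Domain A server only sees the new SID on the ACL check path that never reaches the sidHistory value.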

All replies

  • Hi,

    External trusts are non-transitive trusts, thus domain C won't be able to trust Domain A or vice versa. You need to create a separate external trust from Domain A to Domain C.

    Forest trusts are transitive, but only within the forest.

    regards..

    HR


    MCTS|MCSE|MCSA:Messaging|CCNA


    Thursday, January 31, 2013 6:52 AM
  • Thanks for the reply, sorry but I left out some important details.

    All three domains are in separate forests.

    I have also already tried creating a trust between Domains A and C but this does not work, I guess because Domain A does not try to compare the user's Domain C SID against the group membership of the Domain B group.

    If i can add any more details to help with this let me know.

    Thursday, January 31, 2013 12:59 PM
  • If you have set up an external trust (i.e. not a forest trust) you have to disable 'SID filter quarantining' (different from SID filtering):

    Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

    Note: For Windows 2008 /quarantine: N or Y

    EX:
    netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /Quarantine:No
    Note: please replace DomainA and DomainB with the actual domain names. The * option masks the admin password; you will be prompted to enter the DomainA admin password first and then the DomainB admin password.




    For more information:

    Disable SID filter quarantining:
    http://technet.microsoft.com/en-us/library/cc772816(v=ws.10).aspx

    How to Disabling SID Filter Quarantining & Allowing SID History:
    http://blogs.technet.com/b/csstwplatform/archive/2010/05/06/how-to-disabling-sid-filter-quarantining-allowing-sid-history.aspx


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by bshwjt Wednesday, February 06, 2013 12:48 AM
    Thursday, January 31, 2013 1:03 PM
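A read-only way to confirm the quarantine / SID history state that the netdom commands above set, across all three domains at once. This is an added example, not code from the reply or from netdom; it assumes the ActiveDirectory module, read access to each domain in the placeholder list, and decodes the trustAttributes bits documented in MS-ADTS (QUARANTINED_DOMAIN 0x04, FOREST_TRANSITIVE 0x08, TREAT_AS_EXTERNAL 0x40) rather than relying on version-dependent friendly properties.

```powershell
# Added example, not part of the thread. Domain FQDNs below are placeholders.
Import-Module ActiveDirectory

$Domains = 'domaina.example', 'domainb.example', 'domainc.example'

$QUARANTINED_DOMAIN = 0x04   # set by netdom /quarantine:Yes  (SID filter quarantining on)
$FOREST_TRANSITIVE  = 0x08   # forest trust
$TREAT_AS_EXTERNAL  = 0x40   # set by netdom /enablesidhistory:Yes on a forest trust

foreach ($domain in $Domains) {
    Get-ADTrust -Server $domain -Filter * -Properties trustAttributes | ForEach-Object {
        $attr     = [int]$_.trustAttributes
        $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
        # sidHistory values from the trusted side survive into the token only when
        # quarantine is off (external trust) or TREAT_AS_EXTERNAL is set (forest trust).
        $sidHistoryHonoured = if ($isForest) { ($attr -band $TREAT_AS_EXTERNAL) -ne 0 }
                              else           { ($attr -band $QUARANTINED_DOMAIN) -eq 0 }
        [pscustomobject]@{
            Source             = $domain
            Target             = $_.Target
            Direction          = $_.Direction
            TrustKind          = if ($isForest) { 'Forest' } else { 'External' }
            Quarantined        = ($attr -band $QUARANTINED_DOMAIN) -ne 0
            TreatAsExternal    = ($attr -band $TREAT_AS_EXTERNAL) -ne 0
            SidHistoryHonoured = $sidHistoryHonoured
        }
    }
}
```

Run it from each side of a two-way trust: the attribute is stored per trustedDomain object, so Domain A's view of the A-B trust and Domain B's view of the same trust can differ.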
  • Thanks for your reply Christoffer but quarantine is already disabled for all trusts.
    Thursday, January 31, 2013 2:43 PM
  • Hi,

    I guess you should try creating a Universal group (make the user a member of this group) in domain C and then add this group to domain A's DL group. That should work. Please make sure that Domain A has an external/forest trust with Domain C.

    Regards..

    HR


    MCTS|MCSE|MCSA:Messaging|CCNA


    • Edited by himanshu.rana Friday, February 01, 2013 7:01 AM
    • Proposed as answer by Lordy86 Friday, February 08, 2013 8:59 AM
    Friday, February 01, 2013 6:59 AM