windows-nt/Source/XPSP1/NT/admin/admt/documents/help-ms/conceptsecuritytranslationissues.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
                      "http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">
<HEAD>
<TITLE>Security identifier (SID) translation</TITLE>
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">  
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>

<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
<META NAME="MS-HAID" CONTENT="a_ConceptSecurityTranslationIssues"> 
</HEAD>
<BODY>


<H1>Security identifier (SID) translation</H1>

<P>Access to network resources (printers, files, folders, and shares) is protected by access control lists (ACLs) contained in <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SecurityDescriptor"> security descriptors</A> associated with each resource. Active Directory Migration Tool can change security descriptors that reference a user account or a group in a <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A> to reference another user account or group in a <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domain</A>.</P>

<P>For example, when you migrate a user account or group from domain A to domain B, a new account is created (cloned) in domain B. This new account can have the same name as the original account in domain A, but this new account has a different security identifier. Active Directory Migration Tool changes the security descriptors for various resources to refer to the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SID">SID</A> for the new account in domain B. This process ensures the new user account or group provides the same access to resources that the original user account or group provided. The process of changing the security descriptors is called security translation, which is performed by the Security Translation Wizard.</P>

<P class="note">Note</P>
<UL>

<LI>If Active Directory Migration Tool finds a SID from the source domain that it cannot resolve, such as a SID for a user account that does not have a matching user account in the target domain, the tool leaves the SID unchanged.</LI>
</UL>

<P>The security on resources does not need to be translated before the source account is deleted. However, for cosmetic reasons, you will most likely want to translate security before deleting the source account. Once the source account is gone, the resource will no longer be able to resolve the SID to a name and the security properties will show as &quot;account unknown&quot;. The access will still work, but you can't resolve the SID name. If you upgrade the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domain</A> to Windows&nbsp;2000, Windows&nbsp;2000 will be able to detect the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SIDHistory">SID History</A> and resolve the name properly. So, over time, you will want to manually clean up SID History and grant access to the new <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SecurityPrincipal"> security principals</A>.</P>

<P>Windows&nbsp;2000 only recognizes the first 30 entries in registry key access control lists. If security translation is performed in <B>Add</B> mode, then more than 30 entries can exist at the end of the process. The large number of access control entries on certain registry keys might result in users being locked out of the affected system.</P>

<P>To prevent this problem, if the wizard encounters an access control list with more than 15 access control entries while running in <B>Add</B> mode, then the registry keys will be skipped by the system registry security translation process. This will not occur if the security translation is run in <B>Replace</B> or <B>Remove</B> mode. It is also not a problem if you have not manually changed any registry key access control list entries on the affected systems. </P>  

<H2>Exchange directory translation</H2>

<P>Active Directory Migration Tool can also change the security descriptors for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, as well as the primary Windows&nbsp;NT or Windows&nbsp;2000 account for each mailbox to reflect the SID for the new security principal in the target domain. This process ensures that the new security principal has the same access to resources and Exchange components as the original. </P>

<P>To translate Exchange security, you must install Microsoft Exchange Administrator on a computer running Active Directory Migration Tool. If you want to translate Exchange security for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, the account credentials you specify during the translation process must be a Permissions Admin in the Exchange site of the specified Exchange server.</P>

<P>For more information about security descriptors, SIDs, and general security issues, see <A HREF="conceptdommigsecurityissues.htm">Understanding security</A>.</P>

</BODY>
</HTML>
Add source files 2020-09-26 03:20:57 -05:00			`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"`
			`"http://www.w3.org/TR/REC-html40/strict.dtd">`
			`<HTML DIR="LTR">`
			`<HEAD>`
			`<TITLE>Security identifier (SID) translation</TITLE>`
			`<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">`
			`<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">`
			`<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>`

			`<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">`
			`<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>`
			`<META NAME="MS.LOCALE" CONTENT="EN-US">`
			`<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">`
			`<META NAME="MS-HAID" CONTENT="a_ConceptSecurityTranslationIssues">`
			`</HEAD>`
			`<BODY>`


			`<H1>Security identifier (SID) translation</H1>`

			<P>Access to network resources (printers, files, folders, and shares) is protected by access control lists (ACLs) contained in <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SecurityDescriptor"> security descriptors</A> associated with each resource. Active Directory Migration Tool can change security descriptors that reference a user account or a group in a <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A> to reference another user account or group in a <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domain</A>.</P>

			<P>For example, when you migrate a user account or group from domain A to domain B, a new account is created (cloned) in domain B. This new account can have the same name as the original account in domain A, but this new account has a different security identifier. Active Directory Migration Tool changes the security descriptors for various resources to refer to the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SID">SID</A> for the new account in domain B. This process ensures the new user account or group provides the same access to resources that the original user account or group provided. The process of changing the security descriptors is called security translation, which is performed by the Security Translation Wizard.</P>

			`<P class="note">Note</P>`
			`<UL>`

			`<LI>If Active Directory Migration Tool finds a SID from the source domain that it cannot resolve, such as a SID for a user account that does not have a matching user account in the target domain, the tool leaves the SID unchanged.</LI>`
			`</UL>`

			<P>The security on resources does not need to be translated before the source account is deleted. However, for cosmetic reasons, you will most likely want to translate security before deleting the source account. Once the source account is gone, the resource will no longer be able to resolve the SID to a name and the security properties will show as "account unknown". The access will still work, but you can't resolve the SID name. If you upgrade the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=ResourceDomain">resource domain</A> to Windows 2000, Windows 2000 will be able to detect the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SIDHistory">SID History</A> and resolve the name properly. So, over time, you will want to manually clean up SID History and grant access to the new <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SecurityPrincipal"> security principals</A>.</P>

			`<P>Windows 2000 only recognizes the first 30 entries in registry key access control lists. If security translation is performed in <B>Add</B> mode, then more than 30 entries can exist at the end of the process. The large number of access control entries on certain registry keys might result in users being locked out of the affected system.</P>`

			`<P>To prevent this problem, if the wizard encounters an access control list with more than 15 access control entries while running in <B>Add</B> mode, then the registry keys will be skipped by the system registry security translation process. This will not occur if the security translation is run in <B>Replace</B> or <B>Remove</B> mode. It is also not a problem if you have not manually changed any registry key access control list entries on the affected systems. </P>`

			`<H2>Exchange directory translation</H2>`

			`<P>Active Directory Migration Tool can also change the security descriptors for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, as well as the primary Windows NT or Windows 2000 account for each mailbox to reflect the SID for the new security principal in the target domain. This process ensures that the new security principal has the same access to resources and Exchange components as the original. </P>`

			`<P>To translate Exchange security, you must install Microsoft Exchange Administrator on a computer running Active Directory Migration Tool. If you want to translate Exchange security for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, the account credentials you specify during the translation process must be a Permissions Admin in the Exchange site of the specified Exchange server.</P>`

			`<P>For more information about security descriptors, SIDs, and general security issues, see <A HREF="conceptdommigsecurityissues.htm">Understanding security</A>.</P>`

			`</BODY>`
			`</HTML>`