windows-nt/Source/XPSP1/NT/admin/admt/documents/help-ms/windowsecurityoption.htm

46 lines
3.6 KiB
HTML
Raw Normal View History

2020-09-26 03:20:57 -05:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
"http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML DIR="LTR">
<HEAD>
<TITLE>Security Translation Options</TITLE>
<LINK REL="stylesheet" MEDIA="screen" TYPE="text/css" HREF="coUA.css">
<LINK REL="stylesheet" MEDIA="print" TYPE="text/css" HREF="coUAprint.css">
<SCRIPT LANGUAGE="JScript" SRC="shared.js"></SCRIPT>
<META HTTP-EQUIV="Content-Type" CONTENT="text-html;charset=Windows-1252">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Active Directory Migration Tool">
<META NAME="MS-HAID" CONTENT="a_WindowSecurityOption">
</HEAD>
<BODY>
<H1>Security Translation Options</H1>
<P>Specifies how Active Directory Migration Tool handles the security translation process. These fields are defined as follows:</P>
<P><B>Replace</B></P>
<P>Replaces the security ID (SID) for the account in the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceDomain">source domain</A> with the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SID">SID</A> for the account in the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=TargetDomain"> target domain</A> in the access control lists (ACLs) and system access control lists (SACLs) in the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SecurityDescriptor"> security descriptors</A> of the selected objects. This option gives the account in the target domain the same permissions on the selected objects as the account in the source domain. This option also removes these permissions from the account in the source domain.</P>
<P>When performing an <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=IntraforestMigration"> intraforest migration</A>, <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SIDHistory">SID History</A> is migrated and the <A ID="wPopup" HREF="HELP=ADMTGlos.hlp TOPIC=SourceObject">source object</A> is deleted. So, when performing an intraforest migration, Active Directory Migration Tool only allows security translation in <B>Replace</B> mode.</P>
<P><B>Add</B></P>
<P>Adds the SID for the account in the target domain to the ACLs and SACLs in the security descriptors of the selected objects that contain the SID for the account in the source domain. This option gives the account in the target domain the same permissions to the selected objects as the account in the source domain.</P>
<P>Windows&nbsp;2000 only recognizes the first 30 entries in registry key ACLs. If security translation is performed in <B>Add</B> mode, then more than 30 entries can exist at the end of the process. The large number of access control entries (ACEs) on certain registry keys might result in users being locked out of the affected system.</P>
<P>To prevent this problem, if the wizard encounters an ACL with more than 15 ACEs while running in <B>Add</B> mode, then the registry keys will be skipped by the system registry security translation process. This will not occur if the security translation is run in <B>Replace</B> or <B>Remove</B> mode. This is not a problem is the customer has not manually changed any registry key ACEs on the affected systems.</P>
<P><B>Remove</B></P>
<P>Removes the SID for the account in the source domain from the ACLs and SACLs in the security descriptors of the selected objects. This option removes the permissions to the selected objects from the account in the source domain.</P>
<P>For more information, see <A HREF="conceptsecuritytranslationissues.htm">Security identifier (SID) translation</A>.</P>
</BODY>
</HTML>