Security Translation Issues

The Active Directory Migration Tool allows you to change file, directory, and share Security Descriptors that reference one user account or group in a source domain to reference another user account or group with the same name in a target domain. You can also translate local group memberships and user rights. The tool provides many options so that you can resolve the related security issues in the way your environment requires.

When you copy a user account or group from domain A to domain B, a new account is created in domain B. This new account has the same name as the original account in domain A, but this new account has a different SID. The Active Directory Migration Tool changes the Security Descriptors for various files, directories, and shares to refer to the SID for the new account in domain B. This process ensures the new user account or group provides the same access to files, directories, and shares that the original user account or group provided.

Note:
The Active Directory Migration Tool changes Security Descriptors for files, directories, and shares. This product does not change Security Descriptors for other resources, such as printers. The Active Directory Migration Tool supports path names up to 255 characters.

The Active Directory Migration Tool also copies local group memberships and user rights for migrated accounts. If you migrate a local group and its members to another domain, the Active Directory Migration Tool copies the local group and the member accounts to the target domain. The Active Directory Migration Tool also makes the new accounts members of the local group in the target domain.

If the Active Directory Migration Tool finds a SID from the source domain that it cannot resolve, such as a SID for a user account that does not have a matching user account in the target domain, the Active Directory Migration Tool leaves the SID unchanged and continues searching.
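The translation rules described above, modeled on SDDL strings as an added example (this is not ADMT's own code): SIDs are paired by account name, mapped SIDs are rewritten, and source-domain SIDs with no same-name target account are left unchanged and collected for review. All domain SIDs, RIDs, account names and the sample descriptor are constructed.

```python
import re

# Constructed sample data: domain SIDs, account names and RIDs are made up.
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # domain A
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"   # domain B
SOURCE_ACCOUNTS = {"jsmith": SOURCE_DOMAIN + "-1104",
                   "Finance": SOURCE_DOMAIN + "-1201",
                   "oldsvc": SOURCE_DOMAIN + "-1350"}   # never migrated
TARGET_ACCOUNTS = {"jsmith": TARGET_DOMAIN + "-2210",
                   "Finance": TARGET_DOMAIN + "-2305"}

# Matches account SIDs issued by a domain (domain SID plus a RID).
DOMAIN_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def build_sid_map(source_accounts, target_accounts):
    """Pair source and target SIDs for accounts that share a name."""
    return {sid: target_accounts[name]
            for name, sid in source_accounts.items()
            if name in target_accounts}


def translate_sddl(sddl, sid_map, source_domain):
    """Return (translated SDDL, sorted unresolved source-domain SIDs)."""
    unresolved = set()

    def swap(match):
        sid = match.group(0)
        if sid in sid_map:
            return sid_map[sid]
        if sid.rsplit("-", 1)[0] == source_domain:
            unresolved.add(sid)      # no same-name account in the target
        return sid                   # left unchanged; processing continues

    return DOMAIN_SID.sub(swap, sddl), sorted(unresolved)


# Constructed descriptor for a shared folder: owner jsmith, ACEs for Finance,
# the unmigrated oldsvc account, and the built-in Administrators alias (BA).
SAMPLE_SDDL = ("O:" + SOURCE_ACCOUNTS["jsmith"] + "G:BA"
               "D:(A;OICI;FA;;;BA)"
               "(A;OICI;0x1301bf;;;" + SOURCE_ACCOUNTS["Finance"] + ")"
               "(A;OICI;FR;;;" + SOURCE_ACCOUNTS["oldsvc"] + ")")

if __name__ == "__main__":
    sid_map = build_sid_map(SOURCE_ACCOUNTS, TARGET_ACCOUNTS)
    new_sddl, leftover = translate_sddl(SAMPLE_SDDL, sid_map, SOURCE_DOMAIN)
    print(new_sddl)
    print("unresolved source SIDs to review:", leftover)
```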
