What is the difference between 'Translate Security Settings' and 'Translate Security for Accounts wi (NETIQKB860)

  • 7700860
  • 02-Feb-2007
  • 16-Aug-2007


What is the difference between 'Translate Security Settings' and 'Translate Security for Accounts with SID History'?

What are the requirements for the 'Translate Security Settings' wizard?

What are the requirements for the 'Translate Security for Accounts with SID History Option' wizard?

What Translate Security wizard translates security only in 'Replace' mode?


The 'Translate Security for Accounts with SID History' wizard performs the same function as the 'Translate Security Settings' wizard, but translates security in 'Replace' mode only.  The information below defines and provides the minimum requirements for each wizard.

Translate Security Wizard

The Translate Security wizard modifies the ACLs on the server selected during the migration. The Translate Security wizard checks the ACLs on the files, folder, shares, printers, registry, local groups and profiles on the selected servers and where it finds a reference to the account from the Source domain; it can then add the target domain user account to the ACLs. You have the option to either Replace or Add the target domain user account.  When the user logs on to the Target domain s/he will still have the same access.

Requirements for the Translate Security Wizard

  • DMA console installed in Win2K machine in the target domain.
  • Disconnect any mapped networked drive devices between source and target domain controllers to prevent credential conflict problems
  • The source domain must trust the target domain.  Existing resource domains must also trust the target domain.
  • Administrative rights to both the source and target domain
  • Logged into the DMA console with administrative rights
  • Accounts must be migrated first

Translate Security for Accounts with SID History Wizard

The Translate Security for Accounts with SID History wizard is available only when the Target domain is in Win2K Native Mode.  The DMA console should be running on a domain controller in the Target domain. Available after you have migrated users accounts, this option replaces the SID of the user account from the Source domain with the migrated user account in the Target domain. This process ensures that the target domain user account has the same permissions as the source domain user account.    Translating Security for Accounts with SID History does not increase the ACL size since the SID's are being replaced rather than added.

Requirements for Translate Security for Accounts with SID History Option

Requirements are same as Translate Security options requirements including the following:

  • Target domain must be Win2K in Native Mode.
  • Accounts must be migrated with SID History
  • The source domain must not be in the same forest as the destination domain. By definition, a Windows NT 4.0 domain is not in the same forest.
  • For Windows NT 4.0 source domains: Modify the registry on the source PDC, adding the DWORD value TcpipClientSupport to HKLM\SYSTEM\CurrentControlSet\Control\LSA. This value must be set to 1 to enable the Security Accounts Manager (SAM) operations required for cloning to take place over remote procedure call (RPC).
  • A local group must be created in the source domain called srcDomainName$$$, where srcDomainName is the name of the source domain, that is, if the domain is called Redmond, the group would be called Redmond$$$.
  • The source object must be of one of the following types:
    • Use.
    • Security enabled group including:
      • Global Groups 
      • Local Groups
      • Shared Local Groups (local groups created on the PDC and shared with the BDCs in a Windows NT 4.0 domain.)
      • Domain Local Group
      • Universal Group - Source is in Native Mode.

All permissions are the same as suggested for minimum requirements stated in the user guide.


Additional Information

Formerly known as NETIQKB860