Resolution
symptom
After the entire migration has been completed, the ACL's for directories and shares on a migrated computer contain unrecognized SID's, indicated by a question mark.
change
All domain controllers in the source domain have been decommissioned.
fix
note
After the entire migration has been completed, the ACL's for directories and shares on a migrated computer contain unrecognized SID's, indicated by a question mark.
change
All domain controllers in the source domain have been decommissioned.
fix
Each unrecognized SID belongs to an account that is in the decommissioned source domain. Without a domain controller in the source domain, the SID cannot be resolved and therefore is indicated by a question mark.
The options that should be considered for removing these unrecognized SIDs at this point are:
- You can use the 'Translate Security Settings' wizard, with the 'Remove' option, to remove references to SIDs from the source domain. This wizard requires that a domain controller from the source domain be running in order to resolve the SIDs.
- If a source domain controller cannot be made available, then you can manually remove references to accounts from the source domain.
- If you are planning to remove these references, you may need to verify that none of your accounts are still accessing this resource via sidHistory.
note
The recommended practice for translating security in this scenario is to:
- After migrating users, groups, and computers, run the 'Translate Security Settings' wizard to translate security in Add mode.
- Verify that the new users have the correct access.
- While the source domain is still in operation, translate security again using the Remove option.
- If you have migrated any objects with SID History, run the 'Remove SID History' wizard.
- Verify that the new users have the correct access.
- Decommission the source domain.
Additional Information
Formerly known as NETIQKB4322