User accounts migrated with sIDHistory receive 'Access is denied' on resources where the source acco (NETIQKB4768)

  • 7704768
  • 02-Feb-2007
  • 18-Oct-2007

Resolution

fact
Domain Migration Administrator 7.x

symptom
User accounts migrated with sIDHistory receive 'Access is denied' on resources where the source account had access.

cause
  • The Group account that grants access to the resource was not migrated with SID History or not migrated at all.
  • SID Filtering is turned on in the target domain.


fix

Migrate the groups that grant access to the resource with SID History and the target user account will gain access to the shares.



fix

If SID filtering is in effect on a domain, it filters any SID History information in incoming authorization data from the quarantined domains.  The solution in this case would be to remove SID History Filtering.

SID History Filtering is an optional security measure provided by Microsoft that prevents the SID history attribute of migrated accounts from gaining access to resources. SID filtering and SID History are mutually exclusive mechanisms.



Additional Information

Formerly known as NETIQKB4768