How do I translate security so that a target group receives the same permissions as the source Domai (NETIQKB6587)

  • 7706587
  • 02-Feb-2007
  • 06-Sep-2007


How do I translate security so that a target group receives the same permissions as the source Domain Users or Domain Admins group?

Domain Migration Administrator 7.x


The resolution in this case is to map the two groups using the 'Map and Merge Groups' wizard, then translate security using the 'Translate Security Settings' wizard.  You do not need to migrate the users again because the users have already been migrated to the target group.

Note: You cannot use SID history because the source group, Domain Users/Admins, exists in all Windows 2000 domains and has a 'well known' SID.  Therefore, in the 'Map and Merge Groups' wizard, do not select the checkbox for 'Migrate group SIDs to target domain'.

The steps are as follows:

  1. To verify that DMA will display the Domain Users/Admins group, from the MMC menu select ViewDMA Settings.
  2. Confirm that the checkboxes for Show previously migrated objects in project migration wizards and Show well-known users and groups in migration wizards are selected.
  3. Run the 'Select Objects' wizard and verify that the Domain Users/Admins group is included.
  4. In the DMA project, run the 'Map and Merge Groups' wizard.
  5. Select the source group. ( For this example, it is the Domain Users/Admins in the source domain)
  6. Select the target group.
  7. DO NOT select the checkbox for Migrate group SIDs to target domain.  Complete the 'Map and Merge Groups' wizard.
  8. If the users have not been migrated, migrate the users using DMA with either the 'Migrate User Accounts' or 'Migrate Groups' wizard. 
  9. If the users have already been migrated and are members of the correct target group, you do not have to migrate the users again.
  10. Run the 'Translate Security Settings' wizard.  When selecting the accounts, select the source Domain Users/Admins group.
  11. Select all the machines where security is to be translated, then complete the wizard.

As the 'Map and Merge Groups' wizard processes, it will create the mapping from the source Domain Users group to the target group. The results can be verified by reviewing the Migration.log on the DMA console machine.  Also, you can check the ACL on the resource where you translated security to verify that the target group has received permissions.

Additional Information

Formerly known as NETIQKB6587