Should I translate security in Replace mode so I don't have to use Remove mode later? What is the d (NETIQKB10172)

  • 7710172
  • 02-Feb-2007
  • 10-Oct-2007


Should I translate security in Replace mode so I don't have to use Remove mode later?  What is the default setting?

Domain Migration Administrator 6.x

Domain Migration Administrator 7.x


DMA will translate security (re-ACL) resources that exist in the source or target domain.  ACLs (Access Control Lists) exist on the files, folders, and shares themselves, and are NOT migrated with user or group accounts.  By translating security, ACLs are updated so that migrated accounts will have the same level of access to files, folders, and shares as the source accounts.  However, this re-ACLing will only occur for accounts that were migrated with the DMA tool (in a project or through the global wizards).

The default setting when translating security is ADD mode. This means that the correct ACL permissions will be updated with the new target domain account (this user or group account will be ADDed to the ACL).

You may choose to REPLACE the ACL permissions, but any previous permissions for the source accounts will be removed.  There is also the REMOVE option, which you would use if you had previously used ADD and now want to remove the access for the source users and groups. The REMOVE option will delete all the ACEs (Access Control Entries) for the source accounts.

One pass of security translation with the REPLACE mode has the same end result as first using ADD mode then using REMOVE mode.  It is safer to ADD on first pass, verify that the permissions are correct, then in a later pass use REMOVE.  Translating security with REMOVE does not require a reboot and is transparent to the user.
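The relationship between the three modes, as an added sketch (not NetIQ's code and not a description of how DMA is implemented). It assumes a simplified ACL model of ordered (account, rights) entries with account names standing in for SIDs; `translate`, `missing_target_aces`, and the sample accounts are hypothetical names constructed for the illustration.

```python
from typing import NamedTuple

class ACE(NamedTuple):
    trustee: str  # account name; stands in for the SID a real ACE holds
    rights: str

def translate(acl, account_map, mode):
    """One translation pass. account_map: source account -> migrated target account."""
    if mode not in ("ADD", "REPLACE", "REMOVE"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for ace in acl:
        target = account_map.get(ace.trustee)
        if target is None:
            out.append(ace)  # not a migrated source account: left untouched
            continue
        if mode == "ADD":
            out.append(ace)  # source ACE stays in place
        if mode in ("ADD", "REPLACE"):
            out.append(ACE(target, ace.rights))  # same rights for the target account
        # REMOVE (and REPLACE) emit no source ACE
    return list(dict.fromkeys(out))  # drop duplicates, keep order

def missing_target_aces(acl, account_map):
    """Source ACEs with no matching target ACE; must be empty before a REMOVE pass."""
    present = set(acl)
    return [a for a in acl
            if a.trustee in account_map
            and ACE(account_map[a.trustee], a.rights) not in present]

# Constructed sample data (not from the article)
ACCOUNT_MAP = {r"OLD\alice": r"NEW\alice", r"OLD\Sales": r"NEW\Sales"}
ACL = [ACE(r"OLD\alice", "Modify"), ACE(r"OLD\Sales", "Read"),
       ACE(r"BUILTIN\Administrators", "FullControl"),
       ACE(r"OLD\bob", "Read")]  # OLD\bob was not migrated, so it is never touched

if __name__ == "__main__":
    added = translate(ACL, ACCOUNT_MAP, "ADD")
    print("gaps before REMOVE:", missing_target_aces(added, ACCOUNT_MAP))
    print("ADD then REMOVE:", translate(added, ACCOUNT_MAP, "REMOVE"))
    print("REPLACE        :", translate(ACL, ACCOUNT_MAP, "REPLACE"))
```

After a REPLACE pass no entry for a mapped source account remains, which is the rollback exposure; the ADD result keeps both sets of entries until the check returns an empty list and REMOVE is run.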

You may elect to use REPLACE mode so that the computer migration and security translation can be done in one pass.  DMA does not delete any files or folders, so DMA will not cause any data loss.  DMA is only dealing with the ACLs when it translates security.  The risk with using REPLACE is that users would not be able to log in with the source account to access the resource if you needed to roll back the migration immediately.

You should assess the migration conditions and select the security translation procedure that is best suited to your environment.

Additional Information

Formerly known as NETIQKB10172