Migrated file server and translated security, but some users get 'Access is denied' when they try to access files (NETIQKB10316)

  • 7710316
  • 02-Feb-2007
  • 27-Sep-2007

Resolution

fact
Domain Migration Administrator 7.1

symptom
Migrated file server and translated security, but some users get 'Access is denied' when they try to access files.

symptom
Selected users and associated groups.  Did not explicitly select any groups to be migrated.

symptom
File, share and / or printer permissions are granted to the source Domain Users group.

symptom
Users in target domain receive 'Access is denied' when they try to use a printer in the source domain.

fix

These symptoms can occur if users in the source domain were granted permissions to resources at the user account level, but security has only been translated for groups.  The resolution is to translate security for user accounts on the file servers and print servers where the source users have access. 

These symptoms can also occur if users from the source domain were receiving permissions through membership in the Domain Users group, but the Domain Users group was not migrated.  DMA will not migrate Well-Known groups when the option 'Migrate associated user groups' is selected during the user migration. See NETIQKB10173 for more details.  If users need to receive permissions to resources through membership in the Domain Users group, then the resolution is to select the source Domain Users group and migrate it to the target domain.  Use 'Replace and Update' as the Naming Conflict option and ensure that you have specified the correct target container.  This will cause DMA to map the source Domain Users group to the target Domain Users group.  Next, translate security using the 'Translate Security Settings' wizard and select the source Domain Users group and the affected file server(s).
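To see which of the two causes above applies to a given resource, the following added example (not part of the original article and not DMA code) lists the DACL entries whose trustee SID belongs to the source domain and marks the ones granted to Domain Users (RID 513). The function name, the domain SIDs and the sample SDDL string are constructed placeholders.

```powershell
# Added example: list ACEs that name source-domain principals.
# All SIDs and the SDDL string below are constructed sample values.
function Find-SourceDomainAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,             # security descriptor in SDDL form
        [Parameter(Mandatory)][string]$SourceDomainSid   # e.g. S-1-5-21-x-y-z of the source domain
    )
    $source = [System.Security.Principal.SecurityIdentifier]::new($SourceDomainSid)
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACEs that carry a trustee SID and an access mask are of interest.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        # AccountDomainSid is $null for SIDs such as BUILTIN\Administrators.
        $domain = $sid.AccountDomainSid
        if ($null -eq $domain -or -not $domain.Equals($source)) { continue }

        $rid = [uint32]($sid.Value.Split('-')[-1])
        # RID 513 is the well-known Domain Users group; anything else is an
        # individual account or another group (the SID alone cannot say which).
        $trustee = if ($rid -eq 513) { 'Source Domain Users group' }
                   else { 'Other source-domain account or group' }

        [pscustomobject]@{
            Sid        = $sid.Value
            Trustee    = $trustee
            AceType    = $ace.AceType
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

# Constructed descriptor: BUILTIN\Administrators, source Domain Users,
# one source-domain account (RID 1105) and one target-domain account.
$sampleSddl = 'O:BAG:BAD:(A;OICI;FA;;;BA)' +
              '(A;OICI;0x1200a9;;;S-1-5-21-1111111111-2222222222-3333333333-513)' +
              '(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
              '(A;OICI;0x1301bf;;;S-1-5-21-1234567890-1234567891-1234567892-1620)'

Find-SourceDomainAce -Sddl $sampleSddl `
    -SourceDomainSid 'S-1-5-21-1111111111-2222222222-3333333333' | Format-Table -AutoSize
```

For a live folder, pass `(Get-Acl -Path <folder>).Sddl` as the `-Sddl` argument. Entries reported as the Domain Users group point to the second cause; other entries still have to be matched to a user or group account to tell whether user-level translation is what is missing.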

Another possible cause of this issue is that the client machines are trying to connect to the file/print server in the source domain.  Client machines can connect to the migrated file/print server if they use the fully qualified DNS name or IP address, but will receive "access is denied" if they try to connect using the NetBIOS name.  This can be resolved by updating the WINS server or deleting the computer account in the source domain.  Refer to Microsoft article 310340: http://support.microsoft.com/default.aspx?scid=kb;en-us;310340



Additional Information

Formerly known as NETIQKB10316