Resolution
fact
Domain Migration Administrator 7.x
symptom
Error: 'Access is Denied' when trying to access a resource that has foreign Domain Local groups listed as ACEs on the resource.
symptom
Native tools will not allow me to add a Domain Local group onto a resource in a different domain but Domain Migration Administrator will add the Domain Local group to a resource in a different domain when running the Security Translation for Domain Local groups.
cause
fix
note
When translating security for Domain Local groups in Add mode, Domain Migration Administrator (DMA) adds the Domain Local group's ACE to resources in the source domain. DMA does this so that when and if the computer account gets migrated, the Access Control Lists on the resources will be updated with the correct, migrated Domain Local group's Access Control Entries.
Domain Migration Administrator 7.x
symptom
Error: 'Access is Denied' when trying to access a resource that has foreign Domain Local groups listed as ACEs on the resource.
symptom
Native tools will not allow me to add a Domain Local group onto a resource in a different domain but Domain Migration Administrator will add the Domain Local group to a resource in a different domain when running the Security Translation for Domain Local groups.
cause
The issue is caused by the following scenario:
- A Domain Local group contains user accounts from its local domain as members.
- The Domain Local group is migrated.
- The member user accounts are migrated.
- Security Translation is performed for the migrated Domain Local groups on the source computer accounts that have them listed as ACEs on resources.
- Once Security Translation is finished, user accounts that are members of the Domain Local groups get 'Access is Denied' error when trying to access the resource.
This issue is caused by a limitation of Microsoft group membership properties and security boundaries. Native tools will not allow you to add a Domain Local group as an ACE to a resource when that resource is located in a different domain than where the group originates.
fix
To resolve this issue:
- Re-structure your group membership according to Microsoft best practices. For example, put user accounts into Global groups, put Global groups into Local groups, and then use the Local group to set permissions on the resource.
- Manually add the user account permissions to the resource.
- Migrate the computer account that hosts the resource.
note
When translating security for Domain Local groups in Add mode, Domain Migration Administrator (DMA) adds the Domain Local group's ACE to resources in the source domain. DMA does this so that when and if the computer account gets migrated, the Access Control Lists on the resources will be updated with the correct, migrated Domain Local group's Access Control Entries.
Additional Information
Formerly known as NETIQKB54216