Using SID History to Preserve Resource Access

Applies to: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

The best practice for granting access to resources is to use global groups to arrange users and domain local groups to protect resources. Place a global group into a domain local group to grant the members of the global group access to the resource. A global group can only contain members from its own domain, so when a user is migrated between domains, any global groups to which the user belongs must also be migrated. This ensures that users can continue to access resources that are protected by discretionary access control lists (DACLs) referring to those global groups.

If an account is migrated and the security identifier (SID) history of the source domain account is preserved, then when the user logs on to the target domain, both the new SID and the original SID from the SID history attribute are added to the user's access token. These SIDs determine the group memberships of the user. The SIDs of the groups of which the user is a member are then added to the access token, together with the SID history of those groups.

Resources within the source and target domains resolve their access control lists (ACLs) to SIDs and then check for matches between their ACLs and the access token when granting or denying access. If either the SID or a SID from the SID history matches, access to the resource is granted or denied according to the access specified in the ACL. If the resource is in the source domain and you have not run security translation, the resource grants access through the SID history of the user account.

You can also preserve the original SID for global groups and universal groups in the SID history of the global group or universal group in the target domain. Because local group memberships are based on SIDs, when you migrate the SID to the SID history of the global group or universal group in the target domain, the local group memberships of the global group or universal group are preserved automatically.
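The following is an added, constructed model of the token-building and access-check behaviour described in the three paragraphs above; it is not ADMT or Windows code. SIDs are plain strings with made-up domain prefixes, groups carry a member list, and a resource DACL is an ordered list of allow/deny entries. It shows why the global group's own SID history matters (a source-domain domain local group still lists the old global group SID), that deny entries written against the old SID keep applying through SID history, and that after security translation (modelled here as a simple replace of old SIDs with new ones) the resource no longer depends on the user's SID history.

```python
"""Constructed model of SID history in an access check (not ADMT/Windows code).
SIDs are strings, groups carry member SID lists, and a resource DACL is an
ordered list of (ace_type, sid, rights) tuples."""
from dataclasses import dataclass, field

# Constructed domain SID prefixes; real values come from the directory.
SRC = "S-1-5-21-1111-2222-3333"   # source domain
TGT = "S-1-5-21-4444-5555-6666"   # target domain


@dataclass
class Principal:
    sid: str
    sid_history: list = field(default_factory=list)  # sIDHistory attribute
    members: list = field(default_factory=list)      # member SIDs (groups only)


def build_token(user, groups):
    """SIDs placed in the user's access token at logon.

    Follows the text: the user's SID plus every SID in sIDHistory, then the
    SID and sIDHistory of each group the user belongs to. Membership matches on
    any SID already in the token, so a domain local group that still lists the
    OLD global group SID keeps working. Nesting is resolved transitively
    (an assumption of this model)."""
    token = {user.sid, *user.sid_history}
    changed = True
    while changed:
        changed = False
        for g in groups:
            if g.sid not in token and any(m in token for m in g.members):
                token.add(g.sid)
                token.update(g.sid_history)
                changed = True
    return token


def check_access(token, dacl, requested):
    """Ordered DACL walk: a matching deny on any still-outstanding right fails
    the request; matching allows accumulate until nothing is outstanding.
    Simplified: no inheritance flags and no generic-right mapping."""
    outstanding = set(requested)
    for ace_type, sid, rights in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and outstanding & set(rights):
            return False
        if ace_type == "allow":
            outstanding -= set(rights)
            if not outstanding:
                return True
    return not outstanding


def translate_dacl(dacl, sid_map):
    """Security translation modelled in 'replace' mode: rewrite each ACE's SID
    from the source-domain SID to the migrated target-domain SID; SIDs not in
    the map are left untouched."""
    return [(t, sid_map.get(s, s), r) for t, s, r in dacl]


def scenario():
    """Migrated user and global group; the domain local group and the
    resource stay in the source domain and still reference the old SIDs."""
    user = Principal(f"{TGT}-2105", sid_history=[f"{SRC}-1105"])
    sales_gg = Principal(f"{TGT}-2201", sid_history=[f"{SRC}-1201"],
                         members=[f"{TGT}-2105"])
    share_readers_dl = Principal(f"{SRC}-1301", members=[f"{SRC}-1201"])
    groups = [sales_gg, share_readers_dl]

    dacl = [
        ("deny",  f"{SRC}-1105", ["delete"]),   # old explicit deny on the user
        ("allow", f"{SRC}-1301", ["read"]),     # domain local group grants read
        ("allow", f"{SRC}-1105", ["write"]),    # old direct grant to the user
    ]

    token = build_token(user, groups)
    results = {
        "read_via_group_history": check_access(token, dacl, {"read"}),
        "write_via_user_history": check_access(token, dacl, {"write"}),
        "delete_denied_via_user_history": check_access(token, dacl, {"delete"}),
    }

    # Same migration, but the global group's sIDHistory was not preserved:
    gg_no_hist = Principal(sales_gg.sid, members=sales_gg.members)
    token_no_gg_hist = build_token(user, [gg_no_hist, share_readers_dl])
    results["read_without_group_history"] = check_access(token_no_gg_hist, dacl, {"read"})

    # User logs on without any sIDHistory (group history kept): the direct
    # grant only works once the resource's ACL has been translated.
    token_no_user_hist = build_token(Principal(user.sid), groups)
    translated = translate_dacl(dacl, {f"{SRC}-1105": user.sid, f"{SRC}-1201": sales_gg.sid})
    results["write_no_history_before_translation"] = check_access(token_no_user_hist, dacl, {"write"})
    results["write_no_history_after_translation"] = check_access(token_no_user_hist, translated, {"write"})
    return results


if __name__ == "__main__":
    for name, granted in scenario().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Running the script prints one line per check. The `read_without_group_history` case is the one to keep in mind when planning a migration: the domain local group in the source domain never learns the new global group SID, so access through it survives only if the global group's original SID was carried into its SID history.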

SID history is used for the following:

  • Roaming user profile access

  • Certification authority access

  • Software installation access

  • Resource access

Even if you do not rely on SID history for resource access, you still have to migrate SID history to preserve access to the other items in this list.