Translating Security on Your Member Servers
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Translate security on member servers to clean up the ACLs of the resources. After objects are migrated to the target domain, resources contain the ACL entries of the source domain objects. If you are using SID history to provide access to resources during the migration, the SIDs from the source domain remain in the ACLs to enable users to access resources while the migration is in progress. After the migration is complete, the SIDs from the source domain are no longer needed. Use the Security Translation Wizard in ADMT to replace the source domain SIDs with the target domain SIDs.
You do not need to perform this procedure if you are not using SID history for resource access because you should have already run security translation in remove mode after the user migration.
To translate security on member servers
1. On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT account migration account.
2. Open the Active Directory Migration Tool, and then select Security Translation Wizard.
3. Complete the Security Translation Wizard by using the information in Table 11.35.
Table 11.35 Using the ADMT Security Translation Wizard
| Wizard Page | Action |
| --- | --- |
| Test or Make Changes | Click Migrate Now? |
| Security Translation Options | Click Previously migrated objects. |
| Domain Selection | In the Source domain box, type or select the name of the source account domain. In the Target domain box, type or select the name of the target domain. |
| Translate Objects | Clear the User Profiles check box. Select all other options. |
| Security Translation Options | Click Replace. |
To translate security on member servers by using a script
Prepare a script that incorporates ADMT commands and options for translating security on member servers by using the sample script shown in Listing 11.16.
Listing 11.16 Translating Security on Member Servers Between Forests
<Job id="TranslatingSecurityOnMemberServersBetweenForests">
<Script language="VBScript" src="AdmtConstants.vbs"/>
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objSecurityTranslation

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objSecurityTranslation = objMigration.CreateSecurityTranslation

   '
   'Specify general migration options.
   '
   objMigration.SourceDomain = "source domain"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "Computers"

   '
   'Specify security translation specific options.
   '
   objSecurityTranslation.TranslationOption = admtTranslateReplace
   objSecurityTranslation.TranslateFilesAndFolders = True
   objSecurityTranslation.TranslateLocalGroups = True
   objSecurityTranslation.TranslatePrinters = True
   objSecurityTranslation.TranslateRegistry = True
   objSecurityTranslation.TranslateShares = True
   objSecurityTranslation.TranslateUserProfiles = False
   objSecurityTranslation.TranslateUserRights = True

   '
   'Perform security translation on specified computer objects.
   '
   objSecurityTranslation.Translate admtData, _
      Array("computer name1", "computer name2")

   Set objSecurityTranslation = Nothing
   Set objMigration = Nothing
</Script>
</Job>
For a sample script file to assist you in creating a script to translate security on member servers, see "Translating Security on Member Servers Between Forests" (DSSREER_16.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Translating Security on Member Servers Between Forests" on the Web at https://www.microsoft.com/reskit).
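A check to run once translation in Replace mode has finished, as an added example that is not part of the original page or of ADMT: the PowerShell function below lists file and folder owners and explicit ACEs whose SID still belongs to the source domain. The function name, its parameters, the root path and the source domain SID are assumptions supplied by the operator; it assumes Windows PowerShell 3.0 or later and covers only files and folders, not the registry, shares, printers, local groups or user rights.

```powershell
# Added example: report owners and explicit ACEs under $Root whose SID still
# belongs to the source domain. Function and parameter names are hypothetical.
function Get-ResidualSourceSid {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        # Domain SID of the source domain, S-1-5-21-<a>-<b>-<c> (operator-supplied).
        [Parameter(Mandatory = $true)] [string] $SourceDomainSid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Trailing '-' so that only SIDs issued by this domain match the prefix.
    $prefix  = $SourceDomainSid.TrimEnd('-') + '-'
    $ordinal = [System.StringComparison]::OrdinalIgnoreCase

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($item.FullName): $_"; continue }

        # An owner SID from the source domain is also a leftover reference.
        $owner = $acl.GetOwner($sidType)
        if ($owner -and $owner.Value.StartsWith($prefix, $ordinal)) {
            New-Object psobject -Property @{
                Path = $item.FullName; Kind = 'Owner'
                Sid  = $owner.Value;   Rights = $null
            }
        }

        # Explicit ACEs only ($true, $false): inherited entries are reported
        # on the parent object that defines them.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            if ($ace.IdentityReference.Value.StartsWith($prefix, $ordinal)) {
                New-Object psobject -Property @{
                    Path = $item.FullName; Kind = "$($ace.AccessControlType) ACE"
                    Sid  = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage (placeholder values):
# Get-ResidualSourceSid -Root '\\server\share' -SourceDomainSid 'S-1-5-21-<a>-<b>-<c>' |
#     Format-Table Path, Kind, Sid, Rights -AutoSize
```

An empty result for a given root means no owner or explicit ACE under it still references the source domain; any rows returned identify resources to translate again before SID history is removed.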