Sidwalker Security Administration Tools
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
SIDWalker Security Administration Tools
This set of programs helps system administrators manage access-control policies on systems running Windows Server 2003, Windows XP, Windows 2000, and Windows NT. The SIDWalker tools are designed to support a three-phase approach to modifying access control. Each phase of changing access control can take a day or longer to complete and verify, and requires significant amounts of system resources and administrator time. The phases are:
The administrator needs to determine what users have been granted access to resources (file shares, print shares, NTFS files, registry keys, and local group membership) on a particular computer.
Based on who has access to what resources on the system, the administrator can choose to delete old, unused security identifiers (SIDs), or replace them with corresponding new SIDs, such as new security groups.
Using the information from the planning and mapping phases, the third phase is the conversion of security identifiers found anywhere on a system to corresponding new SIDs.
The following example is a scenario requiring migration of access control policies:
All of the files for a project on a file server have an access control list (ACL) that grants the group ProjectTeam Read/Write access to the project files.
ProjectTeam is a security group that has a unique security identity in the Windows XP account directory. If the project changes and ProjectTeam merges into a larger project team, the administrator might want to change the access permissions on the project files. The Read/Write access-control rights granted to the original ProjectTeam can be replaced by access rights granted to a NewProjectTeam group. NewProjectTeam can be defined in a different domain and project file server. The computer on which the project file server runs can move from the current domain to a new domain for the larger project. In changing situations like this, SIDWalker can facilitate managing and updating security access policies on the servers involved.