Sidhistory behavior in Intra-forest AD Migration

Hello IT Folks,

As we know, the Sid/Sidhistory of Domain Local groups doesn't cross the trust boundary outside of the forest. But within the forest (intra-forest), if Domain Local groups were migrated from Domain A to Domain B along with Sidhistory, does the Sid/Sidhistory of the migrated Domain Local group cross outside of the Domain B boundary?

Please answer and explain specific to the scenario.

  • Did you know that every time you mention me, I get two e-mails? One for posting and one for the mention. I am already alerted to every single post in this forum. You need to have some patience, as there is no SLA for replies to a thread. If you are in need of immediate support, please open a support case. However, the topic of this thread is not directly product related.

    I actually like fielding questions here. It is, however, not in my job description. I field these in my spare time, after my primary tasks are complete. I will get to your thread when I have time. I am actually still working, 15 hours and counting. These explanations can take some time.

    I have actually already answered your question in another thread.

    Domain Local Groups cannot be used to secure or grant access to resources in a trusting domain. This is a core functional administrative principle for Active Directory management. So if you migrate the source domain local group's sid to the target domain local group's sidhistory, it adds no value. You have effectively given the office "keys" in one building to someone locked in another building. Now if the office is moved to the other building, those keys would work.
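
To see which Domain Local groups in the target domain carry a migrated SID in sIDHistory, a read-only query like the following can be used. This is an added example, not part of the original thread; it assumes the ActiveDirectory (RSAT) PowerShell module, and the domain name `domainb.example.com` is a placeholder.

```powershell
# Added example: read-only audit of Domain Local groups that hold sIDHistory.
# Assumption: domainb.example.com is a placeholder for the target domain.
Import-Module ActiveDirectory

$targetDomain = 'domainb.example.com'

# Domain SID of the target domain, used to tell local SIDs from migrated ones.
$targetDomainSid = (Get-ADDomain -Server $targetDomain).DomainSID.Value

$report = Get-ADGroup -Server $targetDomain `
        -Filter "GroupScope -eq 'DomainLocal'" `
        -Properties SIDHistory |
    Where-Object { $_.SIDHistory.Count -gt 0 } |
    ForEach-Object {
        $group = $_
        foreach ($oldSid in $group.SIDHistory) {
            # AccountDomainSid is the domain portion of a SID
            # (it is $null for SIDs that are not account SIDs).
            $sourceDomainSid = $oldSid.AccountDomainSid

            [pscustomobject]@{
                Group           = $group.SamAccountName
                CurrentSid      = $group.SID.Value
                HistoricalSid   = $oldSid.Value
                SourceDomainSid = if ($sourceDomainSid) { $sourceDomainSid.Value } else { $null }
                # True when the historical SID was issued by a different domain.
                FromOtherDomain = (-not $sourceDomainSid) -or
                                  ($sourceDomainSid.Value -ne $targetDomainSid)
            }
        }
    }

# One row per (group, historical SID) pair.
$report | Sort-Object Group | Format-Table -AutoSize
```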

     

  • Thank you for your reply. I will keep your suggestions in mind from now on.

    So I just want to confirm: the Sid & Sidhistory of migrated target Domain Local groups also don't cross outside of the target domain boundary within the same forest, right?
