BACKGROUND:
- Users migrated to new domain with the SID value of their old domain user account added to the SID History property on their new domain user account
- Old domain still in use as file servers haven't migrated to new domain
- Old domain user accounts still exist to provision access to old domain file servers
- New domain and old domain user accounts are both enabled
GOAL:
Determine if disabling the old domain user accounts will cause the new domain accounts to be unable to access the old domain file servers.
THOUGHTS:
From TechNet article: "When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user — the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, can allow or deny the user access."
QUESTION:
If the old domain user account is disabled, will this disallow access to the group memberships of the disabled old domain user account and thereby make it so the new domain user account can't access resources on the old domain file servers?
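One way to answer this empirically rather than from the documentation alone is to look at the SIDs that actually land in the migrated user's token on a member of the old domain, before and after the old-domain account is disabled. The script below is an added example, not code from the original post: it dumps every SID in the current token (user SID, sIDHistory entries and group SIDs), flags which ones belong to the old domain by SID prefix, and diffs two such dumps. The server names, file paths and the account used are assumptions to be replaced; the old domain's SID is read with Get-ADDomain from the ActiveDirectory module.

```powershell
# Added example (not from the original post). Assumed values: olddc01.old.example
# as a DC of the old domain, C:\temp for output. Run as the migrated (new-domain)
# user on a member of the OLD domain, e.g. one of the file servers, once before
# and once after disabling the old-domain account, then compare the two reports.
function Get-TokenSidReport {
    param(
        # SID of the old domain, e.g. (Get-ADDomain -Server olddc01.old.example).DomainSID.Value
        [Parameter(Mandatory)][string]$OldDomainSid,
        [string]$OutFile
    )
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Groups already contains the sIDHistory SIDs and every group SID the
    # authenticating DC put into the token; add the primary user SID as well.
    $sids = @($identity.User) + @($identity.Groups)

    $report = foreach ($sid in $sids) {
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid       = $sid.Value
            Name      = $name
            OldDomain = $sid.Value.StartsWith("$OldDomainSid-")   # SID issued by the old domain
            IsUser    = ($sid -eq $identity.User)
        }
    }
    if ($OutFile) { $report | Export-Csv -NoTypeInformation -Path $OutFile }
    $report
}

# Diff two saved reports: SIDs present only in the first are 'lost',
# SIDs present only in the second are 'gained'.
function Compare-TokenSidReport {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = Import-Csv -Path $Before
    $a = Import-Csv -Path $After
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Sid -PassThru |
        Select-Object Sid, Name, OldDomain,
            @{ n = 'Change'; e = { if ($_.SideIndicator -eq '<=') { 'lost' } else { 'gained' } } }
}

# Usage (assumed names and paths):
# $oldSid = (Get-ADDomain -Server olddc01.old.example).DomainSID.Value
# Get-TokenSidReport -OldDomainSid $oldSid -OutFile C:\temp\token-before.csv | Format-Table
# ... disable the old-domain account, log off and log on again ...
# Get-TokenSidReport -OldDomainSid $oldSid -OutFile C:\temp\token-after.csv | Format-Table
# Compare-TokenSidReport -Before C:\temp\token-before.csv -After C:\temp\token-after.csv
```

Two practical points when reading the output: the token is built at logon, so the "after" run needs a fresh logon or the comparison shows nothing, and a test account should be used first rather than a production user. The rows flagged OldDomain are the ones that matter for the file servers: the sIDHistory entry itself, plus any old-domain group SIDs the old domain's DC added when it processed the logon. If the old-domain group SIDs are still present after the old account is disabled, disabling it has not removed that path to the shares; if they are gone, it has. Separately, if SID filtering (quarantine) is enabled on the trust between the two domains, sIDHistory SIDs from the other domain are dropped from the token regardless of the account's state, which would show up in the "before" report as the old SID simply never being there.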