
Question regarding SID-History

Hi everybody,

I have a general question about the SID-History / netlogon technologies in a cross-forest environment during a migration.

We have the following situation:

  • We have already migrated a lot of domain local groups to the target domain (using SID-History).
  • We have a share on a file server, which is still a member of the source domain, with some of these (source-domain) local groups in the ACL.
  • Now in the target domain we created a new user and put him into the migrated domain local groups, corresponding to the source domain local groups appearing in the share ACL.

Now the following behaviour occurs:

  • The user logs on to a computer in the target domain with his newly created account and tries to access the mentioned share. He gets an "access denied" message.
  • But if we change the scope of the migrated groups from "local" to "global", it works.
  • Furthermore, if we migrate the user with SID-History too, it works as well, even if the scope of the migrated groups stays "local".

Our expectation was that the newly created user should get access to the share in the source domain, because the ACL contains only groups whose SIDs should be in the access token of the user (via the SID-History), independent of the group scope.

Is this behaviour by design? Are we missing something?

Could someone explain the technical background of this behaviour?

This would be much appreciated. Many thanks in advance.


Best Regards

Manuel

