Access and Group related query

G-ONE 166 Reputation points
2021-01-11T04:16:54.087+00:00

@Daisy Zhou

The facts:

Servers' domain membership has been MOVED from the source domain to the target domain.
Only source Domain Local groups are appended in the resource DACL.
These source domain local groups have been migrated to the target domain without Sidhistory, and during migration the group scope was changed to Global.
These migrated global groups are nested inside the source domain local groups.

Including a comment from a different forum. I need an answer and an explanation.

"Changing the Domain membership of the server from the source domain to the target domain, orphans the source domain local access control entries (ACE) in the access control lists (ACL) as the Source Domain Local group will NEVER be present in the Access Token. Had the servers NOT been moved to the target domain, access would have worked".

So based on the above comment, my question is:

Q1: "Orphans the source domain local access control entries (ACE) in the access control lists (ACL)." Does it mean that the Sid of the source domain local group will show in the ACL rather than the name of the source domain local group? What is the exact meaning of "orphans the source domain local group access control entries (ACE) in the resource access control lists (ACL)"?

Another comment from a different forum:

If a target domain user is a member of the migrated target Global Group and the target user logs in to a target-domain-joined workstation, then the target user's access token will contain the Sid of the target user and the Sid of the migrated target Global Group.

So based on the above comment, my question is:

Q2: Since the resource server has been moved to the target domain and only source domain local groups are applied in the resource ACL, will the Sid of the migrated target Global Group in the target user's access token be compared directly, during the access check, against the Sid of the migrated target global group (which is nested inside the source domain local group in the resource ACL), ignoring the Sid of the source domain local group?

Please elaborate and explain technically how exactly the access check is happening here in terms of Sid and access token.

Another Scenario (Sidhistory included)

Servers' domain membership has been MOVED from the source domain to the target domain.
Source Domain Local groups are appended in the resource DACL.
These source domain local groups have been migrated to the target domain WITH Sidhistory, and the group type has been changed to Global.
These migrated global groups are nested inside the source domain local groups.

So my question is:

Q3: Please elaborate and explain technically how exactly the access check is happening in this scenario (Sidhistory included) in terms of Sid, Sidhistory and access token?

Looking forward to answers with a technical explanation specific to the above-mentioned questions and scenarios.

Thanks in advance! :-)
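To illustrate the two scenarios asked about above (Q1 to Q3), here is an added Python model of the Windows access check, not code from the original post or from Microsoft: the token is built from the user SID, the SIDs of the groups the user belongs to, and every sIDHistory entry carried by the user or by those groups, and the DACL is walked in order. All SIDs are constructed placeholders; the assumption is that a domain local group of a domain the server no longer belongs to is never added to the token, so its ACE only matches when the same SID arrives via sIDHistory.

```python
"""Simplified model of a DACL access check against an access token (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed SIDs for illustration only (not real domains or accounts).
SRC = "S-1-5-21-1111-1111-1111"    # source domain
TGT = "S-1-5-21-2222-2222-2222"    # target domain
SRC_DL_GROUP = f"{SRC}-1101"       # source Domain Local group named in the DACL
TGT_GLOBAL_GROUP = f"{TGT}-2101"   # migrated copy of that group, scope changed to Global
TGT_USER = f"{TGT}-2501"           # target domain user

READ = 0x1  # access mask bit used for the desired access

@dataclass
class Group:
    sid: str
    sid_history: list[str] = field(default_factory=list)

def build_token(user_sid: str, groups: list[Group], user_sid_history: tuple[str, ...] = ()) -> set[str]:
    """SIDs the resource server evaluates: user SID, group SIDs and all sIDHistory
    entries of the user and of the groups (modelled after what the PAC carries).
    A source-domain Domain Local group is never expanded here: the server now
    belongs to the target domain, so only target Domain Local groups could be added."""
    token = {user_sid, *user_sid_history}
    for group in groups:
        token.add(group.sid)
        token.update(group.sid_history)
    return token

def access_check(token: set[str], dacl: list[tuple[str, str, int]], desired: int) -> bool:
    """Walk the DACL in order: a matching deny ACE wins, allow ACEs accumulate rights.
    An ACE whose SID matches nothing in the token is skipped entirely (an 'orphaned' ACE)."""
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & desired:
            return False
        if ace_type == "allow":
            granted |= mask
        if granted & desired == desired:
            return True
    return False

def ace_display_name(sid: str, resolvable: dict[str, str]) -> str:
    """What the ACL editor shows: the resolved name, or the raw SID once the
    account can no longer be looked up (the ACE is then orphaned)."""
    return resolvable.get(sid, sid)

DACL = [("allow", SRC_DL_GROUP, READ)]  # only the source Domain Local group is on the ACL

def scenario_without_sidhistory() -> bool:
    token = build_token(TGT_USER, [Group(TGT_GLOBAL_GROUP)])
    return access_check(token, DACL, READ)  # False: nothing in the token matches the ACE

def scenario_with_sidhistory() -> bool:
    token = build_token(TGT_USER, [Group(TGT_GLOBAL_GROUP, sid_history=[SRC_DL_GROUP])])
    return access_check(token, DACL, READ)  # True: the old SID arrives via sIDHistory
```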
