Thank you!

Frankly, this is not a migration. It's more of a DR solution. In the event that the AWS service becomes unavailable, we need to deploy a temporary working infrastructure. As soon as the primary resource returns to normal, the resources on the standby site will be removed.

If sidHistory works, that will be great.
I confess I have only come across migration between domains using sidHistory a few times; it works in trusted domains. I'm not sure if this will work if there is no trusted domain, but there is a server and resources from domain A in domain B in which users have sidHistory set.

Are you able to provide a bit more information:

What risk are you trying to mitigate?

There is a direct order from the customer: if AWS in one of the regions is not available, we need to quickly deploy infrastructure in another region.
The primary region uses AWS AD. In the backup, a domain controller is deployed, with the same forest, and servers are replicated between regions.
As soon as the main region becomes unavailable, the servers in the backup will be turned on.

What infrastructure do you have in AWS?

I unfortunately do not know everything, I know there are virtual machines, terminal servers (farm), SQL, applications, web servers or web applications.
File server.

Do you have both on-premise and AWS servers joined to the domain?

On-premises is separated from AWS AD. AWS does not allow you to use their AD to the full extent as classic AD. Hence such difficulties.
If it were classic AD or Azure AD, this problem would not exist.

The domains have the same forest and the same domain, but they are completely separated and do not communicate with each other (not the best scenario).
Objects are synchronized as follows: export from AWS -> JSON files -> import on-prem.

How many users?

Not much, up to 200 users, up to 100 groups.

Do users have workstations joined to the domain, is it just VDI access?

Yes, there are also terminal servers.

Unfortunately, AWS AD does not allow you to add on-premises controllers; it only allows migrating from on-premises to AWS AD. They have replication technology between sites and adding controllers in another site.

In addition, the administrator in AWS AD is just a user with full rights to the OU. He cannot build trust relationships, change the schema, sites, etc. He can only manage objects in dedicated OUs.

This is such a difficult path.
A script has been written; it synchronizes directories and all object changes. I warned the customer about the authority issue, but only after a while did the issue become urgent :)
In addition, the domain names in domain A and domain B are exactly the same FQDN.

I would be very grateful for any help in this matter.

It looks like the idea with sidHistory can be forgotten. I don't have a trust relationship. All exports and imports go through json files. You can connect between domains, but they have the same name and domain A is AWS with all the restrictions.

Thanks for the comprehensive answer.

It looks like I won't be able to use sidHistory, at least if the domains do not have trust relationships.

That is, I can't just populate the attribute. This can only be done by a trusted domain administrator who is a member of the domain administrators group on the target domain.

In addition, a number of requirements for the original domain must be met, which in my case is completely absent.

Thank you.

Perhaps there are ready-made pages so as not to dive into writing code? :)

After restoring a deleted user in Azure AD, the status was changed, however, only after one of the following steps:

1. Disable/enable the computer account.

# Install the MSOnline module first, then load it and sign in to the tenant
Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService
# Disable, then re-enable the device object by its display name
Get-MsolDevice -Name 'DESKTOP-G21392F' | Disable-MsolDevice -Force
Get-MsolDevice -Name 'DESKTOP-G21392F' | Enable-MsolDevice -Force

2. Performed synchronization from the Intune side.


3. Performed forced sending of data from the user's computer. According to the schedule, it happens every 24 hours.



4. Launched the Company Portal on the computer. It didn't prompt me to sign in.

I doubt that these actions can somehow affect it, except for the last one. But for some reason, the status changed after ~5 minutes. Most likely, the launch of the Company Portal changed its status, because it was automatically logged in after Company Portal started. Company Portal did not request the account's credentials; the application just started.

Thank you. Everything is very unpredictable.

Now, on two new test computers, I deleted the user, after which the status changed to Not Compliant. Then I restored the user, and within a day the status changed to Compliant.
I do not understand the relationship: why in one case it does not work, but in the other it works.

Thanks for the answer.
Yes, the owner is unknown. When I change ownership it doesn't help; the device remains in N/A status. It only helps if this new owner re-adds the device. But we don't want to ask users to do it on their end.

I'm sorry, maybe I didn't ask the right question.

The problem is that the devices are in Not Compliant status.

The reason for the problem was that the mailbox was not located on Exchange 2010.

I am deleting an accounting directory from a public access point.

Then I try to transfer just that directory. And now I see that the Migration Tool has matched the two groups, but not all of them; the user groups and other groups exist in Azure AD.

But in any case, this is not correct. I will need to migrate each directory again. Also, I can't trust the migration wizard.


Yes, on SharePoint this is Inherited permissions. But on file server this is Unique permission on each folder.

But as you can see, if I migrate one directory, not all permissions are transferred. I can't trust the migration wizard because there might be directories with unique permissions inside as well.
In addition, the volume of data is very large for analysis.
Do I need help writing a script that assigns permissions?

I don't understand why this problem exists, is it some kind of bug?

They are Unique, not Inherited.


For example, these are the Accounting directory permissions.

This is an example of a permission audit. You can see that all directories and files have the same permissions.

Hi.


Corporate-owned dedicated devices
Manage device owner enrollments for kiosk and task devices.

Do you have these settings?