Help!!! Migration Problem!

Morning Guys,
We're migrating from one Windows 2003 domain to another (acquisition).
DomainA.lab - Forest Trust 2000, Domain Trust 2003
DomainB.lab - Forest Trust 2003, Domain Trust 2003
Migration from DomainA.lab to DomainB.lab - Trust relationship external,
2-way, Domain Wide Authentication
Side Filtering disabled on both domain and I can also see the SID History
attribute which is correct
Problem:
Users in domainA cant can't access SOME shares on domainB computers. The
SIDHistory attribute in DomainB matches the SID of the group in DomainA, but
still no luck.
Any suggestions.

The user were assigned access to the shares via Security Groups. In this
case the user profile has him as a member of DomainA\Group1 while he is also
a member of DomainB\Group1. The difference is on the share, the security
permission is set for DomainB\Group1. Since SID history is in place
shouldn't the user be able to access the share even though he logins in as
DomainA\user?


"Santhosh Sivarajan" <> wrote in
message news:#$...
> Did you manually assign share permission in Domain B for Domain A users? ?
>
> How did you assign Domain A users to access the shares? Is it through a
> security group or using Domain a user accounts?
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> Morning Guys,
>> We're migrating from one Windows 2003 domain to another (acquisition).
>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>> Migration from DomainA.lab to DomainB.lab - Trust relationship external,
>> 2-way, Domain Wide Authentication
>> Side Filtering disabled on both domain and I can also see the SID History
>> attribute which is correct
>> Problem:
>> Users in domainA cant can't access SOME shares on domainB computers. The
>> SIDHistory attribute in DomainB matches the SID of the group in DomainA,
>> but still no luck.
>> Any suggestions.
>

Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
Yep SID History is in place and if I check DomainB\Group1 I can see the new
SID and the SIDHistory. The DomainB\Group1 SIDHistory matches the Group1 SID
in DomainA\Group1
Which account should I used DomainA\User1 or DomainB\User1. At present
DomainB\User1 have no problem accessing the share. However when
DomainA\user1 logs in there is where the problem comes. So If I were to
change the permission that means I would have to assign DomainA\user1 access
to the share.



"Santhosh Sivarajan" <> wrote in
message news:...
> Did you migrate Group1 from DomainA to DomainB? Do you have a SID history
> in place for Group1? Since you are assigning permission through Group1,
> SID history must present in the group level. Try to assign share
> permission to one of these problem users using their user account not
> through groups.
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> The user were assigned access to the shares via Security Groups. In this
>> case the user profile has him as a member of DomainA\Group1 while he is
>> also a member of DomainB\Group1. The difference is on the share, the
>> security permission is set for DomainB\Group1. Since SID history is in
>> place shouldn't the user be able to access the share even though he
>> logins in as DomainA\user?
>>
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:#$...
>>> Did you manually assign share permission in Domain B for Domain A users?
>>> ?
>>>
>>> How did you assign Domain A users to access the shares? Is it through a
>>> security group or using Domain a user accounts?
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> Morning Guys,
>>>> We're migrating from one Windows 2003 domain to another (acquisition).
>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>> Migration from DomainA.lab to DomainB.lab - Trust relationship
>>>> external, 2-way, Domain Wide Authentication
>>>> Side Filtering disabled on both domain and I can also see the SID
>>>> History attribute which is correct
>>>> Problem:
>>>> Users in domainA cant can't access SOME shares on domainB computers.
>>>> The SIDHistory attribute in DomainB matches the SID of the group in
>>>> DomainA, but still no luck.
>>>> Any suggestions.
>>>

Nope the migration is not finished and some users need to be back and forth.
So is it that I have to explicitly place the permission for the
DomainA\user1 before it works? If so did I miss the class on understanding
SID history.




"Santhosh Sivarajan" <> wrote in
message news:#...
> Did you finish the migration? If so, why do you need to use DomainA\user
> credentials? You should be using only DomainB credentials..
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
>> Yep SID History is in place and if I check DomainB\Group1 I can see the
>> new SID and the SIDHistory. The DomainB\Group1 SIDHistory matches the
>> Group1 SID in DomainA\Group1
>> Which account should I used DomainA\User1 or DomainB\User1. At present
>> DomainB\User1 have no problem accessing the share. However when
>> DomainA\user1 logs in there is where the problem comes. So If I were to
>> change the permission that means I would have to assign DomainA\user1
>> access to the share.
>>
>>
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:...
>>> Did you migrate Group1 from DomainA to DomainB? Do you have a SID
>>> history in place for Group1? Since you are assigning permission through
>>> Group1, SID history must present in the group level. Try to assign
>>> share permission to one of these problem users using their user account
>>> not through groups.
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> The user were assigned access to the shares via Security Groups. In
>>>> this case the user profile has him as a member of DomainA\Group1 while
>>>> he is also a member of DomainB\Group1. The difference is on the share,
>>>> the security permission is set for DomainB\Group1. Since SID history is
>>>> in place shouldn't the user be able to access the share even though he
>>>> logins in as DomainA\user?
>>>>
>>>>
>>>> "Santhosh Sivarajan" <> wrote in
>>>> message news:#$...
>>>>> Did you manually assign share permission in Domain B for Domain A
>>>>> users? ?
>>>>>
>>>>> How did you assign Domain A users to access the shares? Is it through
>>>>> a security group or using Domain a user accounts?
>>>>>
>>>>> --
>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>> CCNA
>>>>> Houston, TX
>>>>> http://blogs.sivarajan.com/
>>>>> http://publications.sivarajan.com/
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "Nik" <test> wrote in message
>>>>> news:...
>>>>>> Morning Guys,
>>>>>> We're migrating from one Windows 2003 domain to another
>>>>>> (acquisition).
>>>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>>>> Migration from DomainA.lab to DomainB.lab - Trust relationship
>>>>>> external, 2-way, Domain Wide Authentication
>>>>>> Side Filtering disabled on both domain and I can also see the SID
>>>>>> History attribute which is correct
>>>>>> Problem:
>>>>>> Users in domainA cant can't access SOME shares on domainB computers.
>>>>>> The SIDHistory attribute in DomainB matches the SID of the group in
>>>>>> DomainA, but still no luck.
>>>>>> Any suggestions.
>>>>>

The Share permission has "Everyone" full "Domain User" Full.
NTFS has "Creator Owner" "System"
Group1 (DomainB\Group1) - Full
Administrators (hostname\administrators)
I rechecked the groups and verify that in DomainaA Group1 has a SID of abc
with no SID History, while in DomainB Group1 has a Sid of def with
SidHistory of abc.
Upon checking the DomainA\user1 account I see it has a SID of 123 and (in
this case) a SIDHistory of lmn
Now checking DomainB\User1 account has a Sid of 456 with Sid History of 123
and lmn. Could this extra SID History be the cause of the problem.
Thanks for all the help so far.



"Santhosh Sivarajan" <> wrote in
message news:...
> If you have SID history in-place for Group1 & User1, and User1 is a member
> of Group1, you should be able access the share without any issues.
>
> Did you check the Share and NTFS permissions on the folder?
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> Nope the migration is not finished and some users need to be back and
>> forth. So is it that I have to explicitly place the permission for the
>> DomainA\user1 before it works? If so did I miss the class on
>> understanding SID history.
>>
>>
>>
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:#...
>>> Did you finish the migration? If so, why do you need to use
>>> DomainA\user credentials? You should be using only DomainB
>>> credentials..
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
>>>> Yep SID History is in place and if I check DomainB\Group1 I can see the
>>>> new SID and the SIDHistory. The DomainB\Group1 SIDHistory matches the
>>>> Group1 SID in DomainA\Group1
>>>> Which account should I used DomainA\User1 or DomainB\User1. At present
>>>> DomainB\User1 have no problem accessing the share. However when
>>>> DomainA\user1 logs in there is where the problem comes. So If I were to
>>>> change the permission that means I would have to assign DomainA\user1
>>>> access to the share.
>>>>
>>>>
>>>>
>>>> "Santhosh Sivarajan" <> wrote in
>>>> message news:...
>>>>> Did you migrate Group1 from DomainA to DomainB? Do you have a SID
>>>>> history in place for Group1? Since you are assigning permission
>>>>> through Group1, SID history must present in the group level. Try to
>>>>> assign share permission to one of these problem users using their user
>>>>> account not through groups.
>>>>>
>>>>> --
>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>> CCNA
>>>>> Houston, TX
>>>>> http://blogs.sivarajan.com/
>>>>> http://publications.sivarajan.com/
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "Nik" <test> wrote in message
>>>>> news:...
>>>>>> The user were assigned access to the shares via Security Groups. In
>>>>>> this case the user profile has him as a member of DomainA\Group1
>>>>>> while he is also a member of DomainB\Group1. The difference is on the
>>>>>> share, the security permission is set for DomainB\Group1. Since SID
>>>>>> history is in place shouldn't the user be able to access the share
>>>>>> even though he logins in as DomainA\user?
>>>>>>
>>>>>>
>>>>>> "Santhosh Sivarajan" <> wrote in
>>>>>> message news:#$...
>>>>>>> Did you manually assign share permission in Domain B for Domain A
>>>>>>> users? ?
>>>>>>>
>>>>>>> How did you assign Domain A users to access the shares? Is it
>>>>>>> through a security group or using Domain a user accounts?
>>>>>>>
>>>>>>> --
>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>>>> CCNA
>>>>>>> Houston, TX
>>>>>>> http://blogs.sivarajan.com/
>>>>>>> http://publications.sivarajan.com/
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> "Nik" <test> wrote in message
>>>>>>> news:...
>>>>>>>> Morning Guys,
>>>>>>>> We're migrating from one Windows 2003 domain to another
>>>>>>>> (acquisition).
>>>>>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>>>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>>>>>> Migration from DomainA.lab to DomainB.lab - Trust relationship
>>>>>>>> external, 2-way, Domain Wide Authentication
>>>>>>>> Side Filtering disabled on both domain and I can also see the SID
>>>>>>>> History attribute which is correct
>>>>>>>> Problem:
>>>>>>>> Users in domainA cant can't access SOME shares on domainB
>>>>>>>> computers. The SIDHistory attribute in DomainB matches the SID of
>>>>>>>> the group in DomainA, but still no luck.
>>>>>>>> Any suggestions.
>>>>>>>

Hey Santhsoh,
I don't think it's a SID problem, I did that test and had no problems. The
migration was done with ADMT. I will investigate it further.
Thanks

"Santhosh Sivarajan" <> wrote in
message news:65714CA0-E38D-4FC9-ADF6-...
> I don't think it is the issue with additional SID.
>
> Here is a test. Create a new Group and User in DomainA. Add new user to
> that group. Migrate this Group and User. Create a share in DomainB &
> assign permission. Check the permission using your source account.
>
> How did you migrate the user and Group? ADMT? did you modify the group
> membership after the migration? Assuming you migrated the user object
> with group membership option.
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> The Share permission has "Everyone" full "Domain User" Full.
>> NTFS has "Creator Owner" "System"
>> Group1 (DomainB\Group1) - Full
>> Administrators (hostname\administrators)
>> I rechecked the groups and verify that in DomainaA Group1 has a SID of
>> abc with no SID History, while in DomainB Group1 has a Sid of def with
>> SidHistory of abc.
>> Upon checking the DomainA\user1 account I see it has a SID of 123 and (in
>> this case) a SIDHistory of lmn
>> Now checking DomainB\User1 account has a Sid of 456 with Sid History of
>> 123 and lmn. Could this extra SID History be the cause of the problem.
>> Thanks for all the help so far.
>>
>>
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:...
>>> If you have SID history in-place for Group1 & User1, and User1 is a
>>> member of Group1, you should be able access the share without any
>>> issues.
>>>
>>> Did you check the Share and NTFS permissions on the folder?
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> Nope the migration is not finished and some users need to be back and
>>>> forth. So is it that I have to explicitly place the permission for the
>>>> DomainA\user1 before it works? If so did I miss the class on
>>>> understanding SID history.
>>>>
>>>>
>>>>
>>>>
>>>> "Santhosh Sivarajan" <> wrote in
>>>> message news:#...
>>>>> Did you finish the migration? If so, why do you need to use
>>>>> DomainA\user credentials? You should be using only DomainB
>>>>> credentials..
>>>>>
>>>>> --
>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>> CCNA
>>>>> Houston, TX
>>>>> http://blogs.sivarajan.com/
>>>>> http://publications.sivarajan.com/
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "Nik" <test> wrote in message
>>>>> news:...
>>>>>> Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
>>>>>> Yep SID History is in place and if I check DomainB\Group1 I can see
>>>>>> the new SID and the SIDHistory. The DomainB\Group1 SIDHistory matches
>>>>>> the Group1 SID in DomainA\Group1
>>>>>> Which account should I used DomainA\User1 or DomainB\User1. At
>>>>>> present DomainB\User1 have no problem accessing the share. However
>>>>>> when DomainA\user1 logs in there is where the problem comes. So If I
>>>>>> were to change the permission that means I would have to assign
>>>>>> DomainA\user1 access to the share.
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Santhosh Sivarajan" <> wrote in
>>>>>> message news:...
>>>>>>> Did you migrate Group1 from DomainA to DomainB? Do you have a SID
>>>>>>> history in place for Group1? Since you are assigning permission
>>>>>>> through Group1, SID history must present in the group level. Try to
>>>>>>> assign share permission to one of these problem users using their
>>>>>>> user account not through groups.
>>>>>>>
>>>>>>> --
>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>>>> CCNA
>>>>>>> Houston, TX
>>>>>>> http://blogs.sivarajan.com/
>>>>>>> http://publications.sivarajan.com/
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> "Nik" <test> wrote in message
>>>>>>> news:...
>>>>>>>> The user were assigned access to the shares via Security Groups. In
>>>>>>>> this case the user profile has him as a member of DomainA\Group1
>>>>>>>> while he is also a member of DomainB\Group1. The difference is on
>>>>>>>> the share, the security permission is set for DomainB\Group1. Since
>>>>>>>> SID history is in place shouldn't the user be able to access the
>>>>>>>> share even though he logins in as DomainA\user?
>>>>>>>>
>>>>>>>>
>>>>>>>> "Santhosh Sivarajan" <> wrote
>>>>>>>> in message news:#$...
>>>>>>>>> Did you manually assign share permission in Domain B for Domain A
>>>>>>>>> users? ?
>>>>>>>>>
>>>>>>>>> How did you assign Domain A users to access the shares? Is it
>>>>>>>>> through a security group or using Domain a user accounts?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>> Houston, TX
>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>
>>>>>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>>>>>> no rights.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>> news:...
>>>>>>>>>> Morning Guys,
>>>>>>>>>> We're migrating from one Windows 2003 domain to another
>>>>>>>>>> (acquisition).
>>>>>>>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>>>>>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>>>>>>>> Migration from DomainA.lab to DomainB.lab - Trust relationship
>>>>>>>>>> external, 2-way, Domain Wide Authentication
>>>>>>>>>> Side Filtering disabled on both domain and I can also see the SID
>>>>>>>>>> History attribute which is correct
>>>>>>>>>> Problem:
>>>>>>>>>> Users in domainA cant can't access SOME shares on domainB
>>>>>>>>>> computers. The SIDHistory attribute in DomainB matches the SID of
>>>>>>>>>> the group in DomainA, but still no luck.
>>>>>>>>>> Any suggestions.
>>>>>>>>>

The whole problem here is that I'm trying to clean up someone else mess. I
mentioned it is a permission issue and since he seems adamant that it is not
I decided to just get other opinions. But I did that test yesterday and
noticed your message this morning. The test works fine and I'm still saying
its a permission issue to him. Hopefully the test makes him rethink and
review his steps. Thanks for all the help

"Santhosh Sivarajan" <> wrote in
message news:#...
> It is not the SID issue. You might have modified the group membership.
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> Hey Santhsoh,
>> I don't think it's a SID problem, I did that test and had no problems.
>> The migration was done with ADMT. I will investigate it further.
>> Thanks
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:65714CA0-E38D-4FC9-ADF6-...
>>> I don't think it is the issue with additional SID.
>>>
>>> Here is a test. Create a new Group and User in DomainA. Add new user
>>> to that group. Migrate this Group and User. Create a share in DomainB
>>> & assign permission. Check the permission using your source account.
>>>
>>> How did you migrate the user and Group? ADMT? did you modify the group
>>> membership after the migration? Assuming you migrated the user object
>>> with group membership option.
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> The Share permission has "Everyone" full "Domain User" Full.
>>>> NTFS has "Creator Owner" "System"
>>>> Group1 (DomainB\Group1) - Full
>>>> Administrators (hostname\administrators)
>>>> I rechecked the groups and verify that in DomainaA Group1 has a SID of
>>>> abc with no SID History, while in DomainB Group1 has a Sid of def with
>>>> SidHistory of abc.
>>>> Upon checking the DomainA\user1 account I see it has a SID of 123 and
>>>> (in this case) a SIDHistory of lmn
>>>> Now checking DomainB\User1 account has a Sid of 456 with Sid History of
>>>> 123 and lmn. Could this extra SID History be the cause of the problem.
>>>> Thanks for all the help so far.
>>>>
>>>>
>>>>
>>>> "Santhosh Sivarajan" <> wrote in
>>>> message news:...
>>>>> If you have SID history in-place for Group1 & User1, and User1 is a
>>>>> member of Group1, you should be able access the share without any
>>>>> issues.
>>>>>
>>>>> Did you check the Share and NTFS permissions on the folder?
>>>>>
>>>>> --
>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>> CCNA
>>>>> Houston, TX
>>>>> http://blogs.sivarajan.com/
>>>>> http://publications.sivarajan.com/
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "Nik" <test> wrote in message
>>>>> news:...
>>>>>> Nope the migration is not finished and some users need to be back and
>>>>>> forth. So is it that I have to explicitly place the permission for
>>>>>> the DomainA\user1 before it works? If so did I miss the class on
>>>>>> understanding SID history.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Santhosh Sivarajan" <> wrote in
>>>>>> message news:#...
>>>>>>> Did you finish the migration? If so, why do you need to use
>>>>>>> DomainA\user credentials? You should be using only DomainB
>>>>>>> credentials..
>>>>>>>
>>>>>>> --
>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>>>> CCNA
>>>>>>> Houston, TX
>>>>>>> http://blogs.sivarajan.com/
>>>>>>> http://publications.sivarajan.com/
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> "Nik" <test> wrote in message
>>>>>>> news:...
>>>>>>>> Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
>>>>>>>> Yep SID History is in place and if I check DomainB\Group1 I can see
>>>>>>>> the new SID and the SIDHistory. The DomainB\Group1 SIDHistory
>>>>>>>> matches the Group1 SID in DomainA\Group1
>>>>>>>> Which account should I used DomainA\User1 or DomainB\User1. At
>>>>>>>> present DomainB\User1 have no problem accessing the share. However
>>>>>>>> when DomainA\user1 logs in there is where the problem comes. So If
>>>>>>>> I were to change the permission that means I would have to assign
>>>>>>>> DomainA\user1 access to the share.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "Santhosh Sivarajan" <> wrote
>>>>>>>> in message news:...
>>>>>>>>> Did you migrate Group1 from DomainA to DomainB? Do you have a SID
>>>>>>>>> history in place for Group1? Since you are assigning permission
>>>>>>>>> through Group1, SID history must present in the group level. Try
>>>>>>>>> to assign share permission to one of these problem users using
>>>>>>>>> their user account not through groups.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>> Houston, TX
>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>
>>>>>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>>>>>> no rights.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>> news:...
>>>>>>>>>> The user were assigned access to the shares via Security Groups.
>>>>>>>>>> In this case the user profile has him as a member of
>>>>>>>>>> DomainA\Group1 while he is also a member of DomainB\Group1. The
>>>>>>>>>> difference is on the share, the security permission is set for
>>>>>>>>>> DomainB\Group1. Since SID history is in place shouldn't the user
>>>>>>>>>> be able to access the share even though he logins in as
>>>>>>>>>> DomainA\user?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Santhosh Sivarajan" <>
>>>>>>>>>> wrote in message news:#$...
>>>>>>>>>>> Did you manually assign share permission in Domain B for Domain
>>>>>>>>>>> A users? ?
>>>>>>>>>>>
>>>>>>>>>>> How did you assign Domain A users to access the shares? Is it
>>>>>>>>>>> through a security group or using Domain a user accounts?
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>>>> Houston, TX
>>>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>>>
>>>>>>>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>>>>>>>> no rights.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>>>> news:...
>>>>>>>>>>>> Morning Guys,
>>>>>>>>>>>> We're migrating from one Windows 2003 domain to another
>>>>>>>>>>>> (acquisition).
>>>>>>>>>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>>>>>>>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>>>>>>>>>> Migration from DomainA.lab to DomainB.lab - Trust relationship
>>>>>>>>>>>> external, 2-way, Domain Wide Authentication
>>>>>>>>>>>> Side Filtering disabled on both domain and I can also see the
>>>>>>>>>>>> SID History attribute which is correct
>>>>>>>>>>>> Problem:
>>>>>>>>>>>> Users in domainA cant can't access SOME shares on domainB
>>>>>>>>>>>> computers. The SIDHistory attribute in DomainB matches the SID
>>>>>>>>>>>> of the group in DomainA, but still no luck.
>>>>>>>>>>>> Any suggestions.
>>>>>>>>>>>

Thanks

"Santhosh Sivarajan" <> wrote in
message news:#...
> Yep..seems like a permission issue...good luck..
>
> --
> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
> Houston, TX
> http://blogs.sivarajan.com/
> http://publications.sivarajan.com/
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nik" <test> wrote in message
> news:...
>> The whole problem here is that I'm trying to clean up someone else mess.
>> I mentioned it is a permission issue and since he seems adamant that it
>> is not I decided to just get other opinions. But I did that test
>> yesterday and noticed your message this morning. The test works fine and
>> I'm still saying its a permission issue to him. Hopefully the test makes
>> him rethink and review his steps. Thanks for all the help
>>
>> "Santhosh Sivarajan" <> wrote in
>> message news:#...
>>> It is not the SID issue. You might have modified the group membership.
>>>
>>> --
>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>> CCNA
>>> Houston, TX
>>> http://blogs.sivarajan.com/
>>> http://publications.sivarajan.com/
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Nik" <test> wrote in message
>>> news:...
>>>> Hey Santhsoh,
>>>> I don't think it's a SID problem, I did that test and had no problems.
>>>> The migration was done with ADMT. I will investigate it further.
>>>> Thanks
>>>>
>>>> "Santhosh Sivarajan" <> wrote in
>>>> message news:65714CA0-E38D-4FC9-ADF6-...
>>>>> I don't think it is the issue with additional SID.
>>>>>
>>>>> Here is a test. Create a new Group and User in DomainA. Add new user
>>>>> to that group. Migrate this Group and User. Create a share in
>>>>> DomainB & assign permission. Check the permission using your source
>>>>> account.
>>>>>
>>>>> How did you migrate the user and Group? ADMT? did you modify the
>>>>> group membership after the migration? Assuming you migrated the user
>>>>> object with group membership option.
>>>>>
>>>>> --
>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>> CCNA
>>>>> Houston, TX
>>>>> http://blogs.sivarajan.com/
>>>>> http://publications.sivarajan.com/
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "Nik" <test> wrote in message
>>>>> news:...
>>>>>> The Share permission has "Everyone" full "Domain User" Full.
>>>>>> NTFS has "Creator Owner" "System"
>>>>>> Group1 (DomainB\Group1) - Full
>>>>>> Administrators (hostname\administrators)
>>>>>> I rechecked the groups and verify that in DomainaA Group1 has a SID
>>>>>> of abc with no SID History, while in DomainB Group1 has a Sid of def
>>>>>> with SidHistory of abc.
>>>>>> Upon checking the DomainA\user1 account I see it has a SID of 123 and
>>>>>> (in this case) a SIDHistory of lmn
>>>>>> Now checking DomainB\User1 account has a Sid of 456 with Sid History
>>>>>> of 123 and lmn. Could this extra SID History be the cause of the
>>>>>> problem.
>>>>>> Thanks for all the help so far.
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Santhosh Sivarajan" <> wrote in
>>>>>> message news:...
>>>>>>> If you have SID history in-place for Group1 & User1, and User1 is a
>>>>>>> member of Group1, you should be able access the share without any
>>>>>>> issues.
>>>>>>>
>>>>>>> Did you check the Share and NTFS permissions on the folder?
>>>>>>>
>>>>>>> --
>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG),
>>>>>>> CCNA
>>>>>>> Houston, TX
>>>>>>> http://blogs.sivarajan.com/
>>>>>>> http://publications.sivarajan.com/
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> "Nik" <test> wrote in message
>>>>>>> news:...
>>>>>>>> Nope the migration is not finished and some users need to be back
>>>>>>>> and forth. So is it that I have to explicitly place the permission
>>>>>>>> for the DomainA\user1 before it works? If so did I miss the class
>>>>>>>> on understanding SID history.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> "Santhosh Sivarajan" <> wrote
>>>>>>>> in message news:#...
>>>>>>>>> Did you finish the migration? If so, why do you need to use
>>>>>>>>> DomainA\user credentials? You should be using only DomainB
>>>>>>>>> credentials..
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>> Houston, TX
>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>
>>>>>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>>>>>> no rights.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>> news:...
>>>>>>>>>> Yep Group1 was migrated from DomainA\Group1 to DomainB\Group1
>>>>>>>>>> Yep SID History is in place and if I check DomainB\Group1 I can
>>>>>>>>>> see the new SID and the SIDHistory. The DomainB\Group1 SIDHistory
>>>>>>>>>> matches the Group1 SID in DomainA\Group1
>>>>>>>>>> Which account should I used DomainA\User1 or DomainB\User1. At
>>>>>>>>>> present DomainB\User1 have no problem accessing the share.
>>>>>>>>>> However when DomainA\user1 logs in there is where the problem
>>>>>>>>>> comes. So If I were to change the permission that means I would
>>>>>>>>>> have to assign DomainA\user1 access to the share.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Santhosh Sivarajan" <>
>>>>>>>>>> wrote in message news:...
>>>>>>>>>>> Did you migrate Group1 from DomainA to DomainB? Do you have a
>>>>>>>>>>> SID history in place for Group1? Since you are assigning
>>>>>>>>>>> permission through Group1, SID history must present in the group
>>>>>>>>>>> level. Try to assign share permission to one of these problem
>>>>>>>>>>> users using their user account not through groups.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>>>> Houston, TX
>>>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>>>
>>>>>>>>>>> This posting is provided "AS IS" with no warranties, and confers
>>>>>>>>>>> no rights.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>>>> news:...
>>>>>>>>>>>> The user were assigned access to the shares via Security
>>>>>>>>>>>> Groups. In this case the user profile has him as a member of
>>>>>>>>>>>> DomainA\Group1 while he is also a member of DomainB\Group1. The
>>>>>>>>>>>> difference is on the share, the security permission is set for
>>>>>>>>>>>> DomainB\Group1. Since SID history is in place shouldn't the
>>>>>>>>>>>> user be able to access the share even though he logins in as
>>>>>>>>>>>> DomainA\user?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Santhosh Sivarajan" <>
>>>>>>>>>>>> wrote in message news:#$...
>>>>>>>>>>>>> Did you manually assign share permission in Domain B for
>>>>>>>>>>>>> Domain A users? ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> How did you assign Domain A users to access the shares? Is it
>>>>>>>>>>>>> through a security group or using Domain a user accounts?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA
>>>>>>>>>>>>> (W2K3/W2K/MSG), CCNA
>>>>>>>>>>>>> Houston, TX
>>>>>>>>>>>>> http://blogs.sivarajan.com/
>>>>>>>>>>>>> http://publications.sivarajan.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> This posting is provided "AS IS" with no warranties, and
>>>>>>>>>>>>> confers no rights.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Nik" <test> wrote in message
>>>>>>>>>>>>> news:...
>>>>>>>>>>>>>> Morning Guys,
>>>>>>>>>>>>>> We're migrating from one Windows 2003 domain to another
>>>>>>>>>>>>>> (acquisition).
>>>>>>>>>>>>>> DomainA.lab - Forest Trust 2000, Domain Trust 2003
>>>>>>>>>>>>>> DomainB.lab - Forest Trust 2003, Domain Trust 2003
>>>>>>>>>>>>>> Migration from DomainA.lab to DomainB.lab - Trust
>>>>>>>>>>>>>> relationship external, 2-way, Domain Wide Authentication
>>>>>>>>>>>>>> Side Filtering disabled on both domain and I can also see the
>>>>>>>>>>>>>> SID History attribute which is correct
>>>>>>>>>>>>>> Problem:
>>>>>>>>>>>>>> Users in domainA cant can't access SOME shares on domainB
>>>>>>>>>>>>>> computers. The SIDHistory attribute in DomainB matches the
>>>>>>>>>>>>>> SID of the group in DomainA, but still no luck.
>>>>>>>>>>>>>> Any suggestions.
>>>>>>>>>>>>>