Try this… After creating the new user in Accounting group in the Development Domain, re-migrate the group using ADMT.
HTH Santhosh Santhosh Sivarajan MCSE(W2K3/W2K/NT4), MCSA(W2K3/W2K/MSG), CCNA, Network+ Houston, TX On 7/12/05, Mark Parris <[EMAIL PROTECTED]> wrote: > Have your turned off SID filtering on the Trust? > > NETDOM trust DomainX /domain:DomainY /quarantine:No > /usero:DomainX\AdministratorX /passwordo:* > > The * will cause a prompt for the password. > > Mark > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: 12 July 2005 19:53 > To: activedir@mail.activedir.org > Subject: [ActiveDir] ADMT Group SID History > > > > > > All, > I've been following the Sybex book, Mastering Windows 2003, to test > an inter-forest migration from external.dev to development.dev using the > ADMT. I have not received any errors during the migration and everything > appears to be setup correctly, however, I do not think the SID History is > functioning properly. > > I have a 200 domain named External.dev and a 2003 domain named > development.dev. I have a group on External.dev called "Accounting" and a > member of that group named "Pete". I have a member server in external.dev, > N060MSADDEV4, with a share named "Accounting". The Everyone group has been > removed from the ACL and the External\Accounting group has been given full > control. > > I migrate Accounting from external.dev to development.dev with the > box checked to migrate SID histories and I receive no errors. The new > Accounting group in development.dev should have a SID matching the one on > the Accounting group in external.dev and since that group has access to > N060MSADDEV4\Accounting any new member of Develppment\Accounting should be > able to access N060MSADDEV4\Accounting. I create a user named "Tom" in > development.dev and place him in the new Accounting group and attempt to > connect to the share and access is denied. If I then migrate N060MSADDEV4 > to development.dev and Add the equivalent security references for the > target object and leave the source references in tact I can then access the > share with Tom, but according to the book I should not have to do that. Am > I not doing something correctly in this test? > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > -- Santhosh Sivarajan MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+ Houston, TX
