Although SUBINACL does have the ability to do what I mentioned, ADMTv3 is a better option... My apologies for the "quick" information, let's try this again ;-)

File based data ACLs -> ADMTv3
Print services ACLs -> ADMTv3
Services ACLs -> SUBINACL (only needed when ACEs are set manually or through a GPO)
Service accounts -> ADMTv3 (make sure you identify the custom service accounts FIRST on each server to be migrated. This also prevents the option "change password at next logon" being set as the user account is migrated. All accounts NOT identified as service accounts will have the option set. If needed you can revert this afterwards with ADMOD/ADModify)
Shares ACLs -> ADMTv3
Registry ACLs -> ADMTv3
IIS -> third party
SQL -> third party
Citrix -> don't know

REMARK: if you have migrated users/groups WITH sIDHistory it may look like permissions have been translated. These are really translated when the actual translation task has been started/executed. When the translation task has not been executed (yet), you will see that permissions may show as <TARGET>\<SEC PRINC> instead of <SOURCE>\<SEC PRINC>. This is because of the use of sIDHistory within the target domain. The system translates this to the TARGET ACCOUNT NAME. In reality, when digging, you will still see the SID of the source sec. principals. Just something to be aware of.

This applies to everything that uses SIDs after migrating objects while data has not been translated yet. For example:

* looking at the ACL of the DNS service after the migration of the computer (which I changed prior to the migration of the computer account, using an account of the source domain)

subinacl /service \\w2k3r2srv\dns /display=dacl
/pace =ad\jorgegroup ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS
/pace =ad\jorgeuser ACCESS_ALLOWED_ACE_TYPE-0x0 SERVICE_ALL_ACCESS

subinacl /service \\w2k3r2srv\dns /display=sddl
+Service dns
/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

S-1-5-21-1153913138-43527854-1722840164-1019 = NT4\jorgegroup
S-1-5-21-1153913138-43527854-1722840164-1020 = NT4\jorgeuser

Looking with LDP into the objects:

>> Dn: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN
2> objectClass: top; group;
1> cn: JORGEGROUP;
1> distinguishedName: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN;
1> objectGUID: 7c333aeb-589d-4da2-ad97-13c3f10a4e50;
1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8997;
1> sAMAccountName: JORGEGROUP;
1> sAMAccountType: 268435456;
1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1019;   <<<<<<<+++++++++++++++++++++++++++ OLD SID
1> groupType: 0x80000002 = ( GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED );
1> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=LAN;

Dn: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN
4> objectClass: top; person; organizationalPerson; user;
1> cn: JORGEUSER;
1> distinguishedName: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN;
1> name: JORGEUSER;
1> objectGUID: d719eb60-369a-448e-9554-96af1fae20b9;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> objectSid: S-1-5-21-3495709831-2249124843-3216744473-8998;
1> sAMAccountName: JORGEUSER;
1> sAMAccountType: 805306368;
1> sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1020;   <<<<<<<+++++++++++++++++++++++++++ OLD SID
1> userPrincipalName: [EMAIL PROTECTED];
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=LAN;

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2006-11-07 19:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

ADMT3 can replace subinacl...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

If you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story.

File based data -> ADMT
Print services -> SUBINACL
Services -> SUBINACL
Shares -> SUBINACL
Registry -> SUBINACL
IIS -> third party
SQL -> third party
Citrix -> don't know

PS: SUBINACL is in the resource kit, but make sure to download the latest version.

Met vriendelijke groeten / Kind regards,
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration of users, computers, and mailboxes.

Next up: the servers, 12 of them. Two DCs, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks.

Would you recommend using ADMT for the servers as well? I know that the DCs and Exchange server will be done manually.

Thanks,
...D
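Jorge's remark at the top of this thread, that an ACE can display as TARGET\name while the ACE itself still holds the source SID, can be checked mechanically from the SDDL and LDP output he posted. The following Python is an added example, not code from the thread or from ADMT/SUBINACL; the lookup keys AD\JORGEGROUP and AD\JORGEUSER and all function names are assumptions.

```python
import re

# SDDL string constructed from the DNS service security descriptor posted in the thread
SDDL = ("O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Target-domain accounts from the LDP dump: name -> (objectSid, [sIDHistory values]).
# The AD\ prefix is assumed from the subinacl output (ad\jorgegroup, ad\jorgeuser).
TARGET_OBJECTS = {
    "AD\\JORGEGROUP": ("S-1-5-21-3495709831-2249124843-3216744473-8997",
                       ["S-1-5-21-1153913138-43527854-1722840164-1019"]),
    "AD\\JORGEUSER": ("S-1-5-21-3495709831-2249124843-3216744473-8998",
                      ["S-1-5-21-1153913138-43527854-1722840164-1020"]),
}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")   # DACL flags, then its run of ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")                  # one (type;flags;rights;;;trustee) group


def dacl_trustees(sddl):
    """Return the trustee (6th ;-separated field) of every ACE in the DACL, SACL excluded."""
    m = DACL_RE.search(sddl)
    return [ace.split(";")[5] for ace in ACE_RE.findall(m.group(1))] if m else []


def classify(trustee, objects):
    """Say whether an ACE trustee is the target objectSid, a sIDHistory SID, or neither."""
    for name, (object_sid, history) in objects.items():
        if trustee == object_sid:
            return name, "translated"
        if trustee in history:
            return name, "resolves via sIDHistory"   # shows as TARGET\name, ACE still holds source SID
    return trustee, "untouched"   # well-known alias (SY, BA, ...) or a SID not in our mapping


def untranslated_aces(sddl, objects):
    """(target name, source SID) for every DACL entry that still carries a source SID."""
    findings = []
    for trustee in dacl_trustees(sddl):
        name, verdict = classify(trustee, objects)
        if verdict == "resolves via sIDHistory":
            findings.append((name, trustee))
    return findings


if __name__ == "__main__":
    for name, sid in untranslated_aces(SDDL, TARGET_OBJECTS):
        print(f"{name} appears in the ACL, but the ACE holds source SID {sid}: translation still pending")
```

Run against real output, the same check distinguishes ACLs that ADMT's security translation has actually rewritten from ones that merely resolve through sIDHistory.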