Understanding Security Issues

Each user account, group, and computer account is represented by a unique identifier, known as a Security Identifier (SID). The SID is independent of the user account, group, or computer account name. Windows NT and Windows 2000 use these SIDs to record access control information in the Security Descriptor for each resource, such as a file, share, or an Exchange mailbox. The Security Descriptor for a file records the owner, the system access control list (SACL), which holds the auditing settings, and the discretionary access control list (DACL), which grants or denies access, for that file. Each entry in these lists identifies its trustee by SID, not by account name.

When you copy a user account, group, or computer account from domain A to domain B, a new account is created in domain B. This new account has the same name as the original account in domain A, but it has a different SID. Because the existing Security Descriptors still reference the original SID, the new account does not have the same permissions as the original account.

The Active Directory Migration Tool allows you to change the Security Descriptors for files, directories, and shares to reflect the SID for the new account in domain B. It also allows you to change the Security Descriptors for Exchange mailboxes, distribution lists, custom recipients, organizations, sites, and containers, as well as the primary Windows NT or Windows 2000 account for each mailbox, to reflect the SID for the new account in domain B. This process ensures that the new account provides the same access to files, directories, shares, and Exchange components that the original account provided.
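To make the SID-versus-name point concrete, the following is an added Python example (not ADMT's or Microsoft's code) that models the file security translation described above on a security descriptor written in SDDL, the text form Windows uses for security descriptors. The domain SIDs, relative IDs and SID mapping are constructed for the illustration; the `replace` and `add` modes are this example's own way of showing the difference between rewriting the source-domain ACEs and keeping them beside the new ones.

```python
import re

# Constructed domain SIDs (not real domains): A is the source domain, B the target.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"
# Constructed SDDL for a file in domain A: owner and two ACEs name domain A SIDs; the
# first ACE names the well-known alias BA (BUILTIN\Administrators), which never changes.
SAMPLE_SDDL = (
    f"O:{DOMAIN_A}-1105G:{DOMAIN_A}-513"
    f"D:PAI(A;;FA;;;BA)(A;;FA;;;{DOMAIN_A}-1105)(A;;0x1200a9;;;{DOMAIN_A}-1120)"
)
# Constructed migration mapping: source SID -> SID of the new, same-named account in B.
SID_MAP = {f"{DOMAIN_A}-1105": f"{DOMAIN_B}-1105", f"{DOMAIN_A}-1120": f"{DOMAIN_B}-1301"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split an SDDL string into its O: (owner), G: (group), D: (DACL) and S: (SACL) parts."""
    parts = {}
    for chunk in re.split(r"(?=[OGDS]:)", sddl):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    return parts

def translate_ace(ace, sid_map, mode):
    """Return the ACE strings to emit for one ACE; the trustee SID is its last ';' field."""
    fields = ace.split(";")
    if fields[-1] not in sid_map:
        return [ace]
    translated = ";".join(fields[:-1] + [sid_map[fields[-1]]])
    # "replace" rewrites the ACE for the new SID; "add" keeps the source ACE and appends a copy.
    return [translated] if mode == "replace" else [ace, translated]

def translate_sddl(sddl, sid_map, mode="replace"):
    """Rewrite the owner, group and every DACL/SACL ACE according to sid_map."""
    parts = parse_sddl(sddl)
    out = [f"{k}:{sid_map.get(v, v)}" for k, v in parts.items() if k in "OG"]
    for key in ("D", "S"):
        if key in parts:
            body = parts[key]
            flags = body[:body.index("(")] if "(" in body else body
            aces = [a for m in ACE_RE.finditer(body) for a in translate_ace(m.group(1), sid_map, mode)]
            out.append(f"{key}:{flags}" + "".join(f"({a})" for a in aces))
    return "".join(out)

def allowed_trustees(sddl):
    """Trustees holding an access-allowed ACE in the DACL: access is keyed by SID, not by name."""
    dacl = parse_sddl(sddl).get("D", "")
    return {m.group(1).split(";")[-1] for m in ACE_RE.finditer(dacl) if m.group(1).startswith("A;")}
```

Running `allowed_trustees` on the untranslated descriptor shows only domain A SIDs, which is exactly why a freshly created account in domain B, despite its identical name, gets no access until the descriptor is translated.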

The Active Directory Migration Tool also copies local group memberships and user rights for migrated accounts. If you migrate a local group and its members to another domain, the Active Directory Migration Tool copies the local group and the member accounts to the target domain. The Active Directory Migration Tool also makes the new accounts members of the local group in the target domain.