Access Token related query

G-ONE 166 Reputation points
2021-01-07T03:05:22.783+00:00

@Fan Fan

I have a general query regarding Access Tokens. I hope you guys will answer and explain it.

So during an Active Directory migration, servers (containing resources) have been migrated from the source domain to the target domain. Source domain local groups are applied in the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope has been changed to "Global". These migrated global groups are nested inside the source domain local groups.

If target domain users are members of the migrated global group and the target users log in to a target-domain-joined workstation, then what SIDs will be included in the access token? Will the target user's access token include both the SID of the migrated target group and the SIDs of the source domain local groups? Will the target user be able to access the resource?

Another scenario: this time the servers (containing resources) are in the source domain only. Source domain local groups are applied in the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope has been changed to "Global". These migrated global groups are nested inside the source domain local groups.

If target domain users are members of the migrated global group and the target users log in to a target-domain-joined workstation, then what SIDs will be included in the access token? Will the target user's access token include both the SID of the migrated target group and the SIDs of the source domain local groups? Will the target user be able to access the resource?

Please clarify: does a user's access token contain the SIDs of recursively nested domain local groups that reside in another domain?

In any of the above scenarios, if the target users are able to access the resource, then how? Because as per the article logging-on-user-account-fails:

It says that the only domain local security groups that will show up (in the user's token) are those groups that the user is a member of that also reside in the domain that contains the computer account that the user is logging on to.

So according to the above logic and the above scenarios, target users will never be able to access the resource, as the access token will not include the SID of the source domain local group.

But here is the confusing part: then why and how are trusted external users (from a trusted external domain) that are members of domain local security groups able to access a resource that belongs to neither the source domain nor the target domain, when they log in to an external-domain-joined workstation?

Kindly answer, explain and clarify the above scenarios.


1 answer

    Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-01-08T10:11:21.937+00:00

    Hello @G-ONE ,

    Thank you for posting here.

    Here are the answers for your reference.

    **Q1:** So during an Active Directory migration, servers (containing resources) have been migrated from the source domain to the target domain. Source domain local groups are applied in the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope has been changed to "Global". These migrated global groups are nested inside the source domain local groups.

    If target domain users are members of the migrated global group and the target users log in to a target-domain-joined workstation, then what SIDs will be included in the access token? Will the target user's access token include both the SID of the migrated target group and the SIDs of the source domain local groups? Will the target user be able to access the resource?

    **A1:** If you also perform Security Translation for this server and select the "replace" security translation option:
    The access token will include the target user SID and the migrated group SID. The target user will be able to access the resource.

    If you also perform Security Translation for this server and select the "add" security translation option:
    The access token will include the target user SID and the migrated group SID. The target user will be able to access the resource.

    If you also perform Security Translation for this server and select the "remove" security translation option:
    The access token will include the target user SID and the migrated group SID. The target user will not be able to access the resource.


    Translating Security on Your Member Servers
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974389(v=ws.10)?redirectedfrom=MSDN

    ADMT Series – 10. Security Translation Wizard – Local Profiles
    https://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

    **Q2:** Another scenario: this time the servers (containing resources) are in the source domain only. Source domain local groups are applied in the resource DACL. These source domain local groups have been migrated to the target domain without SIDHistory, and during migration the group scope has been changed to "Global". These migrated global groups are nested inside the source domain local groups.

    If target domain users are members of the migrated global group and the target users log in to a target-domain-joined workstation, then what SIDs will be included in the access token? Will the target user's access token include both the SID of the migrated target group and the SIDs of the source domain local groups? Will the target user be able to access the resource?

    **A2:** The access token will include the target user SID and the migrated group SID. The target user will not be able to access the resource.

    **Q3:** In any of the above scenarios, if the target users are able to access the resource, then how?

    **A3:** See A1 and A2.

    **Q4:** But here is the confusing part: then why and how are trusted external users (from a trusted external domain) that are members of domain local security groups able to access a resource that belongs to neither the source domain nor the target domain, when they log in to an external-domain-joined workstation?

    **A4:** Because there is a trust, the users have the permissions to access the resource. It is related to cross-forest authentication; for more information about cross-forest authentication, we can refer to the part "Simple Cross-Realm Authentication and Examples" in the link below.

    How the Kerberos Version 5 Authentication Protocol Works
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)?redirectedfrom=MSDN

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

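The claim discussed in this thread (domain local groups appear in a token only when they live in the domain of the computer being logged on to) can be checked directly on a logged-on workstation. The following is an added example, not code from the question or the answer: it enumerates the group SIDs in the current user's access token, resolves each to a group and its scope, and then reports which domains the DomainLocal entries came from. It assumes the ActiveDirectory (RSAT) module is installed and the machine is domain-joined; `Get-ADGroup -Identity <sid>` and `-Server <domain>` are standard parameters of that module.

```powershell
# Added example: classify the group SIDs in the current access token by AD group scope and domain.
# Assumes the ActiveDirectory module (RSAT) is available and the computer is domain-joined.
Import-Module ActiveDirectory -ErrorAction Stop

$identity       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

Write-Host "Token for $($identity.Name) on a computer in domain $computerDomain"

$rows = foreach ($sid in $identity.Groups) {
    # Resolve the SID to DOMAIN\Name; well-known SIDs (Everyone, logon SIDs, ...) may not resolve.
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved>' }

    # Only S-1-5-21-* SIDs belong to a domain or to the local machine; the rest are well-known SIDs.
    $scope       = 'WellKnown'
    $groupDomain = ''
    if ($sid.Value -like 'S-1-5-21-*') {
        $groupDomain = ($account -split '\\')[0]
        try {
            # Query the group's own domain so groups from trusted domains resolve too.
            $g = Get-ADGroup -Identity $sid.Value -Server $groupDomain -Properties GroupScope -ErrorAction Stop
            $scope = [string]$g.GroupScope   # DomainLocal, Global or Universal
        } catch {
            $scope = 'NotInAD'               # e.g. a local machine group such as BUILTIN\Users
        }
    }

    [PSCustomObject]@{
        SID     = $sid.Value
        Account = $account
        Scope   = $scope
        Domain  = $groupDomain
    }
}

$rows | Sort-Object Scope, Account | Format-Table -AutoSize

# Per the article cited in the question, every DomainLocal row should come from $computerDomain.
# A DomainLocal group from a different (trusted) domain in this output would contradict that claim.
$rows | Where-Object { $_.Scope -eq 'DomainLocal' } |
    Group-Object Domain |
    ForEach-Object { Write-Host ("DomainLocal groups from {0}: {1}" -f $_.Name, $_.Count) }
```

Running this as a target domain user on a target-domain-joined workstation shows whether any SID of a source domain local group was actually placed in the token, which is the question both scenarios above turn on.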