How access is granted by domain local groups

G-ONE 166 Reputation points
2021-01-08T13:08:57.45+00:00

@Daisy Zhou

@Fan Fan

Let me put my question in simple words.

  1. During a normal migration, the source file system resource is secured by two Domain Local Groups, Source\Resource-Read (sid 1-1) and Source\Resource-Write (sid 1-2). Source\Resource-Read (sid 1-2) has members Source\Bob (sid 1-3) and Source\Carol (sid 1-4). Source\Resource-Write (sid 1-2) has two members, Source\Ted (sid 1-5) and Source\Alice (sid 1-6). Next you migrate these 6 source objects to the target, without SID history: Target\Resource-Read (sid 2-1) and Target\Resource-Write (sid 2-2). Target\Resource-Read (sid 2-1) has members Target\Bob (sid 2-3) and Target\Carol (sid 2-4). Target\Resource-Write (sid 2-2) has two members, Target\Ted (sid 2-5) and Target\Alice (sid 2-6).
    1. Since we did not migrate SID history, the target users and target groups (Domain Local) do not have access to the source file system resource. What change would we make to allow these target users to have access to the source file system resource? Answer: add Target\Bob (sid 2-3) and Target\Carol (sid 2-4) to Source\Resource-Read (sid 1-2), and add Target\Ted (sid 2-5) and Target\Alice (sid 2-6) to Target\Resource-Write (sid 2-2).

It means target users are now members of both migrated target domain local group and source domain local group.

So my question is: how is access granted by adding target users to source domain local groups in the above-mentioned scenario? According to Microsoft and Quest articles, if a target user logs on to a target-domain-joined workstation, then his access token will only include the target domain local group, not the source domain local group. Apart from that, the target domain local group SID will not cross the trust boundary when accessing a source domain resource. So how is access granted in the above-mentioned scenario?

logging-on-user-account-fails

considerations-when-migrating-local-groups-with-sid-history

Why is the workstation criterion for domain local groups not applied here, as per the above-mentioned support articles? Kindly answer specifically to the above query and provide an explanation.


1 answer

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-01-11T10:12:02.457+00:00

    Hello @G-ONE ,

    Thank you for posting here.

    So my question is: how is access granted by adding target users to source domain local groups in the above-mentioned scenario? According to Microsoft and Quest articles, if a target user logs on to a target-domain-joined workstation, then his access token will only include the target domain local group, not the source domain local group.

    Because the group containing the target user has permissions, when the target user accesses the file system resource, they create the session.

    For example:

    I have two trusts:
    a.local: user named u1 and group named g1 (domain local group), domain-joined PC1.
    b.local: user named u2 and group named g2 (domain local group), domain-joined PC2, shared folder on the DC in domain b.local.
    u1 is in g2 and u2 is in g1.

    g2 has permissions on the shared folder in domain b.local.

    When u1 logs on to PC1, u1 can access the shared folder.

    On the server with the shared folder, I can see the session.

    [screenshot: 55391-ker1.png]

    And the information below.

    [screenshot: 55401-ker2.png]

    Best Regards,
    Daisy Zhou

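The mechanism in the answer above (the resource domain adds its own domain local groups when the session is created, so a workstation logon token in the target domain never shows them), as an added illustration that is not code from the question or the answer. Names and SIDs follow the question's scenario; the model is an assumption that omits global and universal groups, which travel with the user from the account domain.

```python
# Added illustration (not code from the question or the answer): a model of
# how domain local groups reach a user's token. Names and SIDs follow the
# question; global/universal groups, which travel with the user, are omitted.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sid:
    domain: str  # "Source" or "Target"
    rid: str     # e.g. "1-1"


@dataclass
class Domain:
    name: str
    # Domain local groups: group SID -> member SIDs. Members may belong to a
    # trusted domain, which is what the migration step above relies on.
    domain_local: dict = field(default_factory=dict)

    def domain_local_groups_for(self, user: Sid) -> set:
        return {g for g, members in self.domain_local.items() if user in members}


def build_token(user: Sid, evaluating_domain: Domain) -> set:
    """Token as built by `evaluating_domain`. A domain local group is added only
    by the domain that owns it: the workstation's domain at logon, the resource
    domain when the resource server creates the session (via the PAC of the
    cross-domain service ticket). The other domain's local groups never appear,
    because their SIDs do not cross the trust."""
    return {user} | evaluating_domain.domain_local_groups_for(user)


def access_check(acl: set, token: set) -> bool:
    """Allow-only ACL: any ACE SID present in the token grants access."""
    return bool(acl & token)


# Constructed scenario from the question, after the migration step.
SRC_READ, SRC_WRITE = Sid("Source", "1-1"), Sid("Source", "1-2")
TGT_READ, TGT_BOB = Sid("Target", "2-1"), Sid("Target", "2-3")
SOURCE = Domain("Source", {SRC_READ: {Sid("Source", "1-3"), TGT_BOB}})
TARGET = Domain("Target", {TGT_READ: {TGT_BOB}})
FILE_SERVER_ACL = {SRC_READ, SRC_WRITE}  # the source file system resource

if __name__ == "__main__":
    logon = build_token(TGT_BOB, TARGET)    # token on the Target workstation
    session = build_token(TGT_BOB, SOURCE)  # token the Source server builds
    print("logon token grants access:", access_check(FILE_SERVER_ACL, logon))
    print("session token grants access:", access_check(FILE_SERVER_ACL, session))
```

The logon token on the target workstation contains only Target\Resource-Read and fails the check, while the token the source file server builds for the session contains Source\Resource-Read and passes, which is why the membership change works without SID history.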