In almost every Active Directory migration project the following question comes up at one point or another:
- Do the Domain Local Groups (DLG) have to be migrated or not?
In other words: is it necessary to migrate Domain Local Groups so that migrated users keep their access to resources that are still in the source environment?
Are Domain Local Groups transferred during an AD migration?
In standard permission administration it is usual to follow so-called group nesting (AGDLP): a user account is a member of a Global Group (GG), the GG is a member of a DLG, and the DLG is the entry in the ACL of the resource, e.g. the NTFS permissions on a file server.
During an Active Directory migration, groups and users are transferred into another domain, and the users in the target domain are expected to keep the same access permissions they had in the source domain.
The question is whether the DLG also has to be transferred into the target domain for the migrated users to keep access to the resources.
The basic rule is that domain local groups are evaluated by the domain that owns the resource. When a user accesses a server in another domain over a trust, the domain controller of the resource domain builds the token and adds its own DLGs based on the SIDs the user presents, including the SIDs in the SID history (SIDH) of the user and of the user's groups. DLG SIDs themselves are never carried across a trust. Thus the DLG should not be necessary for access as long as the resource stays in the source domain.
Because I could not find this documented anywhere, I reproduced the scenario in a test environment.
TestUser1 is a member of GG-TestGroup3, which is a member of DLG-TestGroup3.
A share "test-share-for-dlg-migration" on a server in the source domain.
DLG-TestGroup3 has Modify (NTFS) permissions:
Share permissions:
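The following PowerShell builds the test scenario described above in the source domain. It is an added example, not code from the original post: the domain name source.example, the share path and the share-level permission are assumptions (the post only shows the share permissions as a screenshot), and it expects the RSAT ActiveDirectory module and domain-admin rights on the source-domain file server.

```powershell
# Added example (not from the original post): builds the DLG test scenario in the SOURCE domain.
# Assumptions: RSAT ActiveDirectory module, run on the source-domain file server (share and
# NTFS ACL are created locally). 'source.example', the share path and the share-level
# permission are hypothetical.
Import-Module ActiveDirectory

$SourceDomain  = 'source.example'                              # hypothetical DNS name
$SourceNetBios = (Get-ADDomain -Server $SourceDomain).NetBIOSName
$ShareName     = 'test-share-for-dlg-migration'
$SharePath     = 'D:\Shares\test-share-for-dlg-migration'      # hypothetical path

# 1. AGDLP nesting: user -> Global Group -> Domain Local Group
New-ADUser -Name 'TestUser1' -SamAccountName 'TestUser1' -Server $SourceDomain -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Password for TestUser1')
New-ADGroup -Name 'GG-TestGroup3'  -GroupScope Global      -GroupCategory Security -Server $SourceDomain
New-ADGroup -Name 'DLG-TestGroup3' -GroupScope DomainLocal -GroupCategory Security -Server $SourceDomain
Add-ADGroupMember -Identity 'GG-TestGroup3'  -Members 'TestUser1'     -Server $SourceDomain
Add-ADGroupMember -Identity 'DLG-TestGroup3' -Members 'GG-TestGroup3' -Server $SourceDomain

# 2. Share. The share-level permission is kept wide (assumption) so that NTFS decides.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess 'Authenticated Users' | Out-Null

# 3. NTFS: only the DLG is on the ACL, with Modify. Neither the GG nor the user appears here,
#    so access after migration can only come from the DLG being added to the user's token.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$SourceNetBios\DLG-TestGroup3", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify the nesting chain and the ACL entry
Get-ADPrincipalGroupMembership -Identity 'TestUser1' -Server $SourceDomain | Select-Object Name, GroupScope
Get-ADGroupMember -Identity 'DLG-TestGroup3' -Server $SourceDomain | Select-Object Name, objectClass
(Get-Acl -Path $SharePath).Access | Where-Object IdentityReference -like '*DLG-TestGroup3'
```

The important property of this setup is that the ACL names only the domain local group; if the migrated user can open the share later, the DLG must have ended up in the token even though it was never migrated.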
TestUser1 has been migrated into the target domain and is a member of the migrated group Target domain\GG-TestGroup3.
Target domain\GG-TestGroup3 is not a member of any other group
(in particular, not of a migrated DLG):
Target domain\GG-TestGroup3 has been migrated with SIDH, i.e. its SID history contains the SID of Source domain\GG-TestGroup3:
Summary:
- Source domain\DLG-TestGroup3 has not been migrated
- Target domain\testuser1 does not have a SIDH
- Target domain\testuser1 is a member of Target domain\GG-TestGroup3
- Target domain\GG-TestGroup3 has a SIDH
Check access
Now it gets interesting: mapping a network drive to the share on the server in the source domain as the migrated user from the target domain...
Access is possible!
Cross-check: the SIDH is removed from Target domain\GG-TestGroup3 and the test is repeated:
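The check below is an added example, not code from the original post. It reproduces the post-migration summary from the directory, predicts which source-domain DLGs a source-domain DC will put into the migrated user's token by following the SID history back into the source domain, confirms that the trust does not quarantine SIDH, and finally maps the share as the migrated user. The names source.example, target.example and fs01.source.example are assumptions; it expects the RSAT ActiveDirectory module, a trust between the two domains and read access to both directories.

```powershell
# Added example (not from the original post): post-migration check for the DLG scenario.
# Assumptions (hypothetical names): 'source.example', 'target.example', file server
# 'fs01.source.example'; RSAT ActiveDirectory module; trust in place; read access to both domains.
Import-Module ActiveDirectory

$SourceDomain = 'source.example'
$TargetDomain = 'target.example'
$FileServer   = 'fs01.source.example'
$ShareName    = 'test-share-for-dlg-migration'
$User         = 'testuser1'
$InChain      = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: transitive membership

# 1. What the migrated user presents to a DC in the source domain: the user's own SID and SIDH,
#    plus SID and SIDH of every target-domain group the user is (transitively) a member of.
#    Target-domain DLGs are not part of this set; they never travel across a trust.
$u = Get-ADUser -Identity $User -Server $TargetDomain -Properties SIDHistory
$targetGroups = Get-ADGroup -LDAPFilter "(member:$InChain:=$($u.DistinguishedName))" `
                    -Server $TargetDomain -Properties SIDHistory

$presented = @($u.SID.Value) + @($u.SIDHistory | ForEach-Object { $_.Value })
foreach ($g in $targetGroups) {
    $presented += $g.SID.Value
    $presented += @($g.SIDHistory | ForEach-Object { $_.Value })
}

# The summary from the post, read from the directory (SIDH = number of SIDs in the SID history)
[pscustomobject]@{ Object = $u.SamAccountName; Scope = 'user'; SIDH = @($u.SIDHistory).Count }
$targetGroups | ForEach-Object {
    [pscustomobject]@{ Object = $_.Name; Scope = $_.GroupScope; SIDH = @($_.SIDHistory).Count } }

# 2. Only SIDs that belong to the source domain can be resolved there. For each one, find the
#    original object the SIDH points at (it must still exist) and the source DLGs that contain it.
$srcDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value
$sourceSids   = $presented | Where-Object { $_ -like "$srcDomainSid-*" } | Sort-Object -Unique

$expectedDlgs = foreach ($sid in $sourceSids) {
    $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Server $SourceDomain
    if (-not $obj) { Write-Warning "SIDH $sid no longer resolves in $SourceDomain"; continue }
    Get-ADGroup -LDAPFilter "(member:$InChain:=$($obj.DistinguishedName))" -Server $SourceDomain |
        Where-Object GroupScope -eq 'DomainLocal'
}
'Source-domain DLGs expected in the token:'
$expectedDlgs | Select-Object -Unique Name, SID

# 3. SIDH only helps if the trust does not quarantine it. Seen from the source domain the target
#    domain is the trusted side; SIDFilteringQuarantined = True would strip the SIDH from the token.
Get-ADTrust -Identity $TargetDomain -Server $SourceDomain -Properties SIDFilteringQuarantined |
    Select-Object Name, Direction, SIDFilteringQuarantined

# 4. The access test from the post: map the share as the migrated user.
$netbios = (Get-ADDomain -Server $TargetDomain).NetBIOSName
$cred = Get-Credential -UserName "$netbios\$User" -Message 'Password of the migrated user'
New-PSDrive -Name T -PSProvider FileSystem -Root "\\$FileServer\$ShareName" -Credential $cred | Out-Null
Test-Path 'T:\'
```

Run step 4 twice, once with the SIDH present and once after clearing it from Target domain\GG-TestGroup3, to reproduce the cross-check: step 2 then finds no source-domain SID to resolve, which is exactly why no source DLG can be added.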
Conclusion
As long as the resources remain in the source domain, the DLG does not have to be migrated: the source domain controller resolves the SIDH of the migrated global group to the original group, which is still nested in the source DLG, and so the DLG lands in the token. As soon as the resources are transferred into the target domain, the DLGs have to be migrated, because a domain local group can only be used by the domain it belongs to. Two conditions apply to the first case: the SIDH must actually reach the source domain controller, so SID filtering (quarantine) on the trust must not strip it, and the original source-domain group that the SIDH points to must still exist and still be a member of the DLG.