BACKGROUND:

• Users migrated to new domain with the SID value of their old domain user account added to the SID History property on their new domain user account
• Old domain still in use as file servers haven't migrated to new domain
• Old domain user accounts still exist to provision access to old domain file servers
• New domain and old domain user accounts are both enabled

GOAL:

Determine if disabling the old domain user accounts will cause the new domain accounts to be unable to access the old domain file servers.

THOUGHTS:

From TechNet article: "When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user  the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client and are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, can allow or deny the user access."

QUESTION:

If the old domain user account is disabled, will this disallow access to the group memberships of the disabled old domain user account and thereby make it so the new domain user account can't access resources on the old domain file servers?

Hi ChrisAN82,

Thanks for your post.

As far as I know, even you have enabled SID History, for access to target domain file from source domain. You still need the related permission.

And as long as the user that you would like him/her to have access to your resources has an SID that is granted access to your resources or belongs to a group that has an SID that is granted access to your resources then the user would be able to access.

You could also refer to the article.

ADMT Series 3. SID History

https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

Best Regards,

Mary Dong