Domain migration headaches

  • We are migrating users from DomainA to DomainB

    I have a lot of permissions that are based on Windows security groups.  For example, edit permissions on the Payroll database are granted to the DomainA\Payroll group.

    For a variety of reasons, the users are being migrated one at a time.  This means that some of the users will be in DomainA\Payroll and some in DomainB\Payroll.  But I can't add DomainB\Payroll as a login unless I have removed DomainA\Payroll (unless I'm missing something).

    I suggested that we add DomainB\PayrollUserA to the DomainA\Payroll group, but that didn't work.

    So what I am left with is creating a Role within the database to hold the DomainB users until the entire group is migrated.  At that point I will drop the DomainA group, add the DomainB group, set permissions and then drop the role.  Some of our departments have high turnover, which is why I don't just use database roles to begin with.

    This promises to be a major pain in the keister as we migrate ~100 users, so I've come around here looking for suggestions.

    Thanks!

  • Would it be possible to set up a trust between the two domains to help with the migration?

  • A trust already exists, but our systems team has been unable to find a tool that will quickly and accurately migrate the users' (roaming) profiles.


  • We're also migrating to a new domain one person at a time.  We've found that you can add a login to SQL Server for the Windows group in the new domain without first dropping the login for the existing group. 

    What we've done is:

    1. script out all the permissions for the DomainA login

    2. drop the existing login and its associated database users

    3. create the new DomainB login

    4. use the permissions script to create database users and grant identical permissions for the DomainB user

    5. re-create the DomainA login and use the script to re-create database users (with a new name) and grant permissions for the DomainA user

    So, we end up with two logins in SQL Server. When a person is moved from one domain to the other, they still have their permissions in SQL Server.  When everyone has been moved, we'll drop the DomainA login and its database users.

    Greg

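The scripting step in Greg's procedure (steps 1, 3 and 4, for one database) can be automated from the catalog views instead of written by hand. The T-SQL below is an added example, not code from the thread: it reads the role memberships and explicit permissions held by the existing DomainA\Payroll user in the Payroll database and generates the CREATE LOGIN / CREATE USER / ALTER ROLE / GRANT statements for the DomainB group. The group and database names come from the thread; the new user name PayrollB is an assumed placeholder, chosen explicitly so that the DomainA and DomainB users can coexist in the same database without a name clash. Review the printed script before executing it.

```sql
-- Added example (not from the original thread): generate a permissions script
-- for the DomainB\Payroll group from what DomainA\Payroll currently holds.
-- Assumed placeholder: PayrollB as the new database user name.
USE Payroll;
GO

DECLARE @OldUser  sysname = N'DomainA\Payroll';   -- existing database user
DECLARE @NewLogin sysname = N'DomainB\Payroll';   -- Windows group in the new domain
DECLARE @NewUser  sysname = N'PayrollB';          -- assumed name for the new user

DECLARE @sql nvarchar(max) = N'';

-- 1. Server login and database user for the new group. The old login stays in place.
SET @sql += N'IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = '
          + QUOTENAME(@NewLogin, '''') + N')' + CHAR(13)
          + N'    CREATE LOGIN ' + QUOTENAME(@NewLogin) + N' FROM WINDOWS;' + CHAR(13);
SET @sql += N'CREATE USER ' + QUOTENAME(@NewUser) + N' FOR LOGIN '
          + QUOTENAME(@NewLogin) + N';' + CHAR(13);

-- 2. Database role memberships of the old user.
--    (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; use sp_addrolemember on older builds.)
SELECT @sql += N'ALTER ROLE ' + QUOTENAME(r.name) + N' ADD MEMBER '
             + QUOTENAME(@NewUser) + N';' + CHAR(13)
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @OldUser;

-- 3. Explicit GRANT / DENY permissions at database, object, column and schema scope.
--    CONNECT is skipped because CREATE USER already grants it.
SELECT @sql += CASE p.state WHEN 'W' THEN N'GRANT' ELSE p.state_desc END
    + N' ' + p.permission_name
    + CASE p.class
        WHEN 0 THEN N''                                             -- whole database
        WHEN 1 THEN N' ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
                    + ISNULL(N' (' + QUOTENAME(c.name) + N')', N'') -- column-level, if any
        WHEN 3 THEN N' ON SCHEMA::' + QUOTENAME(sc.name)
        ELSE N' /* securable class ' + CAST(p.class AS nvarchar(10)) + N' not handled */'
      END
    + N' TO ' + QUOTENAME(@NewUser)
    + CASE p.state WHEN 'W' THEN N' WITH GRANT OPTION' ELSE N'' END
    + N';' + CHAR(13)
FROM sys.database_permissions p
JOIN sys.database_principals m ON m.principal_id = p.grantee_principal_id
LEFT JOIN sys.objects o  ON p.class = 1 AND o.object_id = p.major_id
LEFT JOIN sys.schemas s  ON s.schema_id = o.schema_id
LEFT JOIN sys.columns c  ON p.class = 1 AND c.object_id = p.major_id
                         AND p.minor_id <> 0 AND c.column_id = p.minor_id
LEFT JOIN sys.schemas sc ON p.class = 3 AND sc.schema_id = p.major_id
WHERE m.name = @OldUser
  AND p.permission_name <> N'CONNECT';

-- PRINT truncates very long scripts; SELECT @sql instead if the output is cut off.
PRINT @sql;
-- After review:  EXEC sys.sp_executesql @sql;
```

Run the script once per database that grants rights to the DomainA group, then drop the DomainA login and its users only after the last member has moved. Because the new user has its own name, the same approach also covers step 5 (re-creating the DomainA user under a different name) by swapping the @OldUser / @NewLogin / @NewUser values.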

  • If I am following - you are running into the problem that the domain is stripped off the server login when the user is created for the database.  This can be dealt with better from T-SQL, but you end up with two users in the database, not one connected to two logins (which is what Greg was suggesting).

    Another option would be to create a local user group on your SQL server and add both domain user groups to the local one.  Then you can add the single local user group to the SQL server.


  • I wasn't really suggesting having a database user mapped to two logins.  In fact, that's impossible.  We actually drop the old login and all of its associated database users before we create the new login and users from the scripts.

    Greg

