• How to Disable SID Filter Quarantining & Allow SID History

    Domain A is the old domain. Domain B is the new domain.

    Step 1: Check the SID in sIDHistory.
    1. On a domain controller in Domain B, run ldp.exe, click the Connection menu, click Connect, type the Domain B DC name and port 389, and click OK to connect to the server.

    2. Click the Connection menu again and click Bind, enter the user name, password and Domain B domain name, and click OK to bind.

    3. Click the View menu, click Tree, select the corresponding domain partition in the dropdown menu and click OK.

    4. In the left pane, expand the domain and locate the migrated user, double-click the user and check the user's properties in the right pane. Find the sIDHistory attribute to get the migrated SID.

    5. In Domain A, install PsGetSid from the link below:
    <http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx>
    Then run psgetsid.exe on a Domain A DC:
    psgetsid <SID>
    Note: replace <SID> with the SID you got from sIDHistory to verify which account it belongs to.
    6. Then check the resource's security and share permissions to verify that the user whose SID appears in sIDHistory is listed.

    Step 2: Run the following command on a Domain B DC that has netdom installed. (netdom.exe is part of the Support Tools, which you can install from the support\tools folder on the Windows installation CD.)

    Disabling SID Filter Quarantining on External Trusts

    Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:

    • You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.
    • You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.
    • Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute.

    Only domain administrators or enterprise administrators can modify SID filtering settings. To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command-prompt:

    Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

    Note: For Windows 2008 /quarantine: N or Y

    EX:
    netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /Quarantine:No
    Note: replace DomainA and DomainB with the actual domain names. The * option masks the admin password; you will be prompted for the DomainA admin password first and then the DomainB admin password.

    Allowing SID History to Traverse Forest Trusts

    If users are migrated from one domain to another in different forests, you may want to allow the migrated users to access resources in their original forest using their migrated (SID history) credentials. The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.

    Only domain administrators or enterprise administrators can modify SID filtering settings. To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command-prompt:

    Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

    Note: For Windows 2008 /enablesidhistory: N or Y

    EX:
    netdom trust DomainA /D:DomainB /UD:DomainB\Administrator /PD:* /UO:DomainA\Administrator /PO:* /enablesidhistory:Yes
    Note: replace DomainA and DomainB with the actual domain names. The * option masks the admin password; you will be prompted for the DomainA admin password first and then the DomainB admin password.

    Note

    • The same security considerations for removing SID filter quarantining from external trusts apply to allowing SID history to traverse forest trusts.

    Additional information:
    ===================
    For detailed information, refer to the sections “Disabling SID Filter Quarantining on External Trusts” and “Allowing SID History to Traverse Forest Trusts” in the following article:
    http://technet.microsoft.com/en-us/library/cc755321(WS.10).aspx
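    Added example (not from the original article): a PowerShell 3+ audit of the two things the procedure above changes, the sIDHistory values on migrated accounts and the SID-filtering state of each trust, so the netdom change can be verified afterwards. It assumes a domain-joined host and a reader who can query AD; the TrustAttributes bit values are taken from the MS-ADTS trustedDomain definition and should be confirmed there.

```powershell
# Added example, not the article's own code. Audits sIDHistory and trust SID-filtering state.
# TrustAttributes bit values (assumption, from MS-ADTS):
$QUARANTINED_DOMAIN = 0x00000004   # set => SID filter quarantining ON  (/quarantine:Yes)
$FOREST_TRANSITIVE  = 0x00000008   # set => this is a forest trust
$TREAT_AS_EXTERNAL  = 0x00000040   # set => SID history crosses a forest trust (/enablesidhistory:Yes)

function Get-TrustSidFilterState {
    $root = [ADSI]"LDAP://RootDSE"
    $sys  = [ADSI]("LDAP://CN=System," + $root.defaultNamingContext)
    $ds   = New-Object DirectoryServices.DirectorySearcher($sys, "(objectClass=trustedDomain)")
    foreach ($r in $ds.FindAll()) {
        $attr = [int]$r.Properties["trustattributes"][0]
        [pscustomobject]@{
            Trust             = $r.Properties["name"][0]
            ForestTrust       = [bool]($attr -band $FOREST_TRANSITIVE)
            Quarantined       = [bool]($attr -band $QUARANTINED_DOMAIN)
            SidHistoryAllowed = [bool]($attr -band $TREAT_AS_EXTERNAL)
            RawAttributes     = '0x{0:X8}' -f $attr
        }
    }
}

function Get-SidHistoryAccounts {
    # Every account that carries a migrated SID, with each SID resolved so the
    # source account can be confirmed (the same check the article does with psgetsid).
    $ds = New-Object DirectoryServices.DirectorySearcher("(sIDHistory=*)")
    foreach ($r in $ds.FindAll()) {
        foreach ($raw in $r.Properties["sidhistory"]) {
            $sid = New-Object Security.Principal.SecurityIdentifier($raw, 0)
            try   { $resolved = $sid.Translate([Security.Principal.NTAccount]).Value }
            catch { $resolved = '(unresolved: source domain unreachable or account gone)' }
            [pscustomobject]@{
                Account    = $r.Properties["samaccountname"][0]
                HistorySid = $sid.Value
                ResolvesTo = $resolved
            }
        }
    }
}

Get-TrustSidFilterState | Format-Table -AutoSize
Get-SidHistoryAccounts  | Format-Table -AutoSize
```

    Run it once before and once after the netdom command; the Quarantined / SidHistoryAllowed columns should be the only thing that changes.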

  • Windows 7 cannot connect to a Windows 2003 print server

    Description: Windows 7 cannot connect to a Windows 2003 print server

    Symptom: A Windows 7 client connecting to a Windows 2003 print server using \\servername or IPP gets the following error messages:

    · Issue 1:

    The error message shows “access denied”, but adding the domain user to the local Administrators group solves the issue, so it must be related to Windows 7 print permissions.

    · Issue 2:

    If the printer uses an old driver, the error message shows “Windows cannot connect to the printer…”

    Solution:

    Issue 1:

    · Set the following policy at Windows 7 clients:
    ============================
    Computer Configuration | Administrative Templates | Printers | Point and Print Restrictions: Disabled


    Use Windows XP-Level Security

    You can use the Point and Print Restrictions group policy setting to provide a Windows Vista client computer with the same level of Point and Print security that it had with Windows XP.

    User Experience

    Users will not see any additional warning messages when they connect to a shared printer and Point and Print installs a new printer driver or when Point and Print updates the printer driver for an existing connection.

    Issue 2:

    · After we changed the printer driver on the Windows 2003 print server to a universal driver, clients could download the appropriate driver without error.

    Reference:

    Beginning with Windows Vista, printer management has more restrictions, and Windows 7 uses the same architecture; see the following document:

    http://technet.microsoft.com/en-us/library/cc753269.aspx

    The default security settings for Windows 7 and Windows Server 2008 R2 allow users who are not members of the local Administrators group to install only trustworthy printer drivers, such as those provided with Windows or in digitally signed printer-driver packages. This helps to ensure that users do not install untested or unreliable printer drivers or drivers that have been modified to contain malicious code (malware). However, it means that sometimes users cannot install the appropriate driver for a shared printer, even if the driver has been tested and approved in your environment.
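    Added example (not from the original post): a PowerShell script that reports the current Point and Print Restrictions state on a Windows 7 client, and, going beyond the fix above, shows the narrower alternative of keeping the policy Enabled but trusting only the named print server, so the driver-installation protection described in the quoted document is not switched off for every host. The registry value names under the PointAndPrint policy key are assumed from the Printing.admx definition; the server name is a placeholder.

```powershell
# Added example, not the post's own code. Requires an elevated prompt to apply a setting.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'   # assumption: ADMX-backed key

function Get-PointAndPrintState {
    if (-not (Test-Path $PnPKey)) {
        return [pscustomobject]@{ Policy = 'Not configured'; TrustedServers = '(any server)' }
    }
    $v = Get-ItemProperty -Path $PnPKey
    if     ($v.Restricted -eq 1) { $policy = 'Enabled' }
    elseif ($v.Restricted -eq 0) { $policy = 'Disabled (XP-level security: any server may supply drivers)' }
    else                         { $policy = 'Not configured' }
    if ($v.TrustedServers -eq 1) { $servers = $v.ServerList } else { $servers = '(any server)' }
    [pscustomobject]@{
        Policy         = $policy
        TrustedServers = $servers
        InForestOnly   = ($v.InForest -eq 1)
        InstallPrompt  = $v.NoWarningNoElevationOnInstall   # 0 = warn and require elevation
        UpdatePrompt   = $v.UpdatePromptSettings            # 0 = warn and require elevation
    }
}

function Set-PointAndPrintTrustedServer {
    # Keeps the restriction Enabled but allows driver installs only from the listed servers,
    # so the 2003 print server works without relaxing the check for every host on the network.
    param([Parameter(Mandatory)][string[]]$ServerFqdn)
    New-Item -Path $PnPKey -Force | Out-Null
    Set-ItemProperty -Path $PnPKey -Name Restricted     -Value 1 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name TrustedServers -Value 1 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name ServerList     -Value ($ServerFqdn -join ';') -Type String
    Set-ItemProperty -Path $PnPKey -Name InForest       -Value 1 -Type DWord
    Get-PointAndPrintState
}

Get-PointAndPrintState
# Set-PointAndPrintTrustedServer -ServerFqdn 'printsrv.corp.example'   # placeholder print server name
```

    In a managed environment set the same values through the Group Policy editor rather than writing the Policies key directly, so they are not overwritten at the next policy refresh.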

  • How to Hide "My Network Places" from Windows Explorer view

    Problem
    =========
    How to Hide "My Network Places" from Windows Explorer view


    Solution
    ==========
    You can remove “public” folder by deleting the registry key below.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}

    To remove the user folder, you can delete the below one.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}

    To remove the My Network Places, you can delete the below one.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}

    PS: please take a backup of these registry keys before deleting.

  • Windows driver uninstallation fails in Windows XP

    In Windows XP, you may encounter the following error message when removing a hardware device:

    Failed to uninstall the device. The device may be required to boot up the computer.

    In this case, the permissions on the registry key that corresponds to the hardware device may not allow you to delete the device. Remove the unneeded device as follows:

    1. Open Device Manager and locate the hardware device to remove (we use Msft Virtual CD/ROM as the example; substitute the device you want to delete), right-click it -> [Properties]:

    2. Click the [Details] tab, find "Device Instance Id" and note the value shown:
      IDE\CDROMMSFT_……\5&56de&0&0.0.0

    3. Next, open Registry Editor and go to:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
      and locate the matching instance; you will find that the path noted on the previous screen is the relative path of the key under here.

    4. Right-click that key -> [Permissions]

    5. In the permissions list, select Everyone and check "Full Control"

    6. Then delete the key.
    7. Reopen Device Manager; you will see that the device is gone.
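    Added example (not from the original post), covering both the Explorer NameSpace keys in the "My Network Places" section and the Enum\<instance id> key in the XP steps above: a PowerShell function that exports the key before touching it, grants Full Control to the local Administrators group instead of Everyone (so the key is not left writable by every account), and only then deletes it. It assumes an elevated prompt whose caller may change the key's DACL, as step 5 above does in regedit; the function and backup folder names are the example's own.

```powershell
# Added example, not the post's own code. Backup -> scoped permission -> delete, in that order.
function Remove-RegistryKeyWithBackup {
    param(
        [Parameter(Mandatory)][string]$KeyPath,            # reg.exe form, e.g. HKLM\SYSTEM\CurrentControlSet\Enum\...
        [string]$BackupDir = "$env:SystemDrive\RegBackup"  # assumed backup location
    )
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $safeName = ($KeyPath.Split('\')[-1]) -replace '[^\w.-]', '_'
    $backup   = Join-Path $BackupDir ('{0}-{1}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'), $safeName)

    # 1. Export first. "reg.exe import <file>" puts the key back if the change has to be reverted.
    & reg.exe export $KeyPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; nothing was deleted." }

    # 2. Grant Full Control to BUILTIN\Administrators only (the post's step 5 uses Everyone,
    #    which is wider than needed). Set-Acl fails here, before deletion, if the caller lacks WRITE_DAC.
    $psPath = $KeyPath -replace '^HKEY_LOCAL_MACHINE\\|^HKLM\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\|^HKCU\\', 'HKCU:\'
    $acl  = Get-Acl -Path $psPath
    $rule = New-Object Security.AccessControl.RegistryAccessRule(
                'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $psPath -AclObject $acl

    # 3. Delete the key and everything under it, then hand back the backup path for the change record.
    Remove-Item -Path $psPath -Recurse -Force
    return $backup
}

# Usage with the My Network Places key from the section above (device keys are passed the same way):
# Remove-RegistryKeyWithBackup 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'
```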
  • KMS Client Activation Error Code 0x8004FE92

    When you try to activate Windows, you get the following error:

    0x8004FE92

    The main causes of this problem are:

    1. An incorrect KMS client key was used when connecting to the KMS server to attempt activation.
    2. The KMS client count is not enough to activate the KMS service.
    3. The KMS server hit a connection error, so activation could not succeed.

    When you encounter this problem, try the following:

    • Choose the correct KMS client key:

    where KmsSetupKey is one of the setup keys shown in the following table. After installing the KMS setup key, activate the KMS client by running cscript slmgr.vbs /ato.

    KMS Client Setup Keys
    =====================
    Operating System Edition                            Product Key
    --------------------------------------------------  -----------------------------
    Windows 7
      Windows 7 Professional                            FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
      Windows 7 Professional N                          MRPKT-YTG23-K7D7T-X2JMM-QY7MG
      Windows 7 Enterprise                              33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
      Windows 7 Enterprise N                            YDRBP-3D83W-TY26F-D46B2-XCKRJ
      Windows 7 Enterprise E                            C29WB-22CC8-VJ326-GHFJW-H9DH4
    Windows Server 2008 R2
      Windows Server 2008 R2 HPC Edition                FKJQ8-TMCVP-FRMR7-4WR42-3JCD7
      Windows Server 2008 R2 Datacenter                 74YFP-3QFB3-KQT8W-PMXWJ-7M648
      Windows Server 2008 R2 Enterprise                 489J6-VHDMP-X63PK-3K798-CPX3Y
      Windows Server 2008 R2 for Itanium-Based Systems  GT63C-RJFQ3-4GMB6-BRFB9-CB83V
      Windows Server 2008 R2 Standard                   YC6KT-GKW9T-YTKYR-T4X34-R7VHC
      Windows Web Server 2008 R2                        6TPJF-RBVHG-WBW2R-86QPH-6RTM4

    Converting Retail Editions to Volume Activation

    Retail editions of Windows 7 Professional and Windows Server 2008 R2 can be converted to KMS clients, provided that the organization has acquired the appropriate volume licenses and conforms to the Product Use Rights. To convert Windows 7 Professional and all editions of Windows Server 2008 R2 from retail to a KMS client, skip the Product Key page during operating system installation. When installation is complete, open an elevated Command Prompt window and type:

    Slmgr.vbs /ipk <SetupKey>

    where SetupKey is the KMS client setup key from Table 4 that corresponds to the edition of Windows 7 or Windows Server 2008 R2.

    • Make sure the activation count is sufficient: server SKUs need at least 5 counts to activate, and client SKUs need at least 25.
    • Confirm that the KMS server itself can connect to Internet services.
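    Added example (not from the original post): a PowerShell diagnostic run on the failing client that checks the three causes listed above in order: whether a KMS host is published in DNS and reachable on TCP 1688 (cause 3), and whether the installed key is a KMS client key rather than a retail or MAK key (cause 1); the count check (cause 2) can only be done on the KMS host, so it prints the command for it. It assumes a domain-joined Windows 7 / 2008 R2 client with nslookup and the standard slmgr.vbs; the function names are the example's own.

```powershell
# Added example, not the post's own code. Works on PowerShell 2+ (no Resolve-DnsName / Test-NetConnection needed).
function Get-KmsHostFromDns {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # KMS clients discover hosts through the _vlmcs._tcp SRV record; nslookup prints one
    # "svr hostname = <fqdn>" line per published host.
    $out = & nslookup -type=srv "_vlmcs._tcp.$Domain" 2>$null
    $hosts = $out | ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] } }
    return @($hosts)
}

function Test-KmsPort {
    param([Parameter(Mandatory)][string]$KmsHost, [int]$Port = 1688)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($KmsHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(3000)) { return $false }   # 3 s timeout
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-InstalledKeyInfo {
    # slmgr.vbs /dli prints a "Description:" line; a VOLUME_KMSCLIENT channel means a KMS
    # client setup key (from the table above) is installed. Anything else points to cause 1.
    $out  = & cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli
    $desc = ($out | Where-Object { $_ -match '^Description:' }) -replace '^Description:\s*', ''
    [pscustomobject]@{ Description = "$desc"; IsKmsClientKey = [bool]("$desc" -match 'VOLUME_KMSCLIENT') }
}

$hosts = Get-KmsHostFromDns
if ($hosts.Count -eq 0) {
    Write-Warning "No _vlmcs._tcp SRV record found (cause 3). Point the client at the host with: cscript slmgr.vbs /skms <kmshost>:1688"
}
foreach ($h in $hosts) { '{0}: TCP 1688 reachable = {1}' -f $h, (Test-KmsPort -KmsHost $h) }
Get-InstalledKeyInfo
'Cause 2 is checked on the KMS host: cscript slmgr.vbs /dlv  (Current count must reach 25 for client SKUs, 5 for server SKUs)'
```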