Security Translation Options

Specifies how Active Directory Migration Tool handles the security translation process. These fields are defined as follows:

Replace

Replaces the security ID (SID) for the account in the source domain with the SID for the account in the target domain in the access control lists (ACLs) and system access control lists (SACLs) in the security descriptors of the selected objects. This option gives the account in the target domain the same permissions on the selected objects as the account in the source domain. This option also removes these permissions from the account in the source domain.

When performing an intraforest migration, SID History is migrated and the source object is deleted. So, when performing an intraforest migration, Active Directory Migration Tool only allows security translation in Replace mode.

Add

Adds the SID for the account in the target domain to the ACLs and SACLs in the security descriptors of the selected objects that contain the SID for the account in the source domain. This option gives the account in the target domain the same permissions to the selected objects as the account in the source domain.

Remove

Removes the SID for the account in the source domain from the ACLs and SACLs in the security descriptors of the selected objects. This option removes the permissions to the selected objects from the account in the source domain.

For more information, see Security identifier (SID) translation.