Security Translation Options

Specifies how Active Directory Migration Tool handles the security translation process. These fields are defined as follows:

Replace

Replaces the security ID (SID) for the account in the source domain with the SID for the account in the target domain in the access control lists (ACLs) and system access control lists (SACLs) in the security descriptors of the selected objects. This option gives the account in the target domain the same permissions on the selected objects as the account in the source domain. This option also removes these permissions from the account in the source domain.

When performing an intraforest migration, SID History is migrated and the source object is deleted. So, when performing an intraforest migration, Active Directory Migration Tool only allows security translation in Replace mode.

Add

Adds the SID for the account in the target domain to the ACLs and SACLs in the security descriptors of the selected objects that contain the SID for the account in the source domain. This option gives the account in the target domain the same permissions to the selected objects as the account in the source domain.

Windows 2000 only recognizes the first 30 entries in registry key ACLs. If security translation is performed in Add mode, then more than 30 entries can exist at the end of the process. The large number of access control entries (ACEs) on certain registry keys might result in users being locked out of the affected system.

To prevent this problem, if the wizard encounters an ACL with more than 15 ACEs while running in Add mode, the registry key is skipped by the system registry security translation process. This does not occur when security translation is run in Replace or Remove mode. This is not a problem if the customer has not manually changed any registry key ACEs on the affected systems.

Remove

Removes the SID for the account in the source domain from the ACLs and SACLs in the security descriptors of the selected objects. This option removes the permissions to the selected objects from the account in the source domain.
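The following added example (not part of the original documentation or of Active Directory Migration Tool itself) simulates the three translation modes over a single ACL as described above, including the Add-mode rule that skips a registry key ACL with more than 15 ACEs. The SID values and access masks are constructed placeholders.

```python
from dataclasses import dataclass, replace as ace_with
from enum import Enum


class Mode(Enum):
    REPLACE = "replace"   # swap source SID for target SID
    ADD = "add"           # keep source ACE, add a matching target ACE
    REMOVE = "remove"     # drop the source ACE


@dataclass(frozen=True)
class Ace:
    sid: str          # trustee SID string
    access_mask: int  # rights granted/denied/audited
    ace_type: str     # "allow", "deny" or "audit" (SACL entries)


# Registry key ACLs with more ACEs than this are skipped in Add mode (per the page).
ADD_MODE_ACE_LIMIT = 15


def translate_acl(acl, sid_map, mode, is_registry_key=False):
    """Return (translated ACL, skipped flag).

    sid_map maps each source-domain SID to its target-domain SID. ACEs whose
    SID is not in the map belong to accounts that are not being migrated and
    are left untouched in every mode.
    """
    if mode is Mode.ADD and is_registry_key and len(acl) > ADD_MODE_ACE_LIMIT:
        return list(acl), True  # leave the key alone to avoid the 30-entry problem
    out = []
    for ace in acl:
        target = sid_map.get(ace.sid)
        if target is None:
            out.append(ace)
            continue
        if mode is Mode.REPLACE:
            out.append(ace_with(ace, sid=target))
        elif mode is Mode.ADD:
            out.append(ace)
            target_ace = ace_with(ace, sid=target)
            if target_ace not in acl:  # idempotent if the wizard is re-run
                out.append(target_ace)
        # Mode.REMOVE: source ACE is simply not copied to the output
    return out, False


# Constructed sample: one migrated user plus LocalSystem (S-1-5-18) on a file DACL.
SAMPLE_DACL = [Ace("S-1-5-21-111-222-333-1104", 0x1F01FF, "allow"),
               Ace("S-1-5-18", 0x1F01FF, "allow")]
SAMPLE_MAP = {"S-1-5-21-111-222-333-1104": "S-1-5-21-444-555-666-2203"}
```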

For more information, see Security identifier (SID) translation.