Active Directory migrations and profile security translation (something's going wrong)

br flag

This is a general post not seeking a technical resolution to a precise problem. I just want to warn industry colleagues. My career focus has been on AD for 20 years. The precise niche I concentrate on is Migrations and Consolidation projects. I currently work at an organization where I'm migrating 4 domains into one larger one. We've had no end of issues. I've been dealing with a host of challenges for 6 straight months. I've never seen anything like this before.

It seems that in 2021, the tried and trusted (15-year-old) methods for migrating from one domain to another are failing at the user profile migration (translation) stage. If you are familiar with tools such as ADMT or Quest Migration Manager for AD, you will be familiar with the security translation wizard/agent whose job is to scour through each ACL on each and every file/folder to ensure that the TARGET domain security principal is added and given identical permissions to the SOURCE domain security principal. Well, it seems that in the latest Windows 10 release (and probably several before that), there are files/folders whose security the security translation tool is simply not able to modify. These are mainly related to Office 365 Apps profile folders. The result is that your users end up with profiles that are either half translated or completely corrupted. Office 365 apps do not launch correctly, meaning you have to reconfigure every single Office app for all impacted users. Something you want to avoid if you have thousands to migrate.

In addition to all of this, TPM (Trusted Platform Module), your on-prem identity and your cloud identity combine together to create a security layer that cannot be security translated by the traditional migration tools. Basically, they lock out any other user account from accessing your O365 apps profile data even if that account has full rights to the profile\AppData folders.

It's not 100% consistent, but across over 500 profile migrations I have seen it 75-80% of the time (it could be build/Office app specific). The only way out of this situation is to give users a brand new profile. So folks, next time you perform a domain migration with profile security translation and something is going wrong, it's not just you! Hundreds of people are reporting this issue with no clear direction from Microsoft. Quest are blaming "environmental" issues. I think Microsoft's New Age Developers have lost all concept of domain migrations. They are building security models without any thought towards keeping the user profile "portable". A user profile has always been something you can assign to a new user account, but not anymore?

A point of note also is that MS ADMT does not officially support Windows 10 or Windows Server 2016/2019 for that matter.
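The security translation step the post describes (adding the TARGET domain principal to every ACL with the same rights as the SOURCE principal), as an added PowerShell example that is not from the post, ADMT or Quest; the profile path and the two SIDs are placeholders. Its purpose is the failure report: it records every path the re-ACL could not modify, which is exactly the symptom described above.

```powershell
# Added example (not from the post, ADMT or Quest): "add" mode security translation
# over one user profile, plus a CSV of every path it could NOT re-ACL.
# All parameter defaults are placeholders; supply real values for your environment.
param(
    [string]$ProfileRoot = 'C:\Users\jdoe',               # placeholder profile folder
    [string]$SourceSid   = 'S-1-5-21-111-222-333-1105',   # placeholder SOURCE user SID
    [string]$TargetSid   = 'S-1-5-21-444-555-666-2201',   # placeholder TARGET user SID
    [string]$ReportPath  = "$env:TEMP\retranslate-failures.csv"
)

# Work with SIDs rather than names: after cut-over the SOURCE account may no longer resolve.
$src = [System.Security.Principal.SecurityIdentifier]$SourceSid
$dst = [System.Security.Principal.SecurityIdentifier]$TargetSid
$failures = [System.Collections.Generic.List[object]]::new()
$changed  = 0

# -Force includes hidden items such as AppData, where the Office profile data lives.
$items = @(Get-Item -LiteralPath $ProfileRoot -Force) +
         (Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Only explicit (non-inherited) ACEs for the SOURCE SID need a twin;
        # inherited ones flow down from the parent once the parent is fixed.
        $srcAces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                   Where-Object { $_.IdentityReference -eq $src }
        if (-not $srcAces) { continue }
        foreach ($ace in $srcAces) {
            # Clone the ACE for the TARGET SID: same rights, inheritance, propagation and Allow/Deny.
            $twin = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $dst, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($twin)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $changed++
    } catch {
        # The list the post is about: paths the translation could not modify.
        $failures.Add([pscustomobject]@{ Path = $item.FullName; Error = $_.Exception.Message })
    }
}

$failures | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
"Re-ACLed $changed item(s); $($failures.Count) failure(s) written to $ReportPath"
```

Run it elevated against a test profile first; the failure CSV is what you compare against the profiles that came out half translated.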

cn flag
That's interesting information, but how hard could it be to write some code that re-ACL's files/folders in a user profile?
Spirited Warrior (br flag):
That's not hard. But it only solves half the problem. The TPM issue is the one that can't be resolved as it's a black boxed security layer of its own.
LeeM (cn flag):
Frankly, it's hard not to think of the black helicopters scenario where MSFT is actively (ahem) deprecating Active Directory, because apparently in their fairyland, every org of every conceivable size and with any LOB product should be 100% operating in Azure AD. MIM 2016 going EOL with no replacement is a big warning sign AFAIC.
Daniel (in flag):
A Q&A site is not really the best choice to spread this information. It would be better to open a ticket directly at Microsoft and discuss this with them. If they identify a bug or unwanted behaviour, they can then fix it for everybody.
Spirited Warrior (br flag):
@Daniel - You're a bit too trusting of MS's ability to A) understand the issue and B) have the inclination to deal with it. Plenty of tickets are open. They're not getting the issues. Some of us have more experience of AD and MS technologies than the current offshored and outsourced people they call "MS Support Professionals".