RE: Migrating Group Policy
- From: M. Helmy <MHelmy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Mar 2007 04:01:34 -0800
Hi WendyE,
So I think you must run Security Translation on the Terminal Service Server
so as to translate the permissions on the Terminal Service to be the new
migrated group instead of the old group.
You can check the group domain in the TS permissions (it must be
NewDomain\TSUsers instead of OldDomain\TSUsers)
Regards,
"WendyE" wrote:
Hi,
Yes all the TSUsers are migrated. They are all a member of a TS Group
(which has also been migrated) which has log on permissions to the TS. They
are also located in a TSUsers OU which has the GPO linked. SID History has
also been migrated.
Regards,
Wendy
"M. Helmy" wrote:
Hi WendyE,
Are all the TSUsers migrated to the new domain or not? If YES, then do you
restrict the Terminal Service permissions using an NT group or individual user
permissions? If you are using a group, did you migrate this group or not?
Finally, you must check whether you are enabling SID History between the source
and target domain or not.
Regards,
"WendyE" wrote:
Hello, Sorry if this sounds confusing... but here goes! I'm in the middle of
testing migrating users, computers & member servers from 2 existing domains
(W2k & W2003), into one new one. It's a single forest, single domain, using
OU's to delegate administration & apply group policy. The target DC is a W23K
server & the domain level is W2K Native level. I'm using ADMTv3 to do the
migrations. So far in my testing, all users, workstations & member servers
have migrated well, and the users are able to log on and access resources.
My issue is with Terminal Servers. I have a locked down GPO that restricts
what TS users can & can't do. The Terminal Server has been migrated and is
in the new domain. I have used Group Policy Management tool to "copy" the
existing TSUsers group policy from the old domain to the new one. After
giving myself the relevant permissions I am able to go in and Edit the policy
to ensure all the settings are correct. However, when I try to log on as one
of the TSUsers, the policy just isn't being recognised. I am able to run
GPRESULT when logged on as the user and that's showing that the user isn't a
member of any security groups (which isn't true) and no record of the TSUser
Group Policy. In the computer section of GPRESULT, it lists Group Policies
from the old domain... and it goes onto say that the policy was last applied
from.... the old domain domain controller. I found a registry entry where
the Group Policy History listed the old domain controller, so I edited that
(after backing up of course!) to point to the new domain controller, and
although that is now mentioned in the GPRESULT, it just doesn't seem to be
picking up the policies from the new domain.
I have also tried creating a brand new policy in the new domain, and that
also isn't being picked up. I've run SECEDIT on the Terminal Server to force
updates, but that doesn't make any difference.
Any ideas????
Thanks.
Wendy