Resolution for events 111 and 1085 and no folder redirection
dbdodson2000_at_yahoo.com
Date: 01/12/05
Date: 12 Jan 2005 05:18:43 -0800

I recently went through an issue when migrating user accounts from one
domain to another and thought the information I gathered may be useful
to others.

Here is the configuration:

Old Domain: Windows 2000 based, users with roaming profiles which are
re-directed into shared folders
New Domain: Windows 2003 based, users with roaming profiles which are
re-directed into shared folders

Basically, I used the Active Directory Migration Tool to migrate the
users' accounts from the old domain to the new domain. During the
migration process, I did NOT select the option to migrate the SID
histories. Once the accounts were migrated, I transferred the user
profiles from the shared folders in the old domain to the shared
folders in the new domain. I then reset permissions on the profile
folders so that the new domain accounts could access their respective
profile folder.

My first login to a terminal server member server in the new domain
resulted in events 111 and 1085 being logged in the terminal server
application log. This means that folder redirection failed because
"The Group Policy client-side extension Folder Redirection failed to
execute". The user was given a default profile instead of their old
profile. If I made the user a Domain Admin, they could log in and
folder redirection would work without issue. However, making everyone
a Domain Admin was not an acceptable answer (obviously).

I re-migrated everybody's accounts using ADMT and this time selected
the option to migrate SID histories. This time I could log in to the
terminal server and folder redirection worked without issue.

After researching this issue via several newsgroup postings, I figured
out what the problem with the original migration was. Since I was
using roaming profiles to redirected folders and the HKEY_CURRENT_USER
hive is populated from each account's NTUSER.DAT file at login, the SID
from the original domain was used in the ACL for the HKEY_CURRENT_USER
hive. Since this SID was not recognized in the new domain, the user
who was logging in did not have permissions to access the
HKEY_CURRENT_USER hive. Making them a Domain Admin worked since Domain
Admins have permissions to the HKEY_CURRENT_USER hive. Migrating SID
histories worked because their SID from the old domain would be
recognized in the new domain.

I fixed this problem without migrating SID histories for one account by
temporarily making the user a Domain Admin. I then logged in as that
user and ran regedit. I removed their previous SID from the ACL of
HKEY_CURRENT_USER, added their new account and gave them Full Control
permissions. I also selected the option to propagate this change to
all child keys. I logged off, removed them from Domain Admins and
logged back in. Everything worked fine.

I hope this may help some people that have run into this issue or
something related to it.
- Doug -
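
The following is an added example, not part of the original post. It shows the condition described above on the SDDL text form of a hive key's security descriptor: it lists DACL trustees whose SID was issued by a domain other than the current one and rewrites them to the migrated account's SID. The domain SIDs, RIDs, sample SDDL string and function names are constructed for illustration.

```python
import re

# DACL section of an SDDL string: "D:" + optional flags + one or more (ACE) groups.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")
# Domain-issued SID: S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")

# Constructed sample values (not taken from the post).
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
HIVE_SDDL = ("O:BAG:SYD:P(A;CI;KA;;;" + OLD_DOMAIN + "-1105)"
             "(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;RC)")

def dacl_aces(sddl):
    """Return the DACL flags and its ACEs, each ACE as a list of 6 fields:
    type, flags, rights, object GUID, inherited object GUID, trustee."""
    match = DACL_RE.search(sddl)
    if match is None:
        raise ValueError("no DACL in SDDL string")
    aces = [ace.split(";") for ace in re.findall(r"\(([^()]*)\)", match.group(2))]
    if any(len(ace) != 6 for ace in aces):
        raise ValueError("unsupported ACE form")
    return match, aces

def stale_trustees(sddl, current_domain_sid):
    """Domain SIDs in the DACL that were issued by some other domain."""
    stale = []
    for ace in dacl_aces(sddl)[1]:
        m = DOMAIN_SID_RE.fullmatch(ace[5])
        if m and m.group(1) != current_domain_sid and ace[5] not in stale:
            stale.append(ace[5])
    return stale

def retarget(sddl, sid_map):
    """Rewrite DACL trustees per sid_map (old SID -> new SID).
    Owner, group and SACL are left untouched."""
    match, aces = dacl_aces(sddl)
    for ace in aces:
        ace[5] = sid_map.get(ace[5], ace[5])
    rebuilt = "D:" + match.group(1) + "".join("(" + ";".join(a) + ")" for a in aces)
    return sddl[:match.start()] + rebuilt + sddl[match.end():]

if __name__ == "__main__":
    print("stale:", stale_trustees(HIVE_SDDL, NEW_DOMAIN))
    print(retarget(HIVE_SDDL, {OLD_DOMAIN + "-1105": NEW_DOMAIN + "-2107"}))
```

Well-known aliases such as SY and BA are not domain SIDs and are never reported, which matches the post's observation that administrators could still open the hive.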