RE: migrate primary group setting??



Hi Chris,

Based on my research, this problem occurs because of the method that the
Active Directory Migration Tool uses to migrate users from a different
Active Directory forest. When you migrate a user from a different Active
Directory forest, the Active Directory Migration Tool does not migrate the
user object. Instead, the Active Directory Migration Tool makes a call into
an Active Directory API LDAP_MOVE function. Generally, the LDAP_MOVE
function requires that the user who you migrate is not a member of a global
group. If the user that you migrate is a member of a global group, the
global group membership breaks after the migration is complete.

However, this requirement does not apply to users who are members of the
Domain Users group. Membership in the Domain Users group is considered an
implicit membership and occurs when that user is a member of a particular
domain. You do not have to explicitly add the user to the Domain Users
group, but an attribute is assigned to that user object to indicate
membership in the Domain Users group. If you set a user's primary group to
a security group other than the Domain Users group, the following three
behaviors occur:

- The user is now an explicit member of the Domain Users group.

- The user is no longer an explicit member of the security group that you
defined as that user's new primary group.

- The user is now an implicit member of the security group that you defined
as that user's new primary group.


This problem occurs because the Active Directory Migration Tool removes a
user from all global groups except the Domain Users group before it calls
the LDAP_MOVE function. Therefore, when you try to migrate a user whose
primary group is not the Domain Users group, the migration does not
succeed.

To work around this issue, I would suggest you follow the sequence of
accounts and objects migration which have been addressed in Figure 9.8 in
the following article.

Migration of a Windows NT 4.0 Account Domain to Active Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp9.mspx

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
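
Added example (not part of the original post, and not Microsoft or ADMT code): a pre-migration check that models the membership rules described above, decoding a binary objectSid to resolve each user's implicit primary group and listing accounts whose primary group is not Domain Users. The directory records, the example.test names and the helper names are constructed; the attribute names primaryGroupID, objectSid and memberOf, and RID 513 for Domain Users, are the standard Active Directory ones, which the post itself does not name.

```python
import struct

DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group

def make_sid(*subs: int) -> bytes:
    """Build a binary SID under authority 5 (used for the constructed data)."""
    return struct.pack(f"<BB6s{len(subs)}I", 1, len(subs), (5).to_bytes(6, "big"), *subs)

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 6 bytes, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)    # 32-bit little-endian each
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(user: dict) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    domain_sid = sid_to_str(user["objectSid"]).rsplit("-", 1)[0]
    return f"{domain_sid}-{user['primaryGroupID']}"

def effective_groups(user: dict, groups_by_sid: dict) -> list:
    """memberOf holds explicit memberships only; add the implicit primary group."""
    primary = groups_by_sid.get(primary_group_sid(user), "<unresolved primary group>")
    return sorted(set(user["memberOf"]) | {primary})

def non_default_primary(users: list) -> list:
    """Accounts whose primary group is not Domain Users: review before migrating."""
    return [u["sAMAccountName"] for u in users if u["primaryGroupID"] != DOMAIN_USERS_RID]

# Constructed sample directory (not real data).
DOM = (21, 111, 222, 333)
DU = "CN=Domain Users,CN=Users,DC=example,DC=test"
FIN = "CN=Finance,OU=Groups,DC=example,DC=test"
GROUPS = {"S-1-5-21-111-222-333-513": DU, "S-1-5-21-111-222-333-1201": FIN}
USERS = [
    # Default case: Domain Users is implicit, Finance is explicit.
    {"sAMAccountName": "alice", "objectSid": make_sid(*DOM, 1105),
     "primaryGroupID": 513, "memberOf": [FIN]},
    # Primary group changed to Finance: Domain Users becomes explicit.
    {"sAMAccountName": "bob", "objectSid": make_sid(*DOM, 1106),
     "primaryGroupID": 1201, "memberOf": [DU]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["sAMAccountName"], primary_group_sid(u), effective_groups(u, GROUPS))
    print("primary group is not Domain Users:", non_default_primary(USERS))
```

Both sample accounts end up with the same effective memberships, but only the second one has a non-default primary group, which is the condition the post ties to the failed migration.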
