RE: question on using migration tool and user groups



Hi Gary,

1. To correct this we used Addusers.exe from the Windows 2000 Resource Kit
in order to dump all groups and their membership to a text file. The
syntax used to extract this is:

addusers /d c:\SIDMapping.txt <domainname>

2. Once the groups were dumped to a text file we created a SID Mapping file
using just the [LOCAL] section of the SIDMapping.txt file. The SID Mapping
file uses a 1:1 mapping of Domain Local Group friendly names on the right,
its Global Group member on the right, separated by a comma.

3. We edited the SIDMapping.txt file and added <theirdomainname\> in front
of all the Domain Local Groups.

4. In cases where the Domain Local Group had more than one Global Group as
its member, we copied the Domain Local Group to the next line down and added
another Global Group until all Global Groups belonging to a Domain Local
Group had a 1:1 mapping with the Domain Local Group.

For example: Domain Local Group has these Global Groups as members: Global
Group1, Global Group2, Global Group3. The SIDMapping.txt file should look
like this:

Domain\Domain Local Group,Domain\Global Group1
Domain\Domain Local Group,Domain\Global Group2
Domain\Domain Local Group,Domain\Global Group3

5. We installed ADMTv2 on the W2K3 member server holding the migrated data
and ran the Security Translation Wizard.
NOTE: No domain migration ever occurred, no protar.mdb existed, it does not
matter if Active Directory exists or not.

   a. Open migrator.msc
   b. Right-click the top node and select "Security Translation Wizard".
   c. Select "Migrate now", Next.
   d. Select "Other objects specified in a file" and Browse to the
      SIDMapping.txt file.
   e. Click Add and enter the hostname of the server where the migrated
      data resides and click OK.
   f. On the Translate Objects window place a check next to the object
      type you want to translate ACLs for and click Next.
   g. Select the "Add" radio button. This will edit the ACL, giving the
      Global Group permissions that match that of the Domain Local Group.
   h. Proceed with the Translation.

NOTE: Cleanup of the ACLs can be done at a later time by running
Security Translation again with the Remove option against a list of Domain
Local Groups.

BTW, I found that this issue often happens in a mixed mode domain. Does this
fit your environment?

Hope it helps.

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security


--------------------
>>From: "gary" <garym_jacksonfurniture_dontspamme_@xxxxxxxxxxx>
>>Subject: question on using migration tool and user groups
>>Date: Mon, 14 Nov 2005 14:11:44 -0500
>>Newsgroups: microsoft.public.windows.server.migration
>>
>>I used the migration tool to move folders from our windows 2000 file server
>>to the windows 2003 file server.
>>
>>everything went fine, except for folders that were assigned to groups.
>>
>>I have a folder for our salesmen, and rather than assign individual rights
>>to the folder, I created a salesman group, gave it full rights to the
>>folder, and then add users to that group.
>>
>>after I used the migration tool to move the folder to the 2003 server I
>>found that it did not seem to recognize the group, I had to go in and add
>>each user individually.
>>
>>Now the 2003 server is just a member server, but that shouldn't matter, so
>>what is happening here?
>>
>>I have several other folders the same way, and just want to have this
>>figured out before I move any more.
>>
>>
>>
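
Steps 1 to 4 of the reply above (dump the groups, keep the [LOCAL] section, write one Domain Local Group / Global Group pair per line) can be scripted so the mapping file is reviewable before the wizard's "Add" option grants any ACLs. This Python sketch is an added example, not part of the original post or of ADMT; the dump layout it parses is an assumption, and the domain EXAMPLE and all group and user names are constructed. Local groups with no Global Group member are returned separately for manual review.

```python
import csv
import io

# Constructed sample; assumed layout: [Section] headers, then Name,Comment,Member,... lines.
SAMPLE_DUMP = """\
[User]
jsmith,John Smith,,Salesman,,,,
[Global]
Sales GG,Sales staff,jsmith,
Managers GG,,mjones,
[Local]
Salesmen,Sales share access,EXAMPLE\\Sales GG,EXAMPLE\\Managers GG,EXAMPLE\\jsmith,
Archive,Old data,EXAMPLE\\mjones,
"""

def parse_sections(text):
    """Return {lowercased section name: [row, ...]} from the dump text."""
    sections, current = {}, None
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        first = row[0].strip()
        if len(row) == 1 and first.startswith("[") and first.endswith("]"):
            current = sections.setdefault(first[1:-1].lower(), [])
        elif current is not None:
            current.append([c.strip() for c in row])
    return sections

def build_mapping(text, domain):
    """Return (mapping lines, local groups that have no global group member)."""
    sections = parse_sections(text)
    global_names = {row[0].lower() for row in sections.get("global", [])}
    pairs, unmapped = [], []
    for row in sections.get("local", []):
        hits = []
        for member in filter(None, row[2:]):
            prefix, _, name = member.rpartition("\\")
            # Users and groups from other domains are never mapped.
            if prefix.lower() in ("", domain.lower()) and name.lower() in global_names:
                hits.append(name)
        for name in dict.fromkeys(hits):  # de-duplicate, keep order
            pairs.append(f"{domain}\\{row[0]},{domain}\\{name}")
        if not hits:
            unmapped.append(row[0])
    return pairs, unmapped

if __name__ == "__main__":
    pairs, unmapped = build_mapping(SAMPLE_DUMP, "EXAMPLE")
    print("\n".join(pairs), "\nReview by hand:", unmapped)
```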
