Re: question on using migration tool and user groups
- From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
- Date: Wed, 16 Nov 2005 05:39:48 GMT
Hi,
FSMT does not migrate the Domain Local Groups to the local SAM of member
servers. Because the SIDs do not map to valid accounts within the local SAM
database of the member server the users are denied access. This is most
apparent when you open object picker from a resource on the member server
and you find you are not able to enumerate Domain Local Groups in the list.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>>From: "gary" <garym_jacksonfurniture_dontspamme_@xxxxxxxxxxx>
>>Subject: Re: question on using migration tool and user groups
>>Date: Tue, 15 Nov 2005 16:43:04 -0500
>>
>>but I thought the point of the migration tool was that you didn't have to do
>>all that?
>>
>>If the windows 2003 server is on the domain, why does it not recognize the
>>group, but it does recognize individual users?
>>
>>gary
>>
>>
>>
>>
>>"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>news:i%23Jmq1Y6FHA.3892@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hi Gary,
>>>
>>> 1. To correct this we used Addusers.exe from the Windows 2000 Resource Kit
>>> in order to dump all groups and their membership to a text file. The
>>> syntax used to extract this is:
>>>
>>> addusers /d c:\SIDMapping.txt <domainname>
>>>
>>> 2. Once the groups were dumped to a text file we created a SID Mapping
>>> file using just the [LOCAL] section of the SIDMapping.txt file. The SID
>>> Mapping file uses a 1:1 mapping of Domain Local Group friendly names on
>>> the right, its Global Group member on the right, separated by a comma.
>>>
>>> 3. We edited the SIDMapping.txt file and added <theirdomainname\> in front
>>> of all the Domain Local Groups.
>>>
>>> 4. In cases where the Domain Local Group had more than one Global Group as
>>> its member, we copied the Domain Local Group to the next line down and
>>> added another Global Group until all Global Groups belonging to a Domain
>>> Local Group had a 1:1 mapping with the Domain Local Group.
>>>
>>> For example: Domain Local Group has these Global Groups as members; Global
>>> Group1, Global Group2, Global Group3. The SIDMapping.txt file should look
>>> like this:
>>>
>>> Domain\Domain Local Group,Domain\Global Group1
>>> Domain\Domain Local Group,Domain\Global Group2
>>> Domain\Domain Local Group,Domain\Global Group3
>>>
>>> 5. We installed ADMTv2 on the W2K3 member server holding the migrated data
>>> and ran the Security Translation Wizard.
>>> NOTE: No domain migration ever occurred, no protar.mdb existed, it does
>>> not matter if Active Directory exists or not.
>>>
>>> a. Open migrator.msc
>>> b. Right-click the top node and select "Security Translation Wizard"
>>> c. Select "Migrate now", Next.
>>> d. Select "Other objects specified in a file" and Browse to the
>>> SIDMapping.txt file.
>>> e. Click Add and enter the hostname of the server where the migrated data
>>> resides and click OK
>>> f. On the Translate Objects window place a check next to the object type
>>> you want to translate ACLs for and click Next.
>>> g. Select the "Add" radio button. This will Edit the ACL giving the
>>> Global Group permissions that match that of the Domain Local Group.
>>> h. Proceed with the Translation.
>>>
>>> NOTE: Cleanup of the ACLs can be done at a later time by running
>>> Security Translation again with the Remove option against a list of
>>> Domain Local Groups.
>>>
>>> btw, I found that this issue often happens in a mixed mode domain, does
>>> this fit your environment?
>>>
>>> Hope it helps.
>>>
>>> Vincent Xu
>>> Microsoft Online Partner Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>>
>>> --------------------
>>>>>From: "gary" <garym_jacksonfurniture_dontspamme_@xxxxxxxxxxx>
>>>>>Subject: question on using migration tool and user groups
>>>>>Date: Mon, 14 Nov 2005 14:11:44 -0500
>>>>>
>>>>>I used the migration tool to move folders from our windows 2000 file server
>>>>>to the windows 2003 file server.
>>>>>
>>>>>everything went fine, except for folders that were assigned to groups.
>>>>>
>>>>>I have a folder for our salesmen, and rather than assign individual rights
>>>>>to the folder, I created a salesman group, gave it full rights to the
>>>>>folder, and then add users to that group.
>>>>>
>>>>>after I used the migration tool to move the folder to the 2003 server I
>>>>>found that it did not seem to recognize the group, I had to go in and add
>>>>>each user individually.
>>>>>
>>>>>Now the 2003 server is just a member server, but that shouldn't matter, so
>>>>>what is happening here?
>>>>>
>>>>>I have several other folders the same way, and just want to have this
>>>>>figured out before I move any more.
>>>>>
>>>>>
>>>>>
>>>
>>
>>
>>
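The SID mapping file from steps 2 to 4 of the quoted procedure can be generated rather than hand-edited. The following is an added example, not part of the original thread: it reads the [Local] section of an addusers dump and writes one line per Global Group member, in the order shown in the thread's example lines. The dump layout (name,comment,member,... under [User]/[Global]/[Local]), the EXAMPLE domain and all group names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample. Assumed addusers /d layout: [User], [Global] and [Local]
# sections, with group lines of the form name,comment,member1,member2,...
SAMPLE_DUMP = """\
[User]
jsmith,John Smith,,Sales,,,,
[Global]
Sales East,East region,jsmith,
Sales West,West region,bjones,
[Local]
Salesmen,Sales share access,EXAMPLE\\Sales East,EXAMPLE\\Sales West,EXAMPLE\\jsmith,
Archive Readers,,EXAMPLE\\Sales East,
Empty Group,No members yet,
"""

def read_section(dump_text, section):
    """Return the CSV rows that belong to one [Section] of the dump."""
    rows, inside = [], False
    for row in csv.reader(io.StringIO(dump_text)):
        if not row:
            continue
        head = row[0].strip()
        if len(row) == 1 and head.startswith("[") and head.endswith("]"):
            inside = head[1:-1].lower() == section.lower()
        elif inside:
            rows.append([field.strip() for field in row])
    return rows

def build_sid_mapping(dump_text, domain):
    """Return (mapping_lines, skipped): one 'local,global' line per member."""
    global_groups = {r[0].lower() for r in read_section(dump_text, "Global")}
    lines, skipped = [], []
    for row in read_section(dump_text, "Local"):
        local_group, members = row[0], [m for m in row[2:] if m]
        for member in members:
            short_name = member.split("\\")[-1]
            if short_name.lower() in global_groups:
                qualified = member if "\\" in member else f"{domain}\\{member}"
                lines.append(f"{domain}\\{local_group},{qualified}")
            else:
                # Not a global group (e.g. a user added directly): report it.
                skipped.append((local_group, member))
    return lines, skipped

if __name__ == "__main__":
    print(*build_sid_mapping(SAMPLE_DUMP, "EXAMPLE")[0], sep="\n")
```

Members returned in `skipped` are accounts that sit directly in a local group; review them by hand before running the Security Translation Wizard, since the mapping file only pairs local groups with global groups.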