RE: Local groups migration
- From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
- Date: Thu, 24 Nov 2005 09:37:04 GMT
Hi,
First, FSMT does not migrate the Domain Local Groups to the local SAM of
member servers. Because the SIDs do not map to valid accounts within the
local SAM database of the member server, the users are denied access. This
is most apparent when you open object picker from a resource on the member
server and you find you are not able to enumerate Domain Local Groups in
the list.
To achieve your purpose,

1. We used Addusers.exe from the Windows NT 4.0 or Windows 2000 Resource
Kit in order to dump all groups and their membership to a text file. The
syntax used to extract this is:

    addusers /d c:\SIDMapping.txt <domainname>

2. Once the groups were dumped to a text file we created a SID Mapping
file using just the [LOCAL] section of the SIDMapping.txt file. The SID
Mapping file uses a 1:1 mapping of Domain Local Group friendly names on
the right, its Global Group member on the right, separated by a comma.

3. We edited the SIDMapping.txt file and added <theirdomainname\> in front
of all the Domain Local Groups.

4. In cases where the Domain Local Group had more than one Global Group as
its member, we copied the Domain Local Group to the next line down and
added another Global Group until all Global Groups belonging to a Domain
Local Group had a 1:1 mapping with the Domain Local Group.

For example: Domain Local Group has these Global Groups as members; Global
Group1, Global Group2, Global Group3. The SIDMapping.txt file should look
like this:

    Domain\Domain Local Group,Domain\Global Group1
    Domain\Domain Local Group,Domain\Global Group2
    Domain\Domain Local Group,Domain\Global Group3

5. We installed ADMTv2 on the W2K3 member server holding the migrated data
and ran the Security Translation Wizard.

NOTE: No domain migration ever occurred, no protar.mdb existed, it does
not matter if Active Directory exists or not.

   a. Open migrator.msc.
   b. Right-click the top node and select "Security Translation Wizard".
   c. Select "Migrate now", Next.
   d. Select "Other objects specified in a file" and browse to the
      SIDMapping.txt file.
   e. Click Add and enter the hostname of the server where the migrated
      data resides and click OK.
   f. On the Translate Objects window, place a check next to the object
      type you want to translate ACLs for and click Next.
   g. Select the "Add" radio button. This will edit the ACL, giving the
      Global Group permissions that match that of the Domain Local Group.
   h. Proceed with the Translation.

NOTE: Cleanup of the ACLs can be done at a later time by running Security
Translation again with the Remove option against a list of Domain Local
Groups.

Hope it helps.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>>Date: Thu, 24 Nov 2005 08:40:07 +0100
>>From: Ivan <garbage@xxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.migration
>>Subject: Local groups migration
>>
>>Hi,
>>
>>Microsoft Help suggests looking for an answer to my problem in the news
>>so here I am.
>>
>>I have a file server migration to do.
>>Source server is NT4 with local groups
>>Destination server is another server with W2K3
>>
>>The File Server Migration Toolkit doesn't migrate local groups, or so it
>>says.
>>
>>Since I want to robocopy the files from source server to destination
>>server, keeping ACLs, I want to migrate the local groups from one server
>>to the other.
>>
>>How do you do that?
>>
>>Sorry, I didn't find an answer using free tools on the Internet, nor
>>with the Microsoft website.
>>
>>Are there tools? Since both servers are in the same domain, I can't
>>seem to be able to use the AD Migration Toolkit.
>>
>>Moreover, I don't have rights to modify the AD, since it's another
>>company that reigns over it, and that won't provide any help in due time.
>>
>>Thanks in advance.
>>
>>PS : I won't be able to respond before another 12h. I can't read the
>>newsgroups at work, and I gotta go now.
>>
>>Ivan
>>
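
Added example, not part of the original posts: the hand edits in steps 2 to 4 of the reply above (keep only the [Local] section, prefix the domain, write one line per member) done as a script, so the mapping file can be reviewed before the wizard's "Add" option grants anything. The dump layout (name,comment,member,... per line), the function names, the CORP domain and the sample data are assumptions constructed for illustration.

```python
import csv

# Constructed sample of an "addusers /d" dump. The assumed layout is one
# group per line: name,comment,member,member,... under a [Local] header.
SAMPLE_DUMP = """\
[User]
jdoe,John Doe,,Sales user,,,,
[Global]
Sales Users,Sales staff,jdoe,
[Local]
Sales Data,Access to sales share,CORP\\Sales Users,CORP\\Sales Managers,
Archive,Read-only archive,Auditors,
Empty Group,No members,
"""


def local_section(dump_text):
    """Yield the non-empty lines between [Local] and the next section header."""
    in_local = False
    for line in dump_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_local = line.lower() == "[local]"
        elif in_local and line:
            yield line


def qualify(name, domain):
    """Prefix the domain unless the name already carries one (step 3)."""
    return name if "\\" in name else domain + "\\" + name


def build_sid_mapping(dump_text, domain):
    """Return (mapping_lines, groups_without_members)."""
    rows, skipped = [], []
    for fields in csv.reader(local_section(dump_text)):
        group = fields[0].strip()
        members = [m.strip() for m in fields[2:] if m.strip()]
        if not members:
            skipped.append(group)   # nothing to map; its ACEs stay untranslated
            continue
        for member in members:      # step 4: one line per member
            rows.append(qualify(group, domain) + "," + qualify(member, domain))
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = build_sid_mapping(SAMPLE_DUMP, "CORP")
    print("\n".join(rows))
    print("No members, not mapped:", skipped)
```

Each output line results in a permission being added on the target server, so the list of mapped members and the list of skipped groups are both worth checking against the intended access before running the translation.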