Re: Home Directory Re-Permissions and Reset Profile



Well, MS is telling us they cannot guarantee any future Service Packs or OSs
will have the "fix" for single label domains, and said there could be issues
with Exchange 2003 if it isn't compliant. So, since we are so huge (over
100,000 workstations world wide), we decided we better take our medicine now
and fix it.

Thanks for the info. The SIDs should not be an issue as with the Quest
software we have the SID filtering disabled, so the "old" user SIDs will
resolve and reside for a short while (through the migration) with the "new"
user SID. Then the product has a built-in SID History Cleanup module to run
once all the way done with all sites.

Luckily again, we are not doing quotas.

Good safety tip on the XCACLS limits. I will look more into that but I think
since we are breaking it down site by site over a number of weeks, I hope
this won't be a big issue.

Thanks for the insight!!

"Gerry Hickman" wrote:

> Hi,
>
> We also run a single label domain with Win2k SP4, are you saying we'll
> have to change this if we want to run Exchange 2003?
>
> Anyway, regarding the home folders, the main problem I can see, is that
> you could end up with hundreds of thousands of broken SIDs if you're not
> careful. Adding new accounts is easy, but getting rid of the old ones is
> not (after you've moved) because they will not be resolvable.
>
> If you don't care about existing permissions, and it sounds like you
> don't, then consider zapping ALL ACLs from all home directories except
> for Everyone:F (or whatever) before the move, then just create new
> permission trees as needed. Bear in mind the users won't "own" their
> home directories if you do it this way, and this could lead to problems
> with:
>
> 1. Folder Redirection (not confirmed)
> 2. Quotas (if you are planning to use them)
>
> One other thing to look out for is that many of these tools will crash
> after the x-thousandth ACL change, and you'll have to zap all and then
> start all over again. One solution to this is to do it on a folder by
> folder basis, that way if it crashes, you only have to worry about one
> folder being messed up, and that's easy to fix.
>
> dave313 wrote:
>
> > Unfortunately, logic has nothing to do with this. We must move to a new
> > forest due to having a single label domain for the last 5 years to support
> > Exchange 2003 (and get compliant with Post-2000 SP4 world). So we are
> > migrating to a new forest and domains which in turn creates new accounts for
> > all users when they are migrated using a tool called the Quest AD Migration
> > Manager.
> >
> > Under normal circumstances the tool would take care of moving the user and
> > repermissioning all the directories, but due to the extreme cost we couldn't
> > buy it for all of our users so our seasonal user accounts are not covered.
> > We have to find a manual way to now assign the newly created domain account
> > to their original folder that is now on a server in the new domain. These
> > are about 15,000 accounts.
> >
> > Maybe the XCACLS will be the best way to go. The more I think about it that
> > likely is the best way, as the server name the home folders exist on is not
> > changing, just its domain, so the path in the home folder profile will not
> > technically change as only the server name is called in the UNC, not the
> > domain. Will have to see if the process we are using to copy the accounts
> > over is already snagging that home folder setting, and if not make sure it
> > is. This may not be as hard as we thought.
> >
> >
> > "Gerry Hickman" wrote:
> >
> >
> >>Hi dave313,
> >>
> >>I'm not sure what you mean. Are you saying some of these users will have
> >>TOTALLY new accounts created (but with the same FirstName/LastName as
> >>before). If so, they'll have new SIDs?? I don't see the logic to this...
> >>
> >>You can change the home drive mapping in AD using ADSI, and you can set
> >>permissions using CACLS, XCACLS.EXE or XCACLS.VBS or WMI or Win32 and
> >>C++ depending on your need.
> >>
> >>
> >>>We are in the midst of doing a forest migration using some software to assist.
> >>> However, due to budget limitations many of our accounts will not be able to
> >>>be moved. We will be doing another process to move the accounts, however we
> >>>wanted to try to use a script that would reset the users home directory path
> >>>profile, and re-permission the actual directory (that will still exist once
> >>>moved), so their new account in the new domain has access back to this
> >>>directory.
> >>>
> >>>Has anyone already developed a script that does this?
> >>>
> >>>Thanks for your help!!
> >>>
> >>
> >>
> >>--
> >>Gerry Hickman (London UK)
> >>
>
>
> --
> Gerry Hickman (London UK)
>
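
The folder-by-folder approach discussed in this thread, sketched as an added example (not code from any poster, and not part of the Quest tool). It uses `icacls`, the current built-in successor to CACLS, and assumes each home folder is named after the user's logon name; `D:\Home`, `NEWDOM` and the checkpoint file name are hypothetical. Each folder is granted to its own new-domain account rather than to Everyone, finished folders are checkpointed so a crash only costs the folder in progress, and ACEs that no longer resolve are reported.

```powershell
# Added example, not from the thread. Run elevated on the file server.
param(
    [string]$HomeRoot  = 'D:\Home',            # hypothetical home-folder root
    [string]$NewDomain = 'NEWDOM',             # hypothetical NetBIOS name of the new domain
    [string]$DoneLog   = '.\reperm-done.log'   # checkpoint: folders already finished
)

# Load the checkpoint so a rerun skips folders that already succeeded.
$done = @{}
if (Test-Path -LiteralPath $DoneLog) {
    Get-Content -LiteralPath $DoneLog | ForEach-Object { $done[$_] = $true }
}

foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    if ($done.ContainsKey($dir.Name)) { continue }
    $account = "$NewDomain\$($dir.Name)"   # assumption: folder name = logon name
    try {
        # Refuse to touch the folder unless the new account resolves to a SID.
        $nt = New-Object System.Security.Principal.NTAccount($account)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])

        # Grant only this user Modify, inherited by subfolders and files.
        & icacls.exe $dir.FullName /grant "${account}:(OI)(CI)M" /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /grant exited with $LASTEXITCODE" }

        # Make the user the owner of the whole tree.
        & icacls.exe $dir.FullName /setowner $account /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /setowner exited with $LASTEXITCODE" }

        # Report ACEs that still show as raw SIDs (no longer resolvable).
        (Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' } |
            ForEach-Object { Write-Warning "$($dir.Name): unresolved SID $($_.IdentityReference.Value)" }

        Add-Content -LiteralPath $DoneLog -Value $dir.Name
    } catch {
        Write-Warning "$($dir.Name): skipped - $($_.Exception.Message)"
    }
}
```

Folders whose account lookup fails are left untouched and stay out of the checkpoint, so they are retried on the next run once the account exists.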