Login scripts
sby
Guest





Posted: Mon Jan 10, 2005 10:41 pm    Post subject: Login scripts

Hi

I am migrating a win2k domain over to a win2k3 domain and have come across
a problem. In a transitional period I want to migrate the users over to the
new domain and leave the data in the old one. Everything is fine except I
have a problem with the login scripts.

I have a login script that I am testing which is a VBS file. All this file
does is map a drive from the win2k domain. The file is in the sysvol on the
win2k3 DC. It is set to run on startup through a GPO. When a domain user in
the win2k3 domain logs on it comes up with an access denied, but when I make
the same account Domain admins it works perfectly, so this to me suggests a
rights problem, but I don't know where.

Can anybody help or suggest a different way of doing this?

Thanks


SBY
Frances [MSFT]
Guest





Posted: Tue Jan 11, 2005 12:57 pm    Post subject: RE: Login scripts

Hi,

According to your description, I suggest you follow the steps below to
narrow down the problem.

Step 1:
==========
What is the result if you manually map the drive on the client machine?

Step 2:
==========
Use UNC, such as \\192.168.0.1 in Run box to access the shares in the
win2k domain.
Note: 192.168.0.1 is the file server's IP address.

If the same error occurs when you visit the shares by using UNC, please
help me gather the following information:

Question 1:
==============
Do you keep the SID history when migrating users and groups?
Generally, we will keep the SID history to access resources in the old
domain.

Question 2:
===============
Are the permissions on the shares in Win2k domain granted to users or
groups?
If you grant a group, which has the user accounts, the permission to access
the resource, after you migrate the user to the new domain, they are not
part of the old group, so they lose the permission to access the resource.
Please check the share permission and NTFS permission of the resource and
let me know if you grant the permission to the user directly.

If this is the issue, we need to re-ACL the resources.

This information is necessary for us to troubleshoot the issue.

I look forward to your reply.


Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
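
Added illustration, not part of the original thread or of the reply above: a simplified model of the access check behind Question 1 and Question 2. All SIDs, RIDs and ACEs are constructed, deny ACEs are ignored, and the trust is assumed to honour SID history.

```python
# Added illustration: simplified model of the access check behind "access denied".
# Every SID, RID and ACE below is constructed; deny ACEs and rights masks are left out.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"  # win2k domain (constructed)
NEW = "S-1-5-21-4444444444-5555555555-6666666666"  # win2k3 domain (constructed)


def token_sids(user, groups):
    """Build the logon token's SID set.

    `user` and each entry of `groups` are (sid, sid_history) pairs; the SID and
    every SID-history value of each principal end up in the token.
    """
    sids = set()
    for sid, history in [user, *groups]:
        sids.add(sid)
        sids.update(history)
    return sids


def is_allowed(token, dacl):
    """Access is granted when an allow ACE names any SID present in the token."""
    return any(ace_sid in token for ace_sid, _rights in dacl)


def re_acl_add(dacl, sid_map):
    """Re-ACL by adding: keep each old ACE and append one for the mapped new SID."""
    return dacl + [(sid_map[s], r) for s, r in dacl if s in sid_map]


def scenarios():
    # Folder on the win2k server, permitted by old-domain groups only.
    dacl = [(f"{OLD}-513", "read"), (f"{OLD}-1105", "modify")]
    old_user = token_sids((f"{OLD}-1201", []), [(f"{OLD}-513", []), (f"{OLD}-1105", [])])
    # Migrated account and group without SID history: no old-domain SID in the token.
    plain = token_sids((f"{NEW}-1301", []), [(f"{NEW}-513", []), (f"{NEW}-1405", [])])
    # Same account, but user and group were migrated with SID history.
    with_history = token_sids((f"{NEW}-1301", [f"{OLD}-1201"]),
                              [(f"{NEW}-513", []), (f"{NEW}-1405", [f"{OLD}-1105"])])
    added = re_acl_add(dacl, {f"{OLD}-1105": f"{NEW}-1405"})
    return {
        "old_user": is_allowed(old_user, dacl),
        "migrated_no_history": is_allowed(plain, dacl),
        "migrated_with_history": is_allowed(with_history, dacl),
        "migrated_after_re_acl": is_allowed(plain, added),
        "old_user_after_re_acl": is_allowed(old_user, added),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'allowed' if ok else 'access denied'}")
```

The last two results show that adding ACEs for the new-domain group, rather than replacing the old ones, grants access to migrated accounts while the win2k users keep theirs.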
sby
Guest





Posted: Tue Jan 11, 2005 6:19 pm    Post subject: RE: Login scripts

Thanks for your reply.

To answer your questions,

Step1 -- If you try as the user it gives a msg "access denied", but if you
put the user in the Domain Admins group it works fine.

Step2 -- It gives the same msg if you use the ip address.


Question1 --- No, SID history was not migrated to users and groups. I have
used the subinacl cmd util to migrate the folder rights and everything is
fine. When I try to use the Security Translation Wizard, I get err/msg about
the TcpipClientsupport reg key not set to 1. The registry key was not on the
PDC in the source domain, but even when I add it and restart I get the same
msg. I was concerned that if I used it I might have to translate all the
folders on the server, thus making users on the Win2k domain unable to access
them. Am I getting confused here?
I need in the interim to have the data on the win2k server available and
accessible to users on the Win2k domain and the users I have migrated to the
Win2k3 Domain for a short while, as I have 1000's of users to migrate over.


Question 2-- Yes, the ntfs permissions on the folders are by groups (ie:
domain users and some I have created). I do not grant access to user accounts
as this tends to cause massive admin problems with a lot of users.

Any help will be appreciated, and any further info required please let me
know.

Many thanks

SBY
Frances [MSFT]
Guest





Posted: Wed Jan 12, 2005 4:54 pm    Post subject: RE: Login scripts

Hello SBY,

According to your description, I believe it is probably a problem with the
subinacl cmd.


If the ACLs have not been changed, it is obvious that the domain user
cannot access the resources in the Win 2000 domain. No matter what steps
you take, you will always get "Access denied". The reason why the domain
admin can access the resources is probably due to some group nesting which
grants the admin group the permission.

To narrow down the problem, please follow the steps below to test whether a
user in win 2003 domain can access the shares in win 2000 domain when
granting related permissions.

Step 1: Create a testAccount in the Win 2003 domain.
Step 2: In the win 2000 domain, manually grant permissions in a share to
the testAccount.
Step 3: Test whether testAccount can access the share.

If it works, please recheck the subinacl cmd you used.

Any updates, let us get in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Frances [MSFT]
Guest





Posted: Thu Jan 13, 2005 4:04 pm    Post subject: RE: Login scripts

Hello Steve,

I read the information you provided for the new thread. It is different from
what you provided before. Since it is very important to troubleshoot the
problem, I would like to confirm it again.

1. Can the user manually map the drives to the share as a domain user? What
is the result when he uses UNC, such as \\192.168.0.1 in Run box to access
the shares in the win2k domain?

Note: 192.168.0.1 is the computer's IP address which has shares.

2. In addition to mapping drive, is there any special action in the script?
Generally speaking, we use logon script or startup script to deploy the GPO
to the client. If the script needs to perform some action beyond the normal
user privilege, you need to deploy this script as a startup script, which
uses the computer account to perform the script. For more detail about the
startup script, please refer to the following article:

To assign computer startup scripts
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/gptext_assigncomputerstartupscripts.htm


If the user can manually map the drive and access the resource without
"Access Denied", it is probably the VBScript problem, which is not
supported in this newsgroup.

If the script only maps drive for the user, I strongly recommend you use
"net use" command to access the shares. If it works, you can make a batch
file to map the drive. The syntax of "net use" command is in the following
article.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_use.mspx

Hope it helps. Any update, let us get in touch!



Best regards,

Frances He


Microsoft Online Partner Support