Windows Server

Rich Roller · Guest

On a very small network, I've been testing ADMT migrations: users & computers.
(NT4->WS2003)

I've had some problems with the Computer Migration Wizard, especially with the
dispatched agent failing due to "access denied". So I gave up on that and was
plannng to use moveuser.exe for local profile migration.

But here is the real problem that I have just discovered today and I don't know
how to get out of: When I run GPEDIT.MSC and view the User Rights policies
under Comp.Config\Win.Settings\Loc.Policies, I see a lot of important policies
where some of the group names are not showing and instead I'm seeing
*S-1-5-32-548, -549 & -550.

As a result I've been having problems on that XP machine for certain
non-administrator users, which include logging in, ability to do a shutdown,
etc.

I'm not sure what caused this policy "corruption", but I suspect it may be a
result of a previous ADMT migration. The one that I suspect most is Computer
Migration Wizard becuase of the screen "Translate Objects" which has all 7
objects selected by default, including: Local Groups, Registry, User Rights,
etc, etc. I always left all 7 selected.

Do you think I'm right to suspect that this was the cause?

How could I reset XP so that it sees & displays the correct groups (instead of
SID's) and get myself out of this mess?

HELP! I cannot afford to wipe this XP machine. I didn't spare lab machine to
use so I had to use a real one from production (mine).

Thanks in advance!

Rich

Vincent Xu [MSFT] · Guest

Hi Rich,

I think the problem is really strange. So I'd like to confirm that the
problematic PC now is in the old domain or the new domain? If it is still
in old domain, I think this issue may not related to the migration.

In addtion, you may tried to add a local user into one of the user rights
to see if the user name is displayed.

I also suggest you go to registry
key:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList to see these SIDs in user rights assigment
belong to which user.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

--------------------

Rich Roller · Guest

Vincent,

Yes it is strange.

The problem PC is in the NEW domain. The problems appeared after I did ADMT
Computer Migration. I have a strong suspicion that its option to Translate
Objects (e.g. Local Groups, Registry, User Profiles, User Rights) caused the
problems.

The SID's that don't resolve to group names are wellknown SID's that
correspond to Built-in Groups such as Account/System/Printer Operators. I
don't know if these particular "broken SID's" are causing me problems, but I
do think that they indicate there was some sort of problem.

On the XP machine I was able to fix the logon problem by making a change to
the Default Domain Controllers "Logon Locally" policies. But I believe that
change was just overriding the root problem which I believe is that the
local security objects/policies/registry on the XP machine got messed up.

The logon locally problem was the first that I noticed on the XP PC, but
after that I noticed also that non-administrator users couldn't choose
"Start, Shutdown, Shutdown" (only option is "Logoff"), could not turn off
firewall, etc. So I believe that changes to local policy/settings are
causing more widespread problems.

What would be most useful to me right now would be to find more detailed
technical information/advice about what exactly does ADMT Computer Migration
do for each of the Translate Object choices (as listed at top). Then I
might be able to investigate the things that it changes ON THE XP CLIENT
machine and perhaps fix them? As long as there aren't too many changes that
the wizard/agent made, I might be able to change them back.

Or if there was some magic ADMT roll-back option where I could undo the
computer migration? But even if that existed, I'm not sure if I would trust
it. ;-) And, I don't really want to migrate the PC back to the old
domain... I just want it to work properly in the new domain.

Thanks.

-Rich

"Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com> wrote in message
news:mLPaFOmwFHA.580@TK2MSFTNGXA01.phx.gbl...

Rich Roller · Guest

p.s. The problem where I couldn't turn off firewall has been fixed... it was
not related.

"Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote in message
news:uJ2NTPqwFHA.908@tk2msftngp13.phx.gbl...

Rich Roller · Guest

I haven't heard from Jo Wu for awhile in the private newsgroup. If he's
still actively researching my problem he hasn't told me so. Hopefully I'll
hear from him. -Rich

"Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com> wrote in message
news:6Fkkff0wFHA.768@TK2MSFTNGXA01.phx.gbl...

Vincent Xu [MSFT] · Guest

Hi Rich,

Thank you for your clarifying.

Mostly, this issue may occur because the migration is not completely and
these sid belongs to the groups in old domain. So It display incorrectly.

I noticed that you have post the same issue in private newsgroup and my
colleague Joe is working with you. I have contact Joe that I'd like to
suggest you keep up folllowing that thread due to Joe is a very senior
specialist. Hope your problme would be fixed there.

Thank you for using Microsoft Newsgroup.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

--------------------

Vincent Xu [MSFT] · Guest

Hi Rich,

I have confirmed with Joe that he is working with you and will keep update.
Hope everything goes well.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

--------------------

	Windows Server Forum Index -> Migration	All times are GMT
Page 1 of 1