migrate primary group setting??
moparmanimal@gmail.com
Guest
Posted: Wed Oct 12, 2005 12:50 am    Post subject: migrate primary group setting??

Hey all,
We use the primary group setting on the user account to identify what
department someone belongs to and map drives and other things based on
that. When I migrate a user (2k3 source domain to 2k3 target domain),
the primary group is not only not set but they are not a member of that
group either. All other group memberships are intact and the group in
question has been migrated with SIDHistory and is working fine.

For example: User A is a member of the group "Dummies" and this group
is set as primary in the source domain. In the target domain, after
migration, user A's primary group is set to the default (Domain Users)
and he is not a member of the group "Dummies". I have to manually add
the user to the group and set it as primary. After that everything
works as it should.

What would cause that?

Thanks a bunch,

Chris
Clackamas County, OR
Ada Pan [MSFT]
Guest
Posted: Wed Oct 12, 2005 12:50 pm    Post subject: RE: migrate primary group setting??

Hi Chris,

Based on my research, this problem occurs because of the method that the
Active Directory Migration Tool uses to migrate users from a different
Active Directory forest. When you migrate a user from a different Active
Directory forest, the Active Directory Migration Tool does not migrate the
user object. Instead, the Active Directory Migration Tool makes a call into
an Active Directory API LDAP_MOVE function. Generally, the LDAP_MOVE
function requires that the user who you migrate is not a member of a global
group. If the user that you migrate is a member of a global group, the
global group membership breaks after the migration is complete.

However, this requirement does not apply to users who are members of the
Domain Users group. Membership in the Domain Users group is considered an
implicit membership and occurs when that user is a member of a particular
domain. You do not have to explicitly add the user to the Domain Users
group, but an attribute is assigned to that user object to indicate
membership in the Domain Users group. If you set a user's primary group to
a security group other than the Domain Users group, the following three
behaviors occur:

- The user is now an explicit member of the Domain Users group.

- The user is no longer an explicit member of the security group that you
defined as that user's new primary group.

- The user is now an implicit member of the security group that you defined
as that user's new primary group.


This problem occurs because the Active Directory Migration Tool removes a
user from all global groups except the Domain Users group before it calls
the LDAP_MOVE function. Therefore, when you try to migrate a user whose
primary group is not the Domain Users group, the migration does not
succeed.

To work around this issue, I would suggest you follow the sequence of
accounts and objects migration which have been addressed in Figure 9.8 in
the following article.

Migration of a Windows NT 4.0 Account Domain to Active Directory
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp9.mspx

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
moparmanimal@gmail.com
Guest
Posted: Wed Oct 12, 2005 8:51 pm    Post subject: Re: migrate primary group setting??

WOW. Great explanation! Thanks for the response!

I have actually migrated objects in the right order. Groups first, then
users, both with SIDHistory - it's not that the user migration fails -
it's that the membership to the primary group gets dropped.

Your explanation did clarify the process for me though. I definitely
appreciate that. The bummer is that there seems to be no way around the
issue except for a script that'll fix the group membership after
migration. There just doesn't seem to be a magic checkbox for this one...
Ada Pan [MSFT]
Guest
Posted: Thu Oct 13, 2005 12:50 pm    Post subject: Re: migrate primary group setting??

Hi Chris,

Glad to hear the information is helpful.

If you need further assistance on scripts, please feel free to submit your
question to windows.server.scripting newsgroup.

Regards,

Ada Pan

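
The post-migration fix-up script mentioned in the thread, sketched as an added example that is not from either poster or from Microsoft. It relies on the fact that a user's primary group is stored as a RID in the user's primaryGroupID attribute, not in the group's member list. It assumes the ActiveDirectory PowerShell module is available, that migrated groups kept their sAMAccountName, and the function name and server names are hypothetical.

```powershell
# Added example: restore each migrated user's primary group in the target domain.
# Restore-PrimaryGroup and the server names in the usage line are hypothetical.
Import-Module ActiveDirectory

function Restore-PrimaryGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SourceServer,
        [Parameter(Mandatory)] [string]   $TargetServer,
        [Parameter(Mandatory)] [string[]] $SamAccountName
    )
    foreach ($name in $SamAccountName) {
        try {
            $src = Get-ADUser -Identity $name -Server $SourceServer `
                              -Properties primaryGroupID -ErrorAction Stop
            # 513 is the RID of Domain Users, the default primary group.
            if ($src.primaryGroupID -eq 513) { continue }

            # Primary group SID = source domain SID + RID from primaryGroupID.
            $groupSid = '{0}-{1}' -f $src.SID.AccountDomainSid, $src.primaryGroupID
            $srcGroup = Get-ADGroup -Identity $groupSid -Server $SourceServer -ErrorAction Stop

            # Assumption: the migrated group has the same sAMAccountName.
            $tgtGroup = Get-ADGroup -Identity $srcGroup.SamAccountName -Server $TargetServer `
                                    -Properties primaryGroupToken -ErrorAction Stop
            $tgtUser  = Get-ADUser -Identity $name -Server $TargetServer `
                                   -Properties primaryGroupID, memberOf -ErrorAction Stop
        } catch {
            Write-Warning "Skipping ${name}: $($_.Exception.Message)"
            continue
        }
        # Already correct in the target domain: nothing to do.
        if ($tgtUser.primaryGroupID -eq $tgtGroup.primaryGroupToken) { continue }

        if ($PSCmdlet.ShouldProcess($name, "set primary group to $($tgtGroup.SamAccountName)")) {
            # The user must be an explicit member before the group can become primary.
            if ($tgtUser.memberOf -notcontains $tgtGroup.DistinguishedName) {
                Add-ADGroupMember -Identity $tgtGroup -Members $tgtUser -Server $TargetServer
            }
            # primaryGroupToken on the group is the RID that primaryGroupID expects.
            Set-ADUser -Identity $tgtUser -Server $TargetServer `
                       -Replace @{ primaryGroupID = $tgtGroup.primaryGroupToken }
        }
    }
}
# Dry run first (hypothetical server names):
# Restore-PrimaryGroup -SourceServer dc1.source.example -TargetServer dc1.target.example -SamAccountName userA -WhatIf
```

Because the primary group never appears in the user's memberOf or the group's member attribute, any access review that reads only those attributes will miss it; check primaryGroupID as well when auditing the migrated accounts.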