DCPromo, Permissions & Users

By razz2
OK, I have my ideas on the answer to this but would
love some input as I have never run across such a
bizarre, yet well entrenched design. I have a new client
with workstations running mostly Win98. A few are
XPPro. The last tech sold them a server and Win2k
Server. All licensing is correct, but under review. BUT,
he created all local users (over 20 of them) instead of
setting up a Domain and AD. My guess is he did not
know how from what I have seen. Effectively it's P2P.
The XP stations have matching Local acct's created that
the users log in as. All stations have static private IPs
and manually mapped drives. I will be setting up this
LAN on AD with Domain Users & Groups, DHCP, DNS,
and user home directories etc. Here is the area of
concern. When I do dcpromo I will lose all the local
acct's. I will have to create Domain acct's. What will
happen to file permissions? I am assuming I will have
to reassign the new acct's to the old files or simply
move files to the user dir. What about accounting
database files and the like that can not be moved? Is
there a way to migrate the local acct's to domain
thereby maintaining any SIDs? When the XP users
now logon as a domain user, and not their local user,
they will get a new profile and I will have to move their
my documents as well. Any ideas on the smoothest
way to have the domain but still have user access to
their files?

All Comments

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

Point value changed by question poster.

DCPromo, Permissions & Users

by ewgny In reply to DCPromo, Permissions & Us ...

Yes, when you DCPromo you will lose all local user
accounts. Since you only have about 20 users, the best thing to do is start from scratch. I don't think it is possible to migrate the SIDs or use SID History etc. Even if you could, it would be more difficult than creating new accounts.
You may want to take the opportunity to organize your folder structure so when you set permissions for your new security groups, they will be inherited down. As far as the mapped drives are concerned, you can create bat files to map the drives. They would go in your scripts folder inside your sysvol folder. Then just apply the needed script to each individual user account, depending on what drives they need mapped.

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

Thanks for the answer (very fast), but perhaps I misstated. I will
be doing logon.bat's and the user directories with permissions set as
needed etc. I am very familiar with all the design and admin of what I
need. I was planning on starting from scratch with the accounts as
well, but the concern is file access to existing files both on the server
and local xp boxes. If I start with new "domain" accounts the ACL on
the files will not reflect the user's new account. On the server I can
assign permissions with only a few issues. On the workstations many
of the users have a lot of local files. The ACL will contain the "owner"
as the "local" account, not the "domain" account. I am trying to avoid
and upgrade to Domain and AD without causing a massive amount of
file access errors.

DCPromo, Permissions & Users

by kmcniff In reply to DCPromo, Permissions & Us ...

Yes, you will lose all local users on the server but not on the local workstations. You are also correct that SIDs will change and therefore ACLs will no longer be valid.
To help, you could script the CACLS or XCACLS utilities to export all of the ACLs for the file system on the server (run this at night when the system is not being used!). Take the output file and analyze the ACLs. You can then take this and modify the file with the new user/group names to script the ACLs with the updated SIDs.
I have used this same technique in enterprise migrations. Test your scripting on a test box (server or workstation, it doesn't matter, just 2k/xp ntfs5). After you get it working you will have a script for doing a number of things like security analysis of the file system, or a host of migration issues.
CACLS is provided with NT/2K/XP and XCACLS is a resource kit utility. I have used these utilities and associated scripts to harden servers and other file system fixes.
Remember that permissions on printers and shares will also need to be fixed. Just document who needs what.

The bottom line is this will proceed as well as it is planned and tested. This is a good opportunity to hone skills for that much larger project. Also remember to BACKUP everything before making ANY changes, Murphy is waiting.
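
An added example of the export-and-rewrite approach described in the post above (not code from the thread): it parses a saved cacls listing and builds `cacls /E /G` commands for the matching domain accounts, setting aside entries that a plain grant cannot reproduce. The account names, paths and `CORP` domain are hypothetical, the sample listing is constructed, and multi-line "special access" listings are outside its scope.

```python
import re

# Constructed sample in cacls's column layout: continuation ACEs are padded
# to the column where the first ACE starts.
SAMPLE = r"""
D:\Acct Data\ledger.mdb SERVER1\jsmith:F
                        BUILTIN\Administrators:F

D:\Shared SERVER1\mjones:(OI)(CI)C
          SERVER1\jsmith:(OI)(IO)R
          NT AUTHORITY\SYSTEM:(OI)(CI)F

D:\Solo.txt SERVER1\mjones:R
"""

# Hypothetical old-local -> new-domain mapping; only F, C, R are auto-granted.
ACCOUNT_MAP = {r"SERVER1\jsmith": r"CORP\jsmith", r"SERVER1\mjones": r"CORP\mjones"}
SIMPLE = re.compile(r"((?:\([A-Z]+\))*)([FCR])")

def split_block(block, accounts):
    """Return (path, [ace, ...]) for one file's lines of cacls output."""
    if len(block) > 1:  # continuation indent marks where the path ends
        col = len(block[1]) - len(block[1].lstrip())
        return block[0][:col].rstrip(), [block[0][col:]] + [l.strip() for l in block[1:]]
    for old in accounts:  # single ACE: locate a known trustee from the right
        idx = block[0].rfind(" " + old + ":")
        if idx > 0:
            return block[0][:idx], [block[0][idx + 1:]]
    return None, []  # no mapped trustee on this file, nothing to do

def plan(text, accounts=ACCOUNT_MAP):
    """Build cacls grant commands plus a list of ACEs needing manual review."""
    commands, review, block = [], [], []
    for line in text.splitlines() + [""]:
        if line.strip() and (not block or line[0].isspace()):
            block.append(line)
            continue
        if block:  # blank line or new path: flush the finished block
            path, aces = split_block(block, accounts)
            for ace in aces:
                trustee, _, perm = ace.partition(":")
                if trustee not in accounts:
                    continue
                m = SIMPLE.fullmatch(perm)
                if m and "(IO)" not in m.group(1):
                    commands.append(f'cacls "{path}" /E /G {accounts[trustee]}:{m.group(2)}')
                else:  # deny, write-only or inherit-only entries: review by hand
                    review.append((path, ace))
        block = [line] if line.strip() else []
    return commands, review
```

Inheritance flags such as (OI)(CI) are not carried into the generated commands, so compare the resulting ACLs on directories against the export on a test box before running the output on the server.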

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

I had already figured it out by the time I read this, but this was the most logical solution. (Wish I had thought of it.) Quick note that the local server accounts DID migrate automatically. 3 or 4 of them had some logon issues and I recreated them no problem. Then I just used GPOs for folder redirection on the XP & 200 boxes, login scripts for the 9x boxes to map drives, and profiles for home directories. All is fine and good. Thanks for the ideas. I actually set up a test machine is how I figured out the solution. All the test accounts created on the test "member" server migrated with dcpromo, and all test permissions moved as well. Sorry it took so long to respond but I never got an email notification and never looked as I had it resolved.

DCPromo, Permissions & Users

by ewgny In reply to DCPromo, Permissions & Us ...

The answer for the local file problem is ...
move all of their local files onto the server where they should be anyway. They can then be backed up easier. They can access them via a mapped drive, and you can control access. Once your workstations get to a 2000/xp environment, you can use redirected folders via group policy instead. But in the meantime access via a mapped drive should suffice. It might be a pain to move everything, but having files all over the network is a nightmare. You can do one user at a time so it should not disrupt normal operations.

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

Yeah, the file issue was ready to go with GPOs and redirection (maps on 9x boxes). The concern was the smoothest way to maintain permissions. All accounts DID migrate and then were cleared off the workstations. All is great. Thanks for the time you took.

DCPromo, Permissions & Users

by Widgey Woo In reply to DCPromo, Permissions & Us ...

You can set a GPO for the Domain to automatically move the My Documents path to a folder you designate. If you use the %username% variable in the path name, only the ADMINISTRATOR and the USER whose file it is have access.

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

That is exactly what I did. In fact had planned on GPOs anyway. Just was concerned with ACLs. The accounts on the member server DID migrate though, so no pain at all. Thanks for your time.

DCPromo, Permissions & Users

by razz2 In reply to DCPromo, Permissions & Us ...

This question was closed by the author
