Windows Vista Tips


Moving personal data folders from one server to another

 
 
Jim in Arizona

 
      10-16-2007
We have a server that we're getting ready to decommission. We bought a new
server with a few TB of space on it.

Our network uses Active Directory (server 2003) to keep everyone's personal
data folders (My Documents, Desktop, Application Data, Start Menu) on a
share on the server we're getting ready to decommission. The Active Directory
settings are on an OU level under "User Configuration/Windows
Settings/Folder Redirection". This works great however the problem has to do
with moving the personal folders from the share on the old server to the
share on the new server.

The security on the folders under each user's AD username is set to them
only. This is preventing me from copying the folders over to the new share.

Yes, of course I could take ownership but I would have to do this for at
least three folders individually per individual user account. This would be
taking ownership over potentially thousands of folders, one by one, and
setting new permissions on them all, one by one.

Is there a better way to do this? I sure hope so.

TIA,
Jim


 
 
 
 
 
Pegasus (MVP)

 
      10-16-2007

"Jim in Arizona" <> wrote in message
news:...
> We have a server that we're getting ready to decommission. We bought a new
> server with a few TB of space on it.
>
> Our network uses Active Directory (server 2003) to keep everyone's
> personal data folders (My Documents, Desktop, Application Data, Start
> Menu) on a share on the server we're getting ready to decommission. The
> Active Directory settings are on an OU level under "User
> Configuration/Windows Settings/Folder Redirection". This works great
> however the problem has to do with moving the personal folders from the
> share on the old server to the share on the new server.
>
> The security on the folders under each user's AD username is set to them
> only. This is preventing me from copying the folders over to the new
> share.
>
> Yes, of course I could take ownership but I would have to do this for at
> least three folders individually per individual user account. This would
> be taking ownership over potentially thousands of folders, one by one, and
> setting new permissions on them all, one by one.
>
> Is there a better way to do this? I sure hope so.
>
> TIA,
> Jim
>


Are you saying that the "Domain Admins" group has no access
to these folders?


 
 
Jim in Arizona

 
      10-16-2007
> Are you saying that the "Domain Admins" group has no access
> to these folders?


No. In fact, I can't even read the permissions (unless the folder is my
own).

Each individual user has a folder with their name (ie: jsmith), within that
are three folders: Application Data, Desktop and My Documents. It's those 3
folders that have the strict permissioning set on them.

When I view the folders with my name on, the permissions are set to me and
System. This appears to be the default security permissions when folder
redirection is set using AD GP.

Looking further throughout the web and doing a little experimentation, it
appears that I can use NTBACKUP to get the job done, which will also retain
the permissions when I restore the file on the new server. I have found no
other way of doing it otherwise.


 
 
Pegasus (MVP)

 
      10-17-2007

"Jim in Arizona" <> wrote in message
news:...
>> Are you saying that the "Domain Admins" group has no access
>> to these folders?

>
> No. In fact, I can't even read the permissions (unless the folder is my
> own).
>
> Each individual user has a folder with their name (ie: jsmith), within that
> are three folders: Application Data, Desktop and My Documents. It's those
> 3 folders that have the strict permissioning set on them.
>
> When I view the folders with my name on, the permissions are set to me and
> System. This appears to be the default security permissions when folder
> redirection is set using AD GP.
>
> Looking further throughout the web and doing a little experimentation, it
> appears that I can use NTBACKUP to get the job done, which will also
> retain the permissions when I restore the file on the new server. I have
> found no other way of doing it otherwise.
>


From what you report it appears that the only accounts that
have access to the user's folder are
a) The user's own account
b) The System account
with the user presumably being the owner. This is a most
unusual setting. Since you appear to run ntbackup.exe as
a scheduled job under the System account, it would be able
to access the folders.

I can see two ways for you to transfer the data to the new
server:
- Change the permissions so that domain admins can access it, or
- Create a scheduled task under the system account that copies
the files to a suitable transfer medium, e.g. a portable disk. This
task could use ntbackup.exe, xcopy.exe or robocopy.exe.
The latter two have switches that will copy the ACLs.
Ntbackup.exe automatically copies ACLs.

Note that it is not the COMMAND that determines access
rights but the ACCOUNT under which it is run.


 
 
Jim in Arizona

 
      10-17-2007

"Pegasus (MVP)" <> wrote in message
news:...
>
> From what you report it appears that the only accounts that
> have access to the user's folder are
> a) The user's own account
> b) The System account
> with the user presumably being the owner. This is a most
> unusual setting. Since you appear to run ntbackup.exe as
> a scheduled job under the System account, it would be able
> to access the folders.
>
> I can see two ways for you to transfer the data to the new
> server:
> - Change the permissions so that domain admins can access it, or
> - Create a scheduled task under the system account that copies
> the files to a suitable transfer medium, e.g. a portable disk. This
> task could use ntbackup.exe, xcopy.exe or robocopy.exe.
> The latter two have switches that will copy the ACLs.
> Ntbackup.exe automatically copies ACLs.
>
> Note that it is not the COMMAND that determines access
> rights but the ACCOUNT under which it is run.


It would seem that when you set up folder redirection in an AD group policy,
the folders on the share that is specified are created with only the user
and system having access rights to the My Documents, Desktop and Application
Data folders (and the start menu if that was also redirected).

ntbackup was successful in backing up, then restoring everyone's individual
folders to the new server location. ntbackup was run with a domain admin
account.

The security settings on the individual folders are the way they're supposed
to be, as far as I know. No other settings were changed when setting up
folder redirection.

I just ran a test. I ran ntbackup as a domain admin on the server where
users' folders are. These folders have the security permissions mentioned
above where only the user and system are able to gain access and I can't
even READ the permissions (unless it's my own folders). I used ntbackup to
back up the users folder (and all folders/files within). I then moved the bkf
file over to my workstation and performed a restore of the backup. In the
advanced options, I chose a new location (my C Drive) and chose not to
restore security settings/permissions on the restore. Once the restore was
done, I was able to access all folders/files within with no problem. At
least regular users don't have such capabilities (I checked).


 
 
Pegasus (MVP)

 
      10-17-2007

"Jim in Arizona" <> wrote in message
news:...
>
> "Pegasus (MVP)" <> wrote in message
> news:...
>>
>> From what you report it appears that the only accounts that
>> have access to the user's folder are
>> a) The user's own account
>> b) The System account
>> with the user presumably being the owner. This is a most
>> unusual setting. Since you appear to run ntbackup.exe as
>> a scheduled job under the System account, it would be able
>> to access the folders.
>>
>> I can see two ways for you to transfer the data to the new
>> server:
>> - Change the permissions so that domain admins can access it, or
>> - Create a scheduled task under the system account that copies
>> the files to a suitable transfer medium, e.g. a portable disk. This
>> task could use ntbackup.exe, xcopy.exe or robocopy.exe.
>> The latter two have switches that will copy the ACLs.
>> Ntbackup.exe automatically copies ACLs.
>>
>> Note that it is not the COMMAND that determines access
>> rights but the ACCOUNT under which it is run.

>
> It would seem that when you set up folder redirection in an AD group
> policy, the folders on the share that is specified are created with only
> the user and system having access rights to the My Documents, Desktop and
> Application Data folders (and the start menu if that was also redirected).
>
> ntbackup was successful in backing up, then restoring everyone's
> individual folders to the new server location. ntbackup was run with a
> domain admin account.
>
> The security settings on the individual folders are the way they're
> supposed to be, as far as I know. No other settings were changed when
> setting up folder redirection.
>
> I just ran a test. I ran ntbackup as a domain admin on the server where
> users' folders are. These folders have the security permissions mentioned
> above where only the user and system are able to gain access and I can't
> even READ the permissions (unless it's my own folders). I used ntbackup to
> back up the users folder (and all folders/files within). I then moved the
> bkf file over to my workstation and performed a restore of the backup. In
> the advanced options, I chose a new location (my C Drive) and chose not to
> restore security settings/permissions on the restore. Once the restore was
> done, I was able to access all folders/files within with no problem. At
> least regular users don't have such capabilities (I checked).
>


Thanks for the feedback. If this was my own server then I would
probe further why ntbackup.exe should be able to access the
users' folders when you can't. What you report is totally at variance
with my understanding of permissions - they are always account-
specific, never tool-specific.
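
The robocopy route mentioned in the thread, as an added example that is not any poster's code: a PowerShell wrapper that copies the redirection root with ACLs and owners intact using robocopy's backup mode (`/B`), which relies on the SeBackupPrivilege and SeRestorePrivilege that Administrators and Backup Operators hold rather than on each folder's ACL. The server names, share names and log path are placeholders.

```powershell
# Added example: hypothetical server and share names; adjust before use.
$Source      = '\\OLDSRV\Users$'      # assumed old redirection root
$Destination = '\\NEWSRV\Users$'      # assumed new redirection root
$Log         = "$env:TEMP\redir-migrate.log"

# Backup mode only works if the token holds these privileges (Administrators
# and Backup Operators do by default); robocopy enables them itself.
$held = (whoami /priv) -join "`n"
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    if ($held -notmatch $p) { throw "$p missing: run from an elevated prompt." }
}

function Invoke-Mirror([switch]$ListOnly) {
    $opts = @(
        '/E'          # all subfolders, including empty ones
        '/COPYALL'    # data, attributes, timestamps, ACL, owner, audit info
        '/B'          # backup mode: read/write regardless of the files' ACLs
        '/XJ'         # do not follow junction points
        '/R:1', '/W:1'
        '/NP', "/LOG+:$Log"
    )
    if ($ListOnly) { $opts += '/L' }  # /L reports what would be copied
    & robocopy.exe $Source $Destination @opts | Out-Null
    return $LASTEXITCODE
}

# Robocopy's exit code is a bitmask; 8 and 16 indicate failures.
function Test-RoboFailure([int]$Code) { return ($Code -band 24) -ne 0 }

# Dry run first, so access problems show up before any data is written.
$rc = Invoke-Mirror -ListOnly
if (Test-RoboFailure $rc) { throw "Dry run failed (exit $rc); see $Log" }

$rc = Invoke-Mirror
if (Test-RoboFailure $rc) { throw "Copy failed (exit $rc); see $Log" }
"Copy finished with exit code $rc; review $Log for skipped items."
```

Because the copy carries the original owner and ACL entries across, the destination folders stay restricted to each user and System, and membership of Backup Operators or Administrators on the file server is what needs to be tightly controlled.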


 