Security settings changed when using File Server Migration Wizard

Discussion in 'Server Migration' started by Paul, Nov 5, 2004.

  1. Paul

    Paul Guest

    Hi,

    I am in the middle of migrating the files on a Win 2000 server to 2003 and I
    have come accross a problem when using the File Server Migration Wizard. All
    the files get copied accross and most of the security settings on the share
    are ok. But, I have some folders that as well as having group access have
    individual people set up for access too, these individuals don't get copied
    accross even though the groups do. The log file for the wizard says that it
    has "cleaned up the security" and says that "DACL ACE" have been removed and
    "Owner replaced by Built in Administrator". What does this mean, is this
    what's causing the users to disappear?

    Any help would be much appreciated!
     
    Paul, Nov 5, 2004
    #1
    1. Advertisements

  2. Hello Paul,

    Thank you for posting. My name is Carsyn, and it is my pleasure to work
    with you on this issue.

    From your post, my understanding on this issue is: the user profile missed
    after migration . If I'm off base, please feel free to let me know.

    Target objects are given the same default security descriptor (ACL) which a
    newly created object would be given. The users in the Universal Group will
    not be migrated directly. Please check it first to make sure if the users
    you are missing belong to the universal group.

    Please let me know the information above so that I can provide further
    assistance on this problem. I am looking forward to your reply.

    If you have any questions or concerns, please do not hesitate to let me
    know. I am happy to be of further assistance. Thank you for your time and
    cooperation!

    Sincerely,
    Carsyn Gu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | Thread-Topic: Security settings changed when using File Server Migration
    Wizard
    | thread-index: AcTDXD54GgJWi2AtR4u7WAlfyjnTeg==
    | X-WBNR-Posting-Host: 212.135.192.130
    | From: "=?Utf-8?B?UGF1bA==?=" <>
    | Subject: Security settings changed when using File Server Migration Wizard
    | Date: Fri, 5 Nov 2004 09:24:02 -0800
    | Lines: 13
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:15020
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | Hi,
    |
    | I am in the middle of migrating the files on a Win 2000 server to 2003
    and I
    | have come accross a problem when using the File Server Migration Wizard.
    All
    | the files get copied accross and most of the security settings on the
    share
    | are ok. But, I have some folders that as well as having group access
    have
    | individual people set up for access too, these individuals don't get
    copied
    | accross even though the groups do. The log file for the wizard says that
    it
    | has "cleaned up the security" and says that "DACL ACE" have been removed
    and
    | "Owner replaced by Built in Administrator". What does this mean, is this
    | what's causing the users to disappear?
    |
    | Any help would be much appreciated!
    |
     
    Carsyn Gu [MSFT], Nov 8, 2004
    #2
    1. Advertisements

  3. Paul

    Paul Guest

    Hi,

    Thanks for this but it doesn't solve my problem.

    I have migrated all the users into active directory using the exchange
    migration wizard and that worked fine.

    The users accounts on the new 2003 server are identical to the ones on the
    2000 server, the only difference is that in 2000 they are just in the users
    folder but in 2003 I have created groups within users folder.

    Using the file server migration wizard I am trying to copy a shared folder
    which has read/write access defined for administrators and a user group and
    an individual user. The folder is copied ok and most of the permissions are
    copied, only the individual user is missing.

    I look forward to hearing from you.

    Paul
     
    Paul, Nov 8, 2004
    #3
  4. Paul

    Paul Guest

    Hi,

    An extra thing that I've just noticed is that if I untick the "Resolve
    Invalid Security Descriptors" box the copied folders have "Account Unknown"
    added as a user in the permissions. Obviously it isn't finding the users
    that have been migrated but as far as I can see the accounts are the same.

    Any ideas?
     
    Paul, Nov 8, 2004
    #4
  5. Paul

    Paul Guest

    ....also, the source and destination servers are on different domains, does
    the wizard cope with this?
     
    Paul, Nov 8, 2004
    #5
  6. Hi Paul,

    Thanks for your reply.

    We need to check if the SIDHistory has been migrated from the Windows 2000
    domain to the Windows 2003 domain. The SIDHistry is very important for ADMT
    to resolve the account (SID) of the old domain to the mapping account in
    the new domain. If SID is not transferred, we will encounter the issue.

    "Resolve Invalid Security Descriptors" option has the following features:

    For Deny ACEs that have unresolvable SIDs, the wizard replaces the
    unresolvable SID with the Everyone SID (could become an issue)
    For Allow ACEs that have unresolvable SIDs, the ACE is dropped
    For Audit ACEs that have unresolvable SIDs, the ACE is dropped
    For an owner that has an unresolvable SID, the owner is set to the
    local Administrators group
    And finally, for a group that has an unresolvable SID, the group
    is set to the local Administrators group.

    In this case, the accounts that cannot be resolved were dropped. Therefore,
    we need to check if the SID History has been transferred and be used to be
    resolved the account mapping between the old domain and the new domain.

    Please let me know if above information helps. Looking forward of your
    reply.

    Sincerely,
    Carsyn Gu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | Thread-Topic: Security settings changed when using File Server Migration
    Wiz
    | thread-index: AcTFhXJnG+eoJui2SLqQIMkGt0LhEQ==
    | X-WBNR-Posting-Host: 212.135.192.130
    | From: "=?Utf-8?B?UGF1bA==?=" <>
    | References: <>
    <>
    <>
    <>
    | Subject: RE: Security settings changed when using File Server Migration
    Wiz
    | Date: Mon, 8 Nov 2004 03:24:01 -0800
    | Lines: 120
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:15081
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | ...also, the source and destination servers are on different domains,
    does
    | the wizard cope with this?
    |
    | "Paul" wrote:
    |
    | > Hi,
    | >
    | > An extra thing that I've just noticed is that if I untick the "Resolve
    | > Invalid Security Descriptors" box the copied folders have "Account
    Unknown"
    | > added as a user in the permissions. Obviously it isn't finding the
    users
    | > that have been migrated but as far as I can see the accounts are the
    same.
    | >
    | > Any ideas?
    | >
    | > "Paul" wrote:
    | >
    | > > Hi,
    | > >
    | > > Thanks for this but it doesn't solve my problem.
    | > >
    | > > I have migrated all the users into active directory using the
    exchange
    | > > migration wizard and that worked fine.
    | > >
    | > > The users accounts on the new 2003 server are identical to the ones
    on the
    | > > 2000 server, the only difference is that in 2000 they are just in the
    users
    | > > folder but in 2003 I have created groups within users folder.
    | > >
    | > > Using the file server migration wizard I am trying to copy a shared
    folder
    | > > which has read/write access defined for administrators and a user
    group and
    | > > an individual user. The folder is copied ok and most of the
    permissions are
    | > > copied, only the individual user is missing.
    | > >
    | > > I look forward to hearing from you.
    | > >
    | > > Paul
    | > >
    | > > "Carsyn Gu [MSFT]" wrote:
    | > >
    | > > > Hello Paul,
    | > > >
    | > > > Thank you for posting. My name is Carsyn, and it is my pleasure to
    work
    | > > > with you on this issue.
    | > > >
    | > > > From your post, my understanding on this issue is: the user profile
    missed
    | > > > after migration . If I'm off base, please feel free to let me know.
    | > > >
    | > > > Target objects are given the same default security descriptor (ACL)
    which a
    | > > > newly created object would be given. The users in the Universal
    Group will
    | > > > not be migrated directly. Please check it first to make sure if the
    users
    | > > > you are missing belong to the universal group.
    | > > >
    | > > > Please let me know the information above so that I can provide
    further
    | > > > assistance on this problem. I am looking forward to your reply.
    | > > >
    | > > > If you have any questions or concerns, please do not hesitate to
    let me
    | > > > know. I am happy to be of further assistance. Thank you for your
    time and
    | > > > cooperation!
    | > > >
    | > > > Sincerely,
    | > > > Carsyn Gu
    | > > > Microsoft Online Partner Support
    | > > >
    | > > > Get Secure! - www.microsoft.com/security
    | > > >
    | > > > =====================================================
    | > > > When responding to posts, please "Reply to Group" via
    | > > > your newsreader so that others may learn and benefit
    | > > > from your issue.
    | > > > =====================================================
    | > > >
    | > > > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    | > > >
    | > > > --------------------
    | > > > | Thread-Topic: Security settings changed when using File Server
    Migration
    | > > > Wizard
    | > > > | thread-index: AcTDXD54GgJWi2AtR4u7WAlfyjnTeg==
    | > > > | X-WBNR-Posting-Host: 212.135.192.130
    | > > > | From: "=?Utf-8?B?UGF1bA==?=" <>
    | > > > | Subject: Security settings changed when using File Server
    Migration Wizard
    | > > > | Date: Fri, 5 Nov 2004 09:24:02 -0800
    | > > > | Lines: 13
    | > > > | Message-ID: <>
    | > > > | MIME-Version: 1.0
    | > > > | Content-Type: text/plain;
    | > > > | charset="Utf-8"
    | > > > | Content-Transfer-Encoding: 7bit
    | > > > | X-Newsreader: Microsoft CDO for Windows 2000
    | > > > | Content-Class: urn:content-classes:message
    | > > > | Importance: normal
    | > > > | Priority: normal
    | > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | > > > | Newsgroups: microsoft.public.windows.server.migration
    | > > > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | > > > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | > > > | Xref: cpmsftngxa10.phx.gbl
    microsoft.public.windows.server.migration:15020
    | > > > | X-Tomcat-NG: microsoft.public.windows.server.migration
    | > > > |
    | > > > | Hi,
    | > > > |
    | > > > | I am in the middle of migrating the files on a Win 2000 server to
    2003
    | > > > and I
    | > > > | have come accross a problem when using the File Server Migration
    Wizard.
    | > > > All
    | > > > | the files get copied accross and most of the security settings on
    the
    | > > > share
    | > > > | are ok. But, I have some folders that as well as having group
    access
    | > > > have
    | > > > | individual people set up for access too, these individuals don't
    get
    | > > > copied
    | > > > | accross even though the groups do. The log file for the wizard
    says that
    | > > > it
    | > > > | has "cleaned up the security" and says that "DACL ACE" have been
    removed
    | > > > and
    | > > > | "Owner replaced by Built in Administrator". What does this mean,
    is this
    | > > > | what's causing the users to disappear?
    | > > > |
    | > > > | Any help would be much appreciated!
    | > > > |
    | > > >
    | > > >
    |
     
    Carsyn Gu [MSFT], Nov 9, 2004
    #6
  7. Paul

    Paul Guest

    Thanks for this, how do I migrate the sid history though?

     
    Paul, Nov 10, 2004
    #7
  8. Hi Paul,

    Please refer to the following link to perform the migration.

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;832221

    Let me know if you need any further help.

    Sincerely,
    Carsyn Gu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | Thread-Topic: Security settings changed when using File Server Migration
    Wiz
    | thread-index: AcTHS1Wwfg8iE7icQAm0tBY9v76icw==
    | X-WBNR-Posting-Host: 212.135.192.130
    | From: "=?Utf-8?B?UGF1bA==?=" <>
    | References: <>
    <>
    <>
    <>
    <>
    <>
    | Subject: RE: Security settings changed when using File Server Migration
    Wiz
    | Date: Wed, 10 Nov 2004 09:33:04 -0800
    | Lines: 228
    | Message-ID: <>
    | MIME-Version: 1.0
    | Content-Type: text/plain;
    | charset="Utf-8"
    | Content-Transfer-Encoding: 7bit
    | X-Newsreader: Microsoft CDO for Windows 2000
    | Content-Class: urn:content-classes:message
    | Importance: normal
    | Priority: normal
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:15181
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | Thanks for this, how do I migrate the sid history though?
    |
    | "Carsyn Gu [MSFT]" wrote:
    |
    | > Hi Paul,
    | >
    | > Thanks for your reply.
    | >
    | > We need to check if the SIDHistory has been migrated from the Windows
    2000
    | > domain to the Windows 2003 domain. The SIDHistry is very important for
    ADMT
    | > to resolve the account (SID) of the old domain to the mapping account
    in
    | > the new domain. If SID is not transferred, we will encounter the issue.
    | >
    | > "Resolve Invalid Security Descriptors" option has the following
    features:
    | >
    | > For Deny ACEs that have unresolvable SIDs, the wizard replaces
    the
    | > unresolvable SID with the Everyone SID (could become an issue)
    | > For Allow ACEs that have unresolvable SIDs, the ACE is dropped
    | > For Audit ACEs that have unresolvable SIDs, the ACE is dropped
    | > For an owner that has an unresolvable SID, the owner is set to
    the
    | > local Administrators group
    | > And finally, for a group that has an unresolvable SID, the
    group
    | > is set to the local Administrators group.
    | >
    | > In this case, the accounts that cannot be resolved were dropped.
    Therefore,
    | > we need to check if the SID History has been transferred and be used to
    be
    | > resolved the account mapping between the old domain and the new domain.
    | >
    | > Please let me know if above information helps. Looking forward of your
    | > reply.
    | >
    | > Sincerely,
    | > Carsyn Gu
    | > Microsoft Online Partner Support
    | >
    | > Get Secure! - www.microsoft.com/security
    | >
    | > =====================================================
    | > When responding to posts, please "Reply to Group" via
    | > your newsreader so that others may learn and benefit
    | > from your issue.
    | > =====================================================
    | >
    | > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    | >
    | > --------------------
    | > | Thread-Topic: Security settings changed when using File Server
    Migration
    | > Wiz
    | > | thread-index: AcTFhXJnG+eoJui2SLqQIMkGt0LhEQ==
    | > | X-WBNR-Posting-Host: 212.135.192.130
    | > | From: "=?Utf-8?B?UGF1bA==?=" <>
    | > | References: <>
    | > <>
    | > <>
    | > <>
    | > | Subject: RE: Security settings changed when using File Server
    Migration
    | > Wiz
    | > | Date: Mon, 8 Nov 2004 03:24:01 -0800
    | > | Lines: 120
    | > | Message-ID: <>
    | > | MIME-Version: 1.0
    | > | Content-Type: text/plain;
    | > | charset="Utf-8"
    | > | Content-Transfer-Encoding: 7bit
    | > | X-Newsreader: Microsoft CDO for Windows 2000
    | > | Content-Class: urn:content-classes:message
    | > | Importance: normal
    | > | Priority: normal
    | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | > | Newsgroups: microsoft.public.windows.server.migration
    | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | > | Xref: cpmsftngxa10.phx.gbl
    microsoft.public.windows.server.migration:15081
    | > | X-Tomcat-NG: microsoft.public.windows.server.migration
    | > |
    | > | ...also, the source and destination servers are on different domains,
    | > does
    | > | the wizard cope with this?
    | > |
    | > | "Paul" wrote:
    | > |
    | > | > Hi,
    | > | >
    | > | > An extra thing that I've just noticed is that if I untick the
    "Resolve
    | > | > Invalid Security Descriptors" box the copied folders have "Account
    | > Unknown"
    | > | > added as a user in the permissions. Obviously it isn't finding the
    | > users
    | > | > that have been migrated but as far as I can see the accounts are
    the
    | > same.
    | > | >
    | > | > Any ideas?
    | > | >
    | > | > "Paul" wrote:
    | > | >
    | > | > > Hi,
    | > | > >
    | > | > > Thanks for this but it doesn't solve my problem.
    | > | > >
    | > | > > I have migrated all the users into active directory using the
    | > exchange
    | > | > > migration wizard and that worked fine.
    | > | > >
    | > | > > The users accounts on the new 2003 server are identical to the
    ones
    | > on the
    | > | > > 2000 server, the only difference is that in 2000 they are just in
    the
    | > users
    | > | > > folder but in 2003 I have created groups within users folder.
    | > | > >
    | > | > > Using the file server migration wizard I am trying to copy a
    shared
    | > folder
    | > | > > which has read/write access defined for administrators and a user
    | > group and
    | > | > > an individual user. The folder is copied ok and most of the
    | > permissions are
    | > | > > copied, only the individual user is missing.
    | > | > >
    | > | > > I look forward to hearing from you.
    | > | > >
    | > | > > Paul
    | > | > >
    | > | > > "Carsyn Gu [MSFT]" wrote:
    | > | > >
    | > | > > > Hello Paul,
    | > | > > >
    | > | > > > Thank you for posting. My name is Carsyn, and it is my pleasure
    to
    | > work
    | > | > > > with you on this issue.
    | > | > > >
    | > | > > > From your post, my understanding on this issue is: the user
    profile
    | > missed
    | > | > > > after migration . If I'm off base, please feel free to let me
    know.
    | > | > > >
    | > | > > > Target objects are given the same default security descriptor
    (ACL)
    | > which a
    | > | > > > newly created object would be given. The users in the Universal
    | > Group will
    | > | > > > not be migrated directly. Please check it first to make sure if
    the
    | > users
    | > | > > > you are missing belong to the universal group.
    | > | > > >
    | > | > > > Please let me know the information above so that I can provide
    | > further
    | > | > > > assistance on this problem. I am looking forward to your reply.
    | > | > > >
    | > | > > > If you have any questions or concerns, please do not hesitate
    to
    | > let me
    | > | > > > know. I am happy to be of further assistance. Thank you for
    your
    | > time and
    | > | > > > cooperation!
    | > | > > >
    | > | > > > Sincerely,
    | > | > > > Carsyn Gu
    | > | > > > Microsoft Online Partner Support
    | > | > > >
    | > | > > > Get Secure! - www.microsoft.com/security
    | > | > > >
    | > | > > > =====================================================
    | > | > > > When responding to posts, please "Reply to Group" via
    | > | > > > your newsreader so that others may learn and benefit
    | > | > > > from your issue.
    | > | > > > =====================================================
    | > | > > >
    | > | > > > This posting is provided "AS IS" with no warranties, and
    confers no
    | > rights.
    | > | > > >
    | > | > > > --------------------
    | > | > > > | Thread-Topic: Security settings changed when using File
    Server
    | > Migration
    | > | > > > Wizard
    | > | > > > | thread-index: AcTDXD54GgJWi2AtR4u7WAlfyjnTeg==
    | > | > > > | X-WBNR-Posting-Host: 212.135.192.130
    | > | > > > | From: "=?Utf-8?B?UGF1bA==?=" <>
    | > | > > > | Subject: Security settings changed when using File Server
    | > Migration Wizard
    | > | > > > | Date: Fri, 5 Nov 2004 09:24:02 -0800
    | > | > > > | Lines: 13
    | > | > > > | Message-ID:
    <>
    | > | > > > | MIME-Version: 1.0
    | > | > > > | Content-Type: text/plain;
    | > | > > > | charset="Utf-8"
    | > | > > > | Content-Transfer-Encoding: 7bit
    | > | > > > | X-Newsreader: Microsoft CDO for Windows 2000
    | > | > > > | Content-Class: urn:content-classes:message
    | > | > > > | Importance: normal
    | > | > > > | Priority: normal
    | > | > > > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    | > | > > > | Newsgroups: microsoft.public.windows.server.migration
    | > | > > > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    | > | > > > | Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    | > | > > > | Xref: cpmsftngxa10.phx.gbl
    | > microsoft.public.windows.server.migration:15020
    | > | > > > | X-Tomcat-NG: microsoft.public.windows.server.migration
    | > | > > > |
    | > | > > > | Hi,
    | > | > > > |
    | > | > > > | I am in the middle of migrating the files on a Win 2000
    server to
    | > 2003
    | > | > > > and I
    | > | > > > | have come accross a problem when using the File Server
    Migration
    | > Wizard.
    | > | > > > All
    | > | > > > | the files get copied accross and most of the security
    settings on
    | > the
    | > | > > > share
    | > | > > > | are ok. But, I have some folders that as well as having
    group
    | > access
    | > | > > > have
    | > | > > > | individual people set up for access too, these individuals
    don't
    | > get
    | > | > > > copied
    | > | > > > | accross even though the groups do. The log file for the
    wizard
    | > says that
    | > | > > > it
    | > | > > > | has "cleaned up the security" and says that "DACL ACE" have
    been
    | > removed
    | > | > > > and
    | > | > > > | "Owner replaced by Built in Administrator". What does this
    mean,
    | > is this
    | > | > > > | what's causing the users to disappear?
    | > | > > > |
    | > | > > > | Any help would be much appreciated!
    | > | > > > |
    | > | > > >
    | > | > > >
    | > |
    | >
    | >
    |
     
    Carsyn Gu [MSFT], Nov 11, 2004
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.