fiyona
asked on
administrator migration
Hi,
i have shared folders on a server in nt domain. and unfortunaltely nt domain administrator is the acl list for some reason. when i perform security translation as a part of nt migration to active directory, i had no problem except the fact that it doesnt translate security related administrator account in nt domain. to start with , i figure that since admt doesnt migrate local buil-in account, it can not also translae security related with this accout.
is there any way to overome this issue. ?
thanks
Fiyona
Thanks
i have shared folders on a server in nt domain. and unfortunaltely nt domain administrator is the acl list for some reason. when i perform security translation as a part of nt migration to active directory, i had no problem except the fact that it doesnt translate security related administrator account in nt domain. to start with , i figure that since admt doesnt migrate local buil-in account, it can not also translae security related with this accout.
is there any way to overome this issue. ?
thanks
Fiyona
Thanks
Here's some examples: Old domain is called abc and new domain is called xyz
subinacl /share \\servername\* /migratetodomain=abc=xyz (modifies share permissions on all shares on 'servername')
subinacl /printer \\servername\* /migratetodomain=abc=xyz (modifies printer permissions)
subinacl /subdirectories C:\* /migratetodomain=abc=xyz (modifies ntfs permissions on all files/subdirectories on the C: drive)
subinacl /share \\servername\* /migratetodomain=abc=xyz (modifies share permissions on all shares on 'servername')
subinacl /printer \\servername\* /migratetodomain=abc=xyz (modifies printer permissions)
subinacl /subdirectories C:\* /migratetodomain=abc=xyz (modifies ntfs permissions on all files/subdirectories on the C: drive)
ASKER
Hi
thanks for the answer. I was going to test it but i am having some issue with my envronment. I have insalled this subinacl on my NTbox and when i type the command subinacl /share \\servername\* /migratetodomain=abc=xyz or subinacl /subdirectories C:\* /migratetodomain=abc=xyz, i am getting this error message saying that " the procedure entry point getfilesizeEx couldnt be located in the dynamic link library kernel2.dll. do i need to make some confiuration. maybe it is just NT problem.
and do i need to run this command after performing security translation on the server or before .
thanks.
Fiyona
thanks for the answer. I was going to test it but i am having some issue with my envronment. I have insalled this subinacl on my NTbox and when i type the command subinacl /share \\servername\* /migratetodomain=abc=xyz or subinacl /subdirectories C:\* /migratetodomain=abc=xyz, i am getting this error message saying that " the procedure entry point getfilesizeEx couldnt be located in the dynamic link library kernel2.dll. do i need to make some confiuration. maybe it is just NT problem.
and do i need to run this command after performing security translation on the server or before .
thanks.
Fiyona
ASKER
Hi,
Finally i made some test. I didnt have the problem with windows2000. but when run the command subinacl /share \\servername\* /migratetodomain=abc=xyz. it really translate ntdomain\admins to addomain\admins. No problem, thanks to you.
But when i type subinacl /subdirectories C:\* /migratetodomain=abc=xyz , it doesnt translate.
can you think of any reason as to why it can not do it when it comes to NTFS .
thanks
F.
Finally i made some test. I didnt have the problem with windows2000. but when run the command subinacl /share \\servername\* /migratetodomain=abc=xyz. it really translate ntdomain\admins to addomain\admins. No problem, thanks to you.
But when i type subinacl /subdirectories C:\* /migratetodomain=abc=xyz , it doesnt translate.
can you think of any reason as to why it can not do it when it comes to NTFS .
thanks
F.
ASKER
Sorry again, i ve just run the command again, this time it did translate.
tomorrow i am going to make it more test and let you know but thanks again as it saves me lots of time.
Fiyona
tomorrow i am going to make it more test and let you know but thanks again as it saves me lots of time.
Fiyona
I think the problem is NT. It works fine on Windows 2000.
NT is the problem...
System Requirements
Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP
You can download and install SubInACL.exe on the following operating systems:
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows XP Professional
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
System Requirements
Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP
You can download and install SubInACL.exe on the following operating systems:
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows XP Professional
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
ASKER
Hi,
It worked ver well. let me ask you one more thing then i am okey.fisrt i translate security by add option ( ADMT ). then i run the subinacl. finally i run security translator with remove option to remove entriers to ntdomain. In this point i had administrator ( nt\administrator ) and administrator( ad\administrator). same with the domain admins golbal group.
Now how can i get rif of administrator(nt\administr ator ) and domain admins(nt\domain admins ) entries
thanks lot
F.
It worked ver well. let me ask you one more thing then i am okey.fisrt i translate security by add option ( ADMT ). then i run the subinacl. finally i run security translator with remove option to remove entriers to ntdomain. In this point i had administrator ( nt\administrator ) and administrator( ad\administrator). same with the domain admins golbal group.
Now how can i get rif of administrator(nt\administr
thanks lot
F.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, it worked fine.
jus to confirm my strategy. i am gonna make morre test with real data but ;
i migrate server
security translation with add option,
subinacl to translate administartor/ domain admins etc
security translation with remove
subinacl with change domain option.
thanks
F.
jus to confirm my strategy. i am gonna make morre test with real data but ;
i migrate server
security translation with add option,
subinacl to translate administartor/ domain admins etc
security translation with remove
subinacl with change domain option.
thanks
F.
Looks good to me.
Good luck :-)
Good luck :-)
ASKER
thanks
F.
F.
The solution is to use a command line utility called Subinacl.exe with the /migratedodomain switch. It can scan share permissions and ntfs permissions; where it finds olddomain\domain admins, it will add newdomain\domain admins in the same way as ADMT security translation does for other groups.
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en