Solved

administrator migration

Posted on 2007-10-17
Last Modified: 2013-12-28
Hi,
I have shared folders on a server in an NT domain, and unfortunately the NT domain administrator is in the ACL list for some reason. When I perform security translation as part of the NT migration to Active Directory, I had no problem except for the fact that it doesn't translate security related to the administrator account in the NT domain. To start with, I figure that since ADMT doesn't migrate local built-in accounts, it also cannot translate security related to this account.
Is there any way to overcome this issue?

thanks

Fiyona

Question by:fiyona
12 Comments
 
LVL 10

Expert Comment

by:Darylx
ID: 20093818
I've had this problem.  As you say, ADMT doesn't migrate built in groups.

The solution is to use a command line utility called Subinacl.exe with the /migratetodomain switch.  It can scan share permissions and NTFS permissions; where it finds olddomain\domain admins, it will add newdomain\domain admins in the same way as ADMT security translation does for other groups.

http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

0
 
LVL 10

Expert Comment

by:Darylx
ID: 20093890
Here are some examples. The old domain is called abc and the new domain is called xyz:

subinacl /share  \\servername\* /migratetodomain=abc=xyz  (modifies share permissions on all shares on 'servername')

subinacl /printer  \\servername\* /migratetodomain=abc=xyz  (modifies printer permissions)

subinacl /subdirectories  C:\* /migratetodomain=abc=xyz  (modifies ntfs permissions on all files/subdirectories on the C: drive)
0
 

Author Comment

by:fiyona
ID: 20096763
Hi

Thanks for the answer. I was going to test it, but I am having some issues with my environment. I have installed subinacl on my NT box, and when I type the command subinacl /share  \\servername\* /migratetodomain=abc=xyz  or subinacl /subdirectories  C:\* /migratetodomain=abc=xyz, I get this error message saying that "the procedure entry point getfilesizeEx couldn't be located in the dynamic link library kernel2.dll". Do I need to do some configuration? Maybe it is just an NT problem.

And do I need to run this command after performing security translation on the server, or before?

thanks.

Fiyona
0
 

Author Comment

by:fiyona
ID: 20096974
Hi,

Finally I ran some tests. I didn't have the problem with Windows 2000. But when I run the command subinacl /share  \\servername\* /migratetodomain=abc=xyz, it really translates ntdomain\admins to addomain\admins. No problem, thanks to you.

But when I type subinacl /subdirectories  C:\* /migratetodomain=abc=xyz, it doesn't translate.

Can you think of any reason why it cannot do it when it comes to NTFS?

thanks

F.
0
 

Author Comment

by:fiyona
ID: 20096991
Sorry again, I've just run the command again, and this time it did translate.

Tomorrow I am going to do more tests and let you know, but thanks again as it saves me lots of time.

Fiyona
0
 
LVL 10

Expert Comment

by:Darylx
ID: 20099395
I think the problem is NT.  It works fine on Windows 2000.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 20099401
NT is the problem...

System Requirements
Supported Operating Systems: Windows 2000; Windows Server 2003; Windows XP

You can download and install SubInACL.exe on the following operating systems:

Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Windows XP Professional
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
0
 

Author Comment

by:fiyona
ID: 20100991
Hi,

It worked very well. Let me ask you one more thing, then I am okay. First I translate security with the add option (ADMT). Then I run subinacl. Finally I run the security translator with the remove option to remove entries for ntdomain. At this point I had administrator (nt\administrator) and administrator (ad\administrator). Same with the Domain Admins global group.

Now how can I get rid of the administrator (nt\administrator) and domain admins (nt\domain admins) entries?

Thanks a lot
F.
0
 
LVL 10

Accepted Solution

by:
Darylx earned 2000 total points
ID: 20101096
You could try the /changedomain switch (test it first; I haven't used it).
It should try to replace NT\administrator with AD\administrator.  It should see that AD\administrator is already there and pop up an error saying it's already there.


"/changedomain=OldDomainName=NewDomainName
Replaces all ACEs with an SID from OldDomainName with the equivalent SID found in NewDomainName.

/migratetodomain=SourceDomain=DestinationDomain
Adds ACEs found in SourceDomain for the specified object to DestinationDomain, while preserving the ACEs in SourceDomain. "
0
 

Author Comment

by:fiyona
ID: 20101189
Thanks, it worked fine.

Just to confirm my strategy. I am gonna run more tests with real data, but:

I migrate the server
security translation with add option,
subinacl to translate administrator / domain admins etc.
security translation with remove
subinacl with change domain option.

thanks

F.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 20101643
Looks good to me.  

Good luck :-)
0
 

Author Comment

by:fiyona
ID: 20102783
thanks

F.

0
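
A way to check the result of the sequence discussed in this thread before removing old-domain entries, as an added example that is not part of the original posts: the PowerShell script below walks a folder tree and lists explicit NTFS ACEs that still name the old domain, along with whether the matching new-domain ACE is already present. It assumes the thread's example domain names abc and xyz, a hypothetical root path D:\Shares, and a machine where PowerShell is available; it covers NTFS permissions only, not share permissions.

```powershell
# Added example: find NTFS ACEs that still reference the old domain.
# Assumptions: domains "abc"/"xyz" as in the thread's examples; $Root is a hypothetical path.
$Root      = 'D:\Shares'
$OldDomain = 'abc'
$NewDomain = 'xyz'

# The root folder itself plus everything beneath it (hidden/system items included).
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Explicit ACEs only: inherited entries are reported once, on the parent that sets them.
    $aces  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $names = @($aces | ForEach-Object { $_.IdentityReference.Value })

    foreach ($ace in $aces) {
        $id = $ace.IdentityReference.Value
        if ($id -like "$OldDomain\*") {
            # Old-domain ACE: is the same account name from the new domain on this ACL too?
            $account = $id.Substring($OldDomain.Length + 1)
            $status  = if ($names -contains "$NewDomain\$account") { 'NewAcePresent' }
                       else { 'NewAceMissing' }
        }
        elseif ($id -like 'S-1-5-21-*') {
            # Domain or machine account SID that no longer resolves to a name.
            $status = 'UnresolvedSid'
        }
        else { continue }

        [pscustomobject]@{
            Path     = $item.FullName
            Identity = $id
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Status   = $status
        }
    }
}

$findings | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
"{0} explicit ACE(s) still tied to '{1}' or to an unresolved SID" -f @($findings).Count, $OldDomain
```

Rows marked NewAceMissing are objects where the old-domain entry has no new-domain counterpart yet, so access would be lost if the old entry were removed at that point.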
