Solved

Moving a user from one DC to another

Posted on 2010-11-29
Last Modified: 2012-05-10
We have a total of 2 servers in our network; they are both domain controllers. The first one has Server 2003, Standard, Service Pack 2. The second one has Server 2008, 64-bit, Standard, Service Pack 2.
I want to move a user from the first DC to the other. At first I tried cutting and pasting, but then I got a warning pop-up telling me "Moving objects in Active Directory Domain Services can prevent your existing system from working the way it was designed..." So I did not copy/paste it. Then I saw I could also "move" it. So I moved it and I didn't get any warning pop-up. So I thought all was well.
The problem is that when I'm now logged in as this user I cannot see the network.
Is there any way I can cut/copy/move/transfer/(whatever you want to call it) a user from one DC to another without having this issue?
Question by:john8217
12 Comments
 

Expert Comment

by:Mike Kline
ID: 34232612
You don't move users between domain controllers. Active Directory uses multi-master replication, so users you create on DC1 should replicate to DC2 automatically. If they are in the same site the replication will happen in 15-20 seconds.

Check your event logs and use tools like dcdiag and repadmin to verify the health of your DCs.

Thanks


Mike

Expert Comment

by:KenMcF
ID: 34232624
Are the servers in two separate domains?

It sounds like you are just moving the user from one OU to another. If this is the case the warning is just saying that if you have any GPOs applied in one OU they may not be applied to the new OU you are moving it to. Or the new OU may have a new policy.

Expert Comment

by:fr0nk
ID: 34232714
As KenMcF stated, you cannot move users from one DC to another. I'm not quite sure what you have been doing. Probably you moved the user within dsa.msc.
Run rsop.msc on the client side before and after the moving to see if there have been changes in settings.
You can list the applied GPOs with gpresult /R in the section
  Applied Group Policy Objects
  -----------------------------


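An added example, not part of fr0nk's comment or anything posted in the thread: the "before and after" comparison suggested above, done from PowerShell with the GroupPolicy and ActiveDirectory RSAT modules (PowerShell 3 or later is assumed). It lists the precedence-ordered GPO links that reach an account's container, moves the account to another OU, and diffs the two lists. The account name and destination OU are placeholders taken from the thread; substitute your own.

```powershell
# Added example (not from the original thread): list the GPO links that reach a user's
# container, move the user to another OU, and diff the two lists.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules (PowerShell 3 or later);
# the account and the destination OU below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$User     = 'john8217'                                          # placeholder account
$TargetOu = 'OU=IT Guys,' + (Get-ADDomain).DistinguishedName    # placeholder destination OU

# Effective, precedence-ordered GPO links for an account. Get-GPInheritance already
# evaluates "block inheritance" and "Enforced" for the container, so the list it returns
# in InheritedGpoLinks is what the client will process, top to bottom.
function Get-EffectiveGpoLinks([string]$SamAccountName) {
    $dn        = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $container = ($dn -split ',(?=OU=|CN=|DC=)', 2)[1]    # strip the leading CN=<user>
    # Get-GPInheritance only understands OUs and the domain. An account in a plain
    # container such as CN=Users cannot be reached by OU links, so evaluate it at the
    # domain root, where the only links that can apply to it live.
    if ($container -notlike 'OU=*') { $container = (Get-ADDomain).DistinguishedName }
    $inh = Get-GPInheritance -Target $container
    foreach ($link in $inh.InheritedGpoLinks) {
        [pscustomobject]@{
            Order    = $link.Order
            Gpo      = $link.DisplayName
            LinkedAt = $link.Target
            Enforced = $link.Enforced
            Enabled  = $link.Enabled
        }
    }
}

$before = Get-EffectiveGpoLinks $User
Move-ADObject -Identity (Get-ADUser -Identity $User).DistinguishedName -TargetPath $TargetOu
$after  = Get-EffectiveGpoLinks $User

"Links reaching $User before the move:"; $before | Format-Table -AutoSize
"Links reaching $User after the move:";  $after  | Format-Table -AutoSize
"Changed (<= only before, => only after):"
Compare-Object $before $after -Property Gpo, LinkedAt, Enforced | Format-Table -AutoSize

# What actually applied at the user's last logon is still best read on the workstation:
#   gpresult /R /SCOPE USER /USER $User
```

The diff is the list to work from: any GPO that shows up only on the "after" side, or that survives the move because it is linked at the domain or Enforced, is a candidate for the setting that hides the network. Run the `gpresult` line on the client after a fresh logon to confirm the client agrees with what the directory says.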
Author Comment

by:john8217
ID: 34232927
Yes, KenMcF, now that you mention it I think that is what happened. I moved him from one OU to another OU (I'm obviously an Active Directory newbie).
Is there a way to move him from one OU to another and just have the policies of the new OU be applied to him?

Expert Comment

by:Mike Kline
ID: 34232938
Are the OUs nested or are they separate OUs? If they are separate, when you move him to the new OU the Group Policies linked at the previous OU should not apply anymore.

Thanks

Mike

Expert Comment

by:fr0nk
ID: 34232952
Depends on where your GPOs are linked.
Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.

Expert Comment

by:KenMcF
ID: 34232966
Yes, when you move a user from one OU to another the policies from the old OU will not be applied, just the policies that are linked to the new OU the user is moving into. That is why you are getting the warning. So depending on how your OU structure is set up this may not be a problem. So just be aware that the policies for that user account can change if moved. Like fr0nk said, you can use gpresult to see what is being applied, or you can use the Group Policy Management console.


Expert Comment

by:fr0nk
ID: 34232995
KenMcF: The problem is, when he linked it to the domain, it will be applied anyways. Or in the worst case he defined it in the default domain policy ;)

So, first figure out which GPO is causing this, look where it is linked, evaluate if the user is therefore applying it, disable it with any of the above mentioned approaches :)


Author Comment

by:john8217
ID: 34233516
The two OUs are not nested (so I guess there should be no problem, but there still is).
I like fr0nk's suggestions:
1) Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
2) Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
Um, how do I go about doing either of these things?

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 34233610
Number 2 is also known as security filtering, great step by step with screenshots here  http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

WMI filters can be a little more complicated depending on the filter.

There is also Item level targeting with group policy preferences.  The GP team has a good overview of all three here:   http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Thanks

Mike

Accepted Solution

by:fr0nk
fr0nk earned 1000 total points
ID: 34233642
I've made you some screenshots.

[screenshot: Hierarchy]
In the first picture you see 2 relevant policies: LocalAdmins (defined at domain level) and JohnsGPO (defined at OU=IT Guys).
If you specify a setting in a GPO and link it at domain level, it will be inherited by every account in every OU (IT Guys, Other People....).
If you specify a setting in a GPO and link it at the OU level, it will be applied by the users in that OU only.

If you specify the same setting at domain level and OU level, the OU setting wins.
Exception: you enforce (right-click the GPO -> Enforced) on a higher level.

When you want to start from "scratch" in an OU you can "block inheritance" for this OU. However, if the Enforced checkbox is set, the GPO will be applied anyway.

So you can do 2 things: block the inheritance, and ensure the GPO isn't linked to the OU
or
use the security settings to specifically deny the user the "read" right on the GPO.
[screenshot: GPO_Rights]
Kind regards.
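An added example, not part of fr0nk's accepted solution or Mike Kline's assisted solution above, doing two of the remedies they describe from PowerShell instead of the GPMC GUI: blocking inheritance on the destination OU and reporting which Enforced links still get through, and excluding one user from one GPO with an explicit Deny on the "Apply Group Policy" right (what the Delegation tab's security filtering writes). It assumes the GroupPolicy and ActiveDirectory RSAT modules and an account allowed to edit the OU and the GPO; the OU, GPO and user names are the thread's placeholders.

```powershell
# Added example (not from the original thread): block inheritance on an OU and
# security-filter one user out of one GPO, using the GroupPolicy and ActiveDirectory
# RSAT modules. OU, GPO and user names are placeholders from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OuDn    = 'OU=IT Guys,' + (Get-ADDomain).DistinguishedName   # placeholder OU
$GpoName = 'JohnsGPO'                                          # placeholder GPO
$User    = 'john8217'                                          # placeholder user

# --- (a) Block inheritance on the OU, then report what still applies. ---
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null
$inh = Get-GPInheritance -Target $OuDn
Write-Host "Inheritance blocked on $OuDn : $($inh.GpoInheritanceBlocked)"
# InheritedGpoLinks is the effective, precedence-ordered list. Links made at the OU
# itself stay; links from above survive only if they are Enforced.
foreach ($link in $inh.InheritedGpoLinks) {
    Write-Host ('  still applies: {0,-25} enforced={1,-5} linked at {2}' -f
        $link.DisplayName, $link.Enforced, $link.Target)
}

# --- (b) Deny "Apply Group Policy" to one user on one GPO (security filtering). ---
# Set-GPPermission can grant or remove rights but cannot write a Deny ACE, so the ACE
# is added to the GPO's directory object through the AD: drive instead.
$gpo    = Get-GPO -Name $GpoName
$adPath = 'AD:\' + $gpo.Path          # CN={guid},CN=Policies,CN=System,DC=...
$acl    = Get-Acl -Path $adPath
$sid    = (Get-ADUser -Identity $User).SID

# Well-known GUID of the "Apply Group Policy" extended right (controlAccessRight).
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight
)
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# Verify: Get-GPPermission shows the per-trustee result the GPMC Delegation tab displays.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Sid -eq $sid } |
    Format-Table Trustee, Permission, Denied -AutoSize
```

Two caveats a practitioner would want. First, a Deny ACE wins over any Allow the user gets through group membership, which is exactly why it is the simplest per-user exclusion, but it is also easy to forget; document it or prefer a dedicated "GPO-Exclusions" group as the trustee so the ACL stays readable. Second, since the MS16-072 update (KB3163622, June 2016) a client retrieves user-side GPOs in the computer's security context, so a GPO must stay readable by the computer (Authenticated Users or Domain Computers with Read); excluding a user by removing or denying Read, as suggested in the accepted answer, no longer behaves the way it did in 2010, whereas denying Apply Group Policy, as done above, still does.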

Expert Comment

by:fr0nk
ID: 34233663
Additionally, as mkline71 mentioned (thank you), you can use the more complicated WMI filtering. You should use this approach for a final solution, not for troubleshooting, since creating WMI filters is kind of... not pleasant ;P
