Moving a user from one DC to another

Posted on 2010-11-29
Last Modified: 2012-05-10
We have a total of 2 servers in our network, they are both domain controllers. The first one has Server 2003, Standard, service pack 2. The second one has Server 2008, 64-bit, Standard, service pack 2.
I want to move a user from the first DC to the other. At first I tried cutting and pasting but then I got a warning pop-up telling me "Moving objects in Active Directory Domain Services can prevent your existing system from working the way it was designed..." So I did not copy/paste it. Then I saw I could also "move" it. So I moved it and I didn't get any warning pop-up. So I thought all is well.
The problem is when I'm now logged in as this user I cannot see the network.
Is there any way I can cut/copy/move/transfer/(whatever you want to call it) a user from one DC to another without having this issue?
Question by:john8217
12 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232612
You don't move users between domain controllers.  Active Directory uses multi-master replication, so users you create on DC1 should replicate to DC2 automatically.  If they are in the same site the replication will happen in 15-20 seconds.

Check your event logs and use tools like dcdiag and repadmin to verify the health of your DCs.

Thanks

Mike
 
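The check Mike suggests, written out as an added PowerShell example (not code from the thread). It assumes two DCs named DC1 and DC2 and a user "john" (all hypothetical), and uses repadmin and dcdiag, which ship with Server 2008 and come from the Support Tools on Server 2003. It is the thing to run before concluding that a user "missing" on one DC is a replication problem rather than, as turned out here, an OU move.

```powershell
# Added example, not from the thread. DC1/DC2 and the user name are assumptions.
$DC1      = 'DC1'
$DC2      = 'DC2'
$UserName = 'john'

# Forest-wide summary of inbound/outbound replication with failure counts per DC.
repadmin /replsummary

# Per-partner detail as CSV; keep only links that have failed at least once.
# (repadmin's first CSV line is the header, so ConvertFrom-Csv names the columns.)
repadmin /showrepl * /csv |
    ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize

# The dcdiag tests that matter for "created on DC1, not on DC2".
dcdiag /s:$DC1 /test:replications /test:advertising /test:services
dcdiag /s:$DC2 /test:replications /test:advertising /test:services

# Recent Critical/Error/Warning events (levels 1-3) from the Directory Service log
# on each DC; remote event log access must be allowed through the firewall.
foreach ($dc in $DC1, $DC2) {
    "== $dc =="
    Get-WinEvent -ComputerName $dc -MaxEvents 20 `
        -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3 } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}

# Finally, ask each DC directly whether it holds the account, instead of trusting
# whichever DC the MMC console happened to bind to.
foreach ($dc in $DC1, $DC2) {
    "== $dc =="
    dsquery user -samid $UserName -s $dc
}
```

If `dsquery` returns the same distinguished name from both DCs and `repadmin /replsummary` shows zero failures, the account is replicated and the symptom is coming from policy or OU placement, not from replication.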
LVL 27

Expert Comment

by:KenMcF
ID: 34232624
Are the servers in two separate domains?

It sounds like you are just moving the user from one OU to another. If this is the case the warning is just saying that if you have any GPOs applied in one OU they may not be applied to the new OU you are moving it to. Or the new OU may have a new policy.
 
LVL 4

Expert Comment

by:fr0nk
ID: 34232714
As KenMcF stated, you cannot move users from one DC to another. I'm not quite sure what you have been doing. Probably you moved the user within dsa.msc.
Run rsop.msc on the client side before and after the moving to see if there have been changes in settings.
You can list the applied GPOs with gpresult /R, in the section:

  Applied Group Policy Objects
  -----------------------------
 

Author Comment

by:john8217
ID: 34232927
Yes, KenMcF, now that you mentioned it I think that is what happened. I moved him from one OU to another OU (I'm obviously an Active Directory newbie).
Is there a way to move him from one OU to another and just have the policies of the new OU be applied to him?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232938
Are the OUs nested, or are they separate OUs?  If they are separate, when you move him to the new OU the Group Policies linked at the previous OU should not apply anymore.

Thanks

Mike
 
LVL 4

Expert Comment

by:fr0nk
ID: 34232952
Depends on where your GPOs are linked to the OUs.
Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
 
LVL 27

Expert Comment

by:KenMcF
ID: 34232966
Yes, when you move a user from one OU to another, the policies from the old OU will not be applied, just the policies that are linked to the new OU the user is moving into. That is why you are getting the warning. So depending on how your OU structure is set up this may not be a problem. So just be aware that the policies for that user account can change if moved. Like fr0nk said, you can use gpresult to see what is being applied, or you can use the Group Policy Management console.
 
LVL 4

Expert Comment

by:fr0nk
ID: 34232995
KenMcF: The problem is, if he linked it to the domain, it will be applied anyway. Or in the worst case he defined it in the Default Domain Policy ;)

So, first figure out which GPO is causing this, look where it is linked, evaluate whether the user is therefore applying it, and disable it with any of the above mentioned approaches :)
 

Author Comment

by:john8217
ID: 34233516
The two OUs are not nested (so I guess there should be no problem, but there still is).
I like fr0nk's suggestions:
1) Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
2) Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
Um, how do I go about doing either of these things?
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 34233610
Number 2 is also known as security filtering; there is a great step-by-step with screenshots here: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

WMI filters can be a little more complicated depending on the filter.

There is also item-level targeting with Group Policy Preferences.  The GP team has a good overview of all three here: http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Thanks

Mike
 
LVL 4

Accepted Solution

by:fr0nk
fr0nk earned 250 total points
ID: 34233642
I've made you some screenshots.

(Screenshot: Hierarchy)
In the first picture you see 2 relevant policies: LocalAdmins (defined at domain level) and JohnsGPO (defined at OU=IT Guys).
If you specify a setting in a GPO and link it at domain level, it will be inherited by every account in every OU (IT Guys, Other People....).
If you specify a setting in a GPO and link it at the OU level, it will be applied by the users in that OU only.

If you specify the same setting at domain level and OU level, the OU setting wins.
Exception: you enforce (right-click the GPO -> Enforce) at a higher level.

When you want to start from "scratch" in an OU you can "block inheritance" for this OU. However, if the Enforce checkbox is set, the GPO will be applied anyway.

So you can do 2 things: block the inheritance, and ensure the GPO isn't linked to the OU
or
Use the security settings to specifically deny the user the "read" right on the GPO.
(Screenshot: GPO_Rights)
Kind regards.
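The hierarchy, block-inheritance, enforce and security-filtering points from the accepted solution, plus the gpresult check fr0nk and Mike Kline mention earlier, as one added PowerShell walkthrough. This is example code, not from the thread or from Microsoft's documentation; it assumes a hypothetical domain contoso.com, a user "john" in the OU "IT Guys", a GPO named "JohnsGPO", a workstation "PC01" and a group "GPO-JohnsGPO-Apply" that you create. It needs the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2, or Windows 7 with RSAT, and later); on the plain Server 2008 box in the question the same steps are done by hand in GPMC. Two caveats a practitioner should know: `Set-GPPermission` cannot write Deny ACEs (the "deny Read" approach in the screenshot is done in GPMC under Delegation > Advanced), and since the MS16-072 update user policy is retrieved in the computer's security context, so a GPO that the computer account cannot read will silently stop applying its user settings. Scoping "Apply Group Policy" to a group while leaving Read on Authenticated Users avoids both problems.

```powershell
# Added example, not code from the thread. Domain, user, GPO, group and PC names
# below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$UserName = 'john'       # sAMAccountName of the user that was moved
$GpoName  = 'JohnsGPO'   # the GPO that should no longer hit this user

# 1. Which OU is the user in now? Drop the leading CN= RDN from the DN
#    (assumes no escaped commas inside the CN).
$user = Get-ADUser -Identity $UserName
$ouDn = ($user.DistinguishedName -split ',(?=OU=|DC=)', 2)[1]
"User is in: $ouDn"

# 2. Every link GP processing will evaluate for that OU: inherited from the domain
#    and parent OUs, plus the OU's own links. Order 1 is the winning (highest
#    precedence) link, as in GPMC's 'Group Policy Inheritance' tab. An Enforced
#    link survives block-inheritance and beats links lower in the tree.
$inh = Get-GPInheritance -Target $ouDn -Domain $Domain
"Inheritance blocked on this OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 3. Who is the GPO filtered to? It is processed only for trustees that hold both
#    Read and Apply Group Policy; out of the box that is 'Authenticated Users'.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# 4. Fix A, security filtering: Authenticated Users keeps Read only (-Replace is
#    required to lower an existing level), a dedicated group gets Read + Apply.
#    John is deliberately not a member, so JohnsGPO no longer applies to him.
$scopeGroup = 'GPO-JohnsGPO-Apply'
if (-not (Get-ADGroup -Filter "Name -eq '$scopeGroup'")) {
    New-ADGroup -Name $scopeGroup -GroupScope Global -GroupCategory Security -Path $ouDn
}
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $scopeGroup `
    -TargetType Group -PermissionLevel GpoApply

# 5. Fix B, block inheritance: stop domain-level links at this OU. Enforced links
#    still come through, so check the Enforced column from step 2 first.
Set-GPInheritance -Target $ouDn -Domain $Domain -IsBlocked Yes

# 6. Verify from the user's side. gpresult only reports on users who have logged
#    on to that machine; the RSoP cmdlet gives the same data as an HTML report.
gpupdate /force
gpresult /R /SCOPE USER /USER $UserName
Get-GPResultantSetOfPolicy -User $UserName -Computer 'PC01' `
    -ReportType Html -Path "$env:TEMP\rsop-$UserName.html"
```

Use either fix A or fix B, not both, unless you really want the OU to start from scratch: blocking inheritance also drops every other domain-level GPO (the LocalAdmins one in fr0nk's screenshot, for example), which is exactly the kind of "cannot see the network" surprise the question started with. After the change, the `Applied Group Policy Objects` section of `gpresult /R` for john should no longer list JohnsGPO.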
 
LVL 4

Expert Comment

by:fr0nk
ID: 34233663
Additionally, as mkline71 mentioned (thank you), you can use the more complicated WMI filtering. You should use this approach for a final solution, not for troubleshooting, since creating WMI filters is kind of... not pleasant ;P