Solved

Moving a user from one DC to another

Posted on 2010-11-29
Last Modified: 2012-05-10
We have a total of 2 servers in our network; they are both domain controllers. The first one has Server 2003, Standard, Service Pack 2. The second one has Server 2008, 64-bit, Standard, Service Pack 2.

I want to move a user from the first DC to the other. At first I tried cutting and pasting, but then I got a warning pop-up telling me "Moving objects in Active Directory Domain Services can prevent your existing system from working the way it was designed..." So I did not copy/paste it. Then I saw I could also "move" it. So I moved it and I didn't get any warning pop-up. So I thought all was well.

The problem is when I'm now logged in as this user I cannot see the network.

Is there any way I can cut/copy/move/transfer/(whatever you want to call it) a user from one DC to another without having this issue?
Question by:john8217
12 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232612
You don't move users between domain controllers. Active Directory uses multi-master replication, so users you create on DC1 should replicate to DC2 automatically. If they are in the same site the replication will happen in 15-20 seconds.

Check your event logs and use tools like dcdiag and repadmin to verify the health of your DCs.

Thanks


Mike
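To check what this answer describes, here is an added PowerShell example (not posted in the thread) that confirms the account is present in each DC's copy of the directory and runs the replication checks mentioned. It assumes dsquery.exe, repadmin.exe and dcdiag.exe are on the path (Support Tools on Server 2003, built in on Server 2008); the DC names and the account name are placeholders.

```powershell
# Added example, not from the thread: verify that an account has replicated to every DC
# and check replication health, instead of trying to "move" the account between DCs.
# Placeholders: DC hostnames and the sAMAccountName below are not from the original question.
$dcs = @('DC1', 'DC2')
$sam = 'john'

function Test-AccountOnDc {
    param([string]$Dc, [string]$SamAccountName)
    # dsquery -s targets one specific DC, so this reads that DC's own copy of the directory
    $result = & dsquery.exe user -samid $SamAccountName -s $Dc 2>$null
    # dsquery prints the DN in quotes, e.g. "CN=john,OU=IT Guys,DC=contoso,DC=com"
    return [bool]($result | Where-Object { $_ -match '^"?CN=' })
}

foreach ($dc in $dcs) {
    $found = Test-AccountOnDc -Dc $dc -SamAccountName $sam
    "{0}: account '{1}' present = {2}" -f $dc, $sam, $found
}

# Forest-wide replication summary (failures and largest delta per DC)
& repadmin.exe /replsummary

# Per-DC replication and advertising tests
foreach ($dc in $dcs) {
    & dcdiag.exe /s:$dc /test:Replications /test:Advertising
}
```

If the account shows as present on one DC only after the 15-20 seconds mentioned above, the repadmin summary is the place to look for the failing replication partner.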
 
LVL 27

Expert Comment

by:KenMcF
ID: 34232624
Are the servers in two separate domains?

It sounds like you are just moving the user from one OU to another. If this is the case the warning is just saying that if you have any GPOs applied in one OU they may not be applied to the new OU you are moving it to. Or the new OU may have a new policy.
 
LVL 4

Expert Comment

by:fr0nk
ID: 34232714
As KenMcF stated, you cannot move users from one DC to another. I'm not quite sure what you have been doing. Probably you moved the user within dsa.msc.
Run rsop.msc on the client side before and after the move to see if there have been changes in settings.
You can list the applied GPOs with gpresult /R in the section
  Applied Group Policy Objects
  -----------------------------

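As an added example (not part of the original reply), this PowerShell script automates the before/after comparison suggested here: it extracts the "Applied Group Policy Objects" section from gpresult /R, saves it once before the OU move, and diffs it on the next run. It assumes the English gpresult header text and uses a snapshot file under $env:TEMP, which is an assumption of this example.

```powershell
# Added example, not from the thread: snapshot and diff the GPOs gpresult reports as applied.
# Run it in the user's own session: once before the move, and once more after the user has
# logged off and on again (or run gpupdate /force), so the second run shows what changed.

function Get-AppliedGpoNames {
    param([ValidateSet('USER', 'COMPUTER')][string]$Scope = 'USER')
    # /SCOPE limits the report to one side, so the header below appears only once
    $lines = & gpresult.exe /R /SCOPE $Scope
    $names = @()
    $inSection = $false
    foreach ($line in $lines) {
        if (-not $inSection) {
            if ($line -match '^\s*Applied Group Policy Objects\s*$') { $inSection = $true }
            continue
        }
        if ($line -match '^\s*-+\s*$') { continue }   # the dashed underline
        if ($line.Trim() -eq '')       { break }      # a blank line ends the section
        $names += $line.Trim()
    }
    return $names
}

# Assumed location for the baseline; any writable path works
$snapshot = Join-Path $env:TEMP 'applied-gpos-before.txt'

if (-not (Test-Path $snapshot)) {
    # First run: record what applied in the old OU
    Get-AppliedGpoNames | Set-Content $snapshot
    "Saved baseline to $snapshot"
} else {
    # Second run: '<=' = applied before only, '=>' = applied now only
    $before = @(Get-Content $snapshot)
    $after  = @(Get-AppliedGpoNames)
    if ($before.Count -eq 0 -or $after.Count -eq 0) {
        # Compare-Object rejects empty arrays, so just list both sides
        "Before: $($before -join ', ')"
        "After:  $($after -join ', ')"
    } else {
        Compare-Object -ReferenceObject $before -DifferenceObject $after
    }
}
```

A GPO that appears only on the "=>" side is one the new OU (or a domain-level link) brought in; one that appears only on the "<=" side stopped applying with the move.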

Author Comment

by:john8217
ID: 34232927
Yes, KenMcF, now that you mentioned it I think that is what happened. I moved him from one OU to another OU (I'm obviously an Active Directory newbie).
Is there a way to move him from one OU to another and just have the policies of the new OU be applied to him?
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232938
Are the OUs nested or are they separate OUs? If they are separate, when you move him to the new OU the Group Policies linked at the previous OU should not apply anymore.

Thanks

Mike
 
LVL 4

Expert Comment

by:fr0nk
ID: 34232952
Depends on where your GPOs are linked to the OUs.
Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
 
LVL 27

Expert Comment

by:KenMcF
ID: 34232966
Yes, when you move a user from one OU to another the policies from the old OU will not be applied, just the policies that are linked to the new OU the user is moving into. That is why you are getting the warning. So depending on how your OU structure is set up this may not be a problem. So just be aware that the policies for that user account can change if moved. Like Fr0nk said you can use gpresult to see what is being applied, or you can use the Group Policy Management console.

 
LVL 4

Expert Comment

by:fr0nk
ID: 34232995
KenMcF: The problem is, when he linked it to the domain, it will be applied anyways. Or in the worst case he defined it in the default domain policy ;)

So, first figure out which GPO is causing this, look where it is linked, evaluate if the user is therefore applying it, disable it with any of the above mentioned approaches :)

 

Author Comment

by:john8217
ID: 34233516
The two OUs are not nested (so I guess there should be no problem, but there still is).
I like fr0nk's suggestions:
1) Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
2) Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
Um, how do I go about doing either of these things?
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 34233610
Number 2 is also known as security filtering; great step-by-step with screenshots here: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

WMI filters can be a little more complicated depending on the filter.

There is also Item level targeting with group policy preferences.  The GP team has a good overview of all three here:   http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Thanks

Mike
 
LVL 4

Accepted Solution

by:fr0nk
fr0nk earned 250 total points
ID: 34233642
I've made you some screenshots.

[Screenshot: Hierarchy]
In the first picture you see 2 relevant policies: LocalAdmins (defined at domain level) and JohnsGPO (defined at OU=IT Guys).
If you specify a setting in a GPO and link it at domain level, it will be inherited by every account in every OU (IT Guys, Other People...).
If you specify a setting in a GPO and link it at the OU level, it will be applied by the users in the OU only.

If you specify the same setting at domain level and OU level, the OU setting wins.
Exception: you enforce (right-click the GPO -> Enforce) on a higher level.

When you want to start from "scratch" in an OU you can "block inheritance" for this OU. However, if the enforce checkbox is set, the GPO will be applied anyway.

So you can do 2 things: block the inheritance, and ensure the GPO isn't linked to the OU
or
use the security settings to specifically deny the user the "read" right on the GPO.
[Screenshot: GPO_Rights]
Kind regards.
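To show both the inheritance/enforce behaviour in this accepted answer and the security filtering Mike Kline pointed to, here is an added PowerShell example that is not from either poster. It uses the GroupPolicy module (RSAT on Windows 7 / Server 2008 R2 and later, run from an admin workstation against this domain); the domain name, OU, GPO name, group name and user are placeholders. Note that Set-GPPermission can grant or remove permissions but cannot create the explicit Deny entry shown in the GPO_Rights screenshot; that one is set in GPMC under the GPO's Delegation tab, Advanced.

```powershell
# Added example, not from the thread: audit what reaches an OU, then apply one of the two
# fixes discussed (block inheritance, or security-filter the GPO to a group).
# Placeholders: contoso.com, "IT Guys", JohnsGPO, "IT Guys Users" and "john" are assumptions.
Import-Module GroupPolicy

$ou = 'OU=IT Guys,DC=contoso,DC=com'

# 1. Links that actually apply to this OU, in precedence order, including domain-level
#    links. Enforced = $true means the link survives "block inheritance".
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on '{0}': {1}" -f $inh.Name, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize

# 2. For each GPO in that chain, who is allowed (or denied) to apply it.
#    Apply rights granted through group membership show up under the group's name,
#    so "Authenticated Users" with ALLOW means every user applies the GPO.
foreach ($link in $inh.InheritedGpoLinks) {
    "{0}:" -f $link.DisplayName
    Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            $kind = if ($_.Denied) { 'DENY' } else { 'ALLOW' }
            "    {0,-5} {1}" -f $kind, $_.Trustee.Name
        }
}

# 3a. Fix from the accepted answer: block inheritance on the OU.
#     Enforced links (see step 1) still apply afterwards.
# Set-GPInheritance -Target $ou -IsBlocked Yes

# 3b. Security filtering: drop "Authenticated Users" from Apply to Read only, then grant
#     Apply to a chosen group, so a user outside that group no longer gets JohnsGPO.
# Set-GPPermission -Name 'JohnsGPO' -TargetName 'Authenticated Users' -TargetType Group `
#     -PermissionLevel GpoRead -Replace
# Set-GPPermission -Name 'JohnsGPO' -TargetName 'IT Guys Users' -TargetType Group `
#     -PermissionLevel GpoApply
```

Run steps 1 and 2 first: if the GPO that breaks network access is linked at the domain level and enforced, blocking inheritance on the OU (3a) will not remove it, and security filtering (3b) or editing that link is the route to take.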
 
LVL 4

Expert Comment

by:fr0nk
ID: 34233663
Additionally, as mkline71 mentioned (thank you), you can use the more complicated WMI filtering. You should use this approach for a final solution, not for troubleshooting, since creating WMI filters is kind of... not pleasant ;P

