Moving a user from one DC to another

We have a total of 2 servers in our network, they are both domain controllers. The first one has Server 2003, Standard, service pack 2. The second one has Server 2008, 64-bit, Standard, service pack 2.
I want to move a user from the first DC to the other. At first I tried cutting and pasting but then I got a warning pop-up telling me "Moving objects in Active Directory Domain Services can prevent your existing system from working the way it was designed..." So I did not copy/paste it. Then I saw I could also "move" it. So I moved it and I didn't get any warning pop-up. So I thought all is well.
The problem is when I'm now logged in as this user I cannot see the network.
Is there any way I can cut/copy/move/transfer/(whatever you want to call it) a user from one DC to another without having this issue?
john8217 asked:
fr0nk commented (accepted solution):
I've made you some screenshots.

[Screenshot: Hierarchy]
In the first picture you see 2 relevant policies: LocalAdmins (defined at domain level) and JohnsGPO (defined at OU=IT Guys).
If you specify a setting in a GPO and link it at domain level, it will be inherited by every account in every OU (IT Guys, Other People....).
If you specify a setting in a GPO and link it at the OU level, it will be applied to the users in that OU only.

If you specify the same setting at domain level and OU level, the OU setting wins.
Exception: you enforce (right-click the GPO -> Enforced) on a higher level.

When you want to start from "scratch" in an OU you can "Block Inheritance" for this OU. However, if the Enforced checkbox is set, the GPO will be applied anyway.

So you can do 2 things: block the inheritance, and ensure the GPO isn't linked to the OU
or
Use the  security settings to specifically deny the user the "read" right on the GPO.
[Screenshot: GPO_Rights]
Kind regards.
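An added example, not part of fr0nk's answer, that shows the same hierarchy from the command line: it lists the GPO links on every level above an OU (the OU, any parent OUs, the domain) with their Enforced flag and the container's Block Inheritance setting, then diffs the effective lists of two OUs so you can see exactly what an account gains or loses when it is moved. It needs the GroupPolicy module (Server 2008 R2 or RSAT on a workstation; the 2003/2008 DCs in the question do not ship it); the OU names and the domain are assumed.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy module
# (Server 2008 R2+ / RSAT). Domain and OU names below are assumptions.
Import-Module GroupPolicy

function Get-GpoLinkChain {
    param([string]$ContainerDn)   # e.g. 'OU=IT Guys,DC=corp,DC=example'
    $dn = $ContainerDn
    while ($dn) {
        $inh = Get-GPInheritance -Target $dn
        foreach ($link in $inh.GpoLinks) {
            New-Object PSObject -Property @{
                Level    = $dn
                Gpo      = $link.DisplayName
                Order    = $link.Order                 # 1 = highest precedence on this level
                Enforced = $link.Enforced              # still applies below a blocked OU
                Enabled  = $link.Enabled
                Blocked  = $inh.GpoInheritanceBlocked  # "Block Inheritance" on this container
            }
        }
        if ($dn -notmatch '^OU=') { break }            # reached the domain root
        # Parent container; assumes no escaped commas inside OU names.
        $dn = $dn.Substring($dn.IndexOf(',') + 1)
    }
}

function Get-EffectiveGpos {
    param([string]$ContainerDn)
    # InheritedGpoLinks is what GPMC's "Group Policy Inheritance" tab shows:
    # the resolved list, enforced and blocked links already accounted for,
    # highest precedence first.
    $links = (Get-GPInheritance -Target $ContainerDn).InheritedGpoLinks
    @($links | Where-Object { $_.Enabled } | ForEach-Object { $_.DisplayName })
}

$oldOu = 'OU=Other People,DC=corp,DC=example'
$newOu = 'OU=IT Guys,DC=corp,DC=example'

"=== GPO links on each level above $newOu ==="
Get-GpoLinkChain $newOu | Format-Table Level, Gpo, Order, Enforced, Enabled, Blocked -AutoSize

"=== Effective GPOs for a user in $newOu (winner first) ==="
Get-EffectiveGpos $newOu

"=== Changes when a user is moved from $oldOu to $newOu ==="
Compare-Object (Get-EffectiveGpos $oldOu) (Get-EffectiveGpos $newOu) |
    ForEach-Object {
        $what = if ($_.SideIndicator -eq '=>') { 'gained' } else { 'lost' }
        '{0,-6} {1}' -f $what, $_.InputObject
    }
```

To see the Block Inheritance / Enforced interaction fr0nk describes, run `Set-GPInheritance -Target $newOu -IsBlocked Yes` and rerun the script: non-enforced links from the domain level drop out of the effective list, while any link marked Enforced stays in it.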
 
Mike Kline commented:
You don't move users between domain controllers.  Active Directory uses multi-master replication, so users you create on DC1 should replicate to DC2 automatically.  If they are in the same site the replication will happen in 15-20 seconds.

Check your event logs and use tools like dcdiag and repadmin to verify the health of your DCs.

Thanks


Mike
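An added example, not part of Mike Kline's comment, that turns his point into a check: it reads the account from each DC over plain LDAP (System.DirectoryServices, which works against Server 2003 and 2008 without the ActiveDirectory module) and, only if the two copies differ or one is missing, runs the repadmin and dcdiag checks he mentions. DC names, the domain and the account name are assumptions; repadmin and dcdiag are built into Server 2008 and come from the Windows Support Tools on Server 2003.

```powershell
# Added example, not from the original thread. DC names, domain and account
# are assumptions; replace them with your own.
$Dcs        = @('DC1.corp.example', 'DC2.corp.example')
$DomainDn   = 'DC=corp,DC=example'
$SamAccount = 'jsmith'

function Get-UserFromDc {
    param([string]$Dc, [string]$Sam)
    # Bind to one specific DC so we see that DC's copy of the object, not
    # whichever DC the locator would pick.
    try {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$DomainDn")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Sam))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenChanged'))
        $hit = $searcher.FindOne()
    } catch {
        Write-Warning "Cannot query ${Dc}: $($_.Exception.Message)"
        return $null
    }
    if ($hit -eq $null) { return $null }
    New-Object PSObject -Property @{
        Dc          = $Dc
        Dn          = [string]$hit.Properties['distinguishedname'][0]
        WhenChanged = [datetime]$hit.Properties['whenchanged'][0]
    }
}

$found = @($Dcs | ForEach-Object { Get-UserFromDc -Dc $_ -Sam $SamAccount } |
              Where-Object { $_ -ne $null })
$found | Format-Table Dc, Dn, WhenChanged -AutoSize

# The DN tells you which OU each DC thinks the account lives in; after an OU
# move the two DNs must agree once replication has caught up.
$dns = @($found | ForEach-Object { $_.Dn } | Sort-Object -Unique)
$dc2 = $Dcs[1]
if ($found.Count -ne $Dcs.Count -or $dns.Count -ne 1) {
    Write-Warning "$SamAccount is not identical on all DCs yet; checking replication."
    repadmin /replsummary                      # per-DC failure counts and largest delta
    repadmin /showrepl $dc2                    # inbound partners, last success/failure
    dcdiag /s:$dc2 /test:replications          # replication test only
} else {
    "$SamAccount is $($dns[0]) on both DCs: already replicated, nothing to move."
}
```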
 
KenMcF commented:
Are the servers in two separate domains?

It sounds like you are just moving the user from one OU to another. If this is the case the warning is just saying that if you have any GPOs applied in one OU they may not be applied to the new OU you are moving it to. Or the new OU may have a new policy.

fr0nk commented:
As KenMcF stated, you cannot move users from one DC to another. I'm not quite sure what you have been doing. Probably you moved the user within dsa.msc.
Run rsop.msc on the client side before and after the moving to see if there have been changes in settings.
You can list the applied GPOs with gpresult /R in the section
  Applied Group Policy Objects
  -----------------------------


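An added example, not part of fr0nk's comment, for the before/after comparison he suggests: it parses the "Applied Group Policy Objects" block out of `gpresult /R`, saves a snapshot before the OU move, and diffs it after the move and a fresh logon. Run it on the client as the affected user (gpresult /R exists on Vista/2008 and later); the snapshot path is an assumption.

```powershell
# Added example, not from the original thread. Run on the client, logged on
# as the user in question. Snapshot path is an assumption.
function Get-AppliedUserGpos {
    # Parses the section that follows the heading quoted above:
    #   Applied Group Policy Objects
    #   -----------------------------
    #       JohnsGPO
    #       LocalAdmins
    #   <blank line ends the list>
    $inSection = $false
    $gpos = @()
    foreach ($raw in (gpresult /R /SCOPE USER 2>&1)) {
        $line = "$raw".Trim()
        if (-not $inSection) {
            if ($line -eq 'Applied Group Policy Objects') { $inSection = $true }
            continue
        }
        if ($line -match '^-+$') { continue }   # the underline under the heading
        if ($line -eq '')        { break }      # first blank line closes the section
        $gpos += $line
    }
    return $gpos
}

$Snapshot = 'C:\Temp\gpos-before-move.txt'

if (-not (Test-Path $Snapshot)) {
    # First run: before the account is moved in dsa.msc.
    Get-AppliedUserGpos | Set-Content $Snapshot
    "Saved the current user GPO list to $Snapshot. Move the account, log off and on, run again."
} else {
    # Second run: after the move and a new logon (or gpupdate /force).
    $before = @(Get-Content $Snapshot)
    $after  = @(Get-AppliedUserGpos)
    $diff   = Compare-Object $before $after
    if (-not $diff) { 'No change in applied user GPOs.' }
    $diff | ForEach-Object {
        $what = if ($_.SideIndicator -eq '=>') { 'now applied' } else { 'no longer applied' }
        '{0,-18} {1}' -f $what, $_.InputObject
    }
}
```

A GPO that shows up as "no longer applied" after the move is the usual reason an account suddenly "cannot see the network" (a drive-mapping or firewall setting that only the old OU's policy delivered); one that shows up as "now applied" is a candidate for a restrictive setting from the new OU.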
 
john8217 (author) commented:
Yes, KenMcF, now that you mentioned it I think that is what happened. I moved him from one OU to another OU (I'm obviously an Active Directory newbie).
Is there a way to move him from one OU to another and just have the policies of the new OU be applied to him?

Mike Kline commented:
Are the OUs nested or are they separate OUs?  If they are separate, when you move him to the new OU the Group Policies linked at the previous OU should not apply anymore.

Thanks

Mike

fr0nk commented:
Depends on where your GPOs are linked.
Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.

KenMcF commented:
Yes, when you move a user from one OU to another the policies from the old OU will not be applied, just the policies that are linked to the new OU the user is moving into. That is why you are getting the warning. So depending on how your OU structure is set up this may not be a problem. So just be aware that the policies for that user account can change if moved. Like fr0nk said, you can use gpresult to see what is being applied, or you can use the Group Policy Management console.


fr0nk commented:
KenMcF: The problem is, when he linked it to the domain, it will be applied anyways. Or in the worst case he defined it in the default domain policy ;)

So, first figure out which GPO is causing this, look where it is linked, evaluate if the user is therefore applying it, disable it with any of the above mentioned approaches :)


john8217 (author) commented:
The two OUs are not nested (so I guess there should be no problem, but there still is).
I like fr0nk's suggestions:
1) Normally, all GPOs that are defined in the hierarchy are applied. However, you can use GPO WMI filtering to make exceptions.
2) Another very easy thing is: just take away the user's rights to read the GPO. If he can't read it, he can't apply it.
Um, how do I go about doing either of these things?

Mike Kline commented:
Number 2 is also known as security filtering, great step by step with screenshots here  http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

WMI filters can be a little more complicated depending on the filter.

There is also Item level targeting with group policy preferences.  The GP team has a good overview of all three here:   http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Thanks

Mike
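An added example, not part of Mike Kline's comment, that applies security filtering ("number 2" above) with the GroupPolicy module and then verifies the result. GPO and group names are assumptions, and it needs Server 2008 R2 or RSAT. One caveat the linked article predates: since MS16-072 (KB3163622, June 2016) the client reads user GPOs in the computer's security context, so Authenticated Users must keep Read on the GPO; only the Apply Group Policy right is taken away.

```powershell
# Added example, not from the original thread. GPO and group names are
# assumptions. Requires the GroupPolicy module (Server 2008 R2+ / RSAT).
Import-Module GroupPolicy

$GpoName    = 'JohnsGPO'
$ApplyGroup = 'GPO-JohnsGPO-Apply'   # assumed global group; its members get the GPO

# Step 1: downgrade the default "Authenticated Users: Read + Apply" to Read only.
# -Replace is required; without it Set-GPPermission only ever raises a level.
# Keep GpoRead rather than None: since MS16-072 (KB3163622) user policy is read
# in the computer's context, and a GPO nobody can read is applied by nobody.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: grant Apply to the group that should receive the policy. Anyone not
# in it (the moved user, for instance) can read the GPO but will not apply it.
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Set-GPPermission cannot write a Deny ACE. For an explicit per-user "Deny:
# Apply Group Policy" use GPMC (Delegation tab > Advanced, as in the first link
# above); GPMC also keeps the SYSVOL folder ACL in step with the AD object.

function Show-GpoFiltering {
    param([string]$Name)
    # Who applies (or is explicitly denied) this GPO: the GPMC Scope tab view.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
        ForEach-Object {
            '{0,-35} {1,-10} denied={2}' -f $_.Trustee.Name, $_.Permission, $_.Denied
        }
}

Show-GpoFiltering $GpoName
```

After the next logon, `gpresult /R` on the excluded user's client lists the GPO under "The following GPOs were not applied because they were filtered out" with "Filtering: Denied (Security)", which is the quickest confirmation that the filter, and not a missing link or blocked inheritance, is what keeps the policy off the account.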
 
fr0nk commented:
Additionally, as mkline71 mentioned (thank you), you can use the more complicated WMI filtering. You should use this approach for a final solution, not for troubleshooting, since creating WMI filters is kind of... not pleasant ;P

Question has a verified solution.