ADMT file access issue recent files

After migrating the workstation and a user using ADMT,

I can't access the physical files that were "recent" in Excel and MS Word.

The files physically reside on the network file server.

I have migrated the user and his workstation and also ran the security profile wizard.


Now:

1- If I log on to the new domain with the same workstation, I have no access to the shared files. I even tried accessing these specific files without logging on to the profile directly, by mapping a drive letter from the local administrator account, and I also can't view them!

2- If I log on to the new domain with a different workstation, I am able to access the shared files.

This issue is only affecting the files that had a "recent" link. I checked the permissions on the files and both domain accounts have full permission.

Any clue! I can access the files by mapping from any computer but not from the one that has the profile migrated!!
Abbas AliBaBaAsked:

btanExec ConsultantCommented:
ADMT keeps a detailed log of every action that you perform when you migrate resources between Active Directory domains. Errors that occur during the migration process are noted in the migration log, although they might not produce a warning message in ADMT. Examining the migration log after a migration is a good way to verify that all tasks were completed successfully.  The log files are created in the Windows\ADMT\Logs folder on the computer where ADMT is installed.

I was thinking of SID history... When you migrate an object to another domain, the object is assigned a new SID. Because you assign permissions to objects based on SIDs, when the SID changes, the user loses access to that resource until you can reassign permissions. When you use ADMT to migrate objects between domains in the same forest, the SID history is automatically retained. In this way, the SID from the source domain remains as an attribute of the object after the object is migrated to the target domain.

It may be good to look at the ADMT v3 Migration Guide (should be easily googled) - see
• Using SID History to Preserve Resource Access
• Migration of All User Accounts
• Translating Security in Add Mode

The best practice for granting access to resources is to use global groups to arrange users, and domain local groups to protect resources. Place global groups into a domain local group to grant the members of the global group access to the resource. A global group can only contain members from its own domain. When a user is migrated between domains, any global groups to which the user belongs must also be migrated. This ensures that users can continue to access resources that are protected by discretionary access control lists (DACLs) referring to global groups. After migrating an account and maintaining the SID history of the source domain account, when a user logs on to the target domain, both the new SID and the original SID from the SID history attribute are added to the access token of the user. These SIDs determine the local group memberships of the user. The SIDs of the groups of which the user is a member are then added to the access token, together with the SID history of those groups.

Resources within the source and target domains resolve their ACLs to SIDs and then check for matches between their ACLs and the access token when granting or denying access. If the SID or the SID history matches, access to the resource is granted or denied, according to the access specified in the ACL. If the resource is in the source domain and you have not run security translation, it uses the SID history of the user account to grant access.

You can also preserve the original SID for global groups and universal groups in the SID history of the global group or universal group in the target domain. Because local group memberships are based on SIDs, when you migrate the SID to the SID history of the global group or universal group in the target domain, the local group memberships of the global group or universal group are preserved automatically.

SID history is used for:
• Roaming user profile access
• Certification authority access
• Software installation access
• Resource access

If you are not using SID history for resource access, you still need to migrate SID history to facilitate access to those items.
0
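An added example, not part of the original answer: a simplified Python model of the SID-history mechanism described in the answer above, showing how the access token built at logon is matched against a share DACL with SID history, without it, and after security translation in add mode. The SIDs, the two-right mask and the reduced ACE walk are constructed for illustration; a real Windows token and access check carry more than this.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2  # constructed two-right mask, not the real Windows bits

@dataclass
class Principal:
    """A user or group account. All SIDs used below are constructed samples."""
    sid: str
    sid_history: list = field(default_factory=list)
    member_of: list = field(default_factory=list)  # group Principals

def build_token(user):
    """SIDs placed in the token at logon: the account's SID and SID history,
    plus the SID and SID history of every group the account belongs to."""
    sids = {user.sid, *user.sid_history}
    for group in user.member_of:
        sids.update({group.sid, *group.sid_history})
    return sids

def access_check(token, dacl, wanted):
    """Walk ACEs in order: a matching deny for a still-needed right refuses;
    matching allows accumulate until every wanted right is granted."""
    remaining = wanted
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def translate_add_mode(dacl, sid_map):
    """Security translation in add mode: keep each source-domain ACE and add
    a copy that names the matching target-domain SID."""
    out = []
    for ace_type, sid, mask in dacl:
        out.append((ace_type, sid, mask))
        if sid in sid_map:
            out.append((ace_type, sid_map[sid], mask))
    return out

# Constructed sample SIDs: OLD = source domain, NEW = target domain.
OLD_USER, NEW_USER = "S-1-5-21-1111-1111-1111-1105", "S-1-5-21-2222-2222-2222-1601"
OLD_GRP, NEW_GRP = "S-1-5-21-1111-1111-1111-1200", "S-1-5-21-2222-2222-2222-1700"

# The DACL on the file share still names the source-domain global group only.
SHARE_DACL = [("allow", OLD_GRP, READ | WRITE)]

def scenarios():
    """Same migrated user, three situations on the resource side."""
    user_with = Principal(NEW_USER, [OLD_USER], [Principal(NEW_GRP, [OLD_GRP])])
    user_without = Principal(NEW_USER, [], [Principal(NEW_GRP)])
    translated = translate_add_mode(SHARE_DACL, {OLD_GRP: NEW_GRP, OLD_USER: NEW_USER})
    return {
        "sid_history_kept": access_check(build_token(user_with), SHARE_DACL, READ),
        "no_sid_history": access_check(build_token(user_without), SHARE_DACL, READ),
        "after_add_mode_translation": access_check(build_token(user_without), translated, READ),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'access granted' if allowed else 'access denied'}")
```
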
Abbas AliBaBaAuthor Commented:
Thank you for the reply, but it is not helping. It is something corrupted on the local computer related to the recent files. I do migrate global users and this is not the first time I am migrating!

Kindly read the issue description again!


It is not understandable: how come I can access the files (indicated as recent and MRU files) on the file server share from any other computer with the migrated user credentials but not from the migrated computer!! This is the question.

There is no SID history issue: I can access the files from any other computer on the file share but not from the computer that has the user profile, even if I create another profile.
0
Abbas AliBaBaAuthor Commented:
Sorry for the typos, I am going to correct them.

Thank you for the reply, but it is not helping. It looks like the issue is related to something corrupted on the local computer in regards to the recent files. I did migrate global users and this is not the first time I am migrating!

Kindly read the issue description again!


To me this issue is totally confusing and doesn't make sense. Here is the exact question:

((((  How come I can access the problem files located on the file server share from any other computer with the new migrated user credentials on the new domain but not from the migrated computer!!  )))))

It is like:
from migrated Computer
c:\whoami
CA\Abbas

C:\>dir \\fileserver\test
file01.txt
file03.txt

from any other computer:
c:\>whoami
CA\abbas

C:\>Dir \\fileserver\test

file01.txt
file02.txt
file03.txt
file04.txt

How could that happen!!!


There is no SID history issue: I can access the files from any other computer on the file share but not from the computer that has the user profile, even if I create another profile, even if I map a drive letter from another profile with the same user name "CA\abbas".

Regards,
0
btanExec ConsultantCommented:
Noted, I do understand the issue. Just to take a step back and see any specific or common errors that can shed hints, e.g. from the ADMT log/event log, the SID history, or the user profile permission migration locally, so that troubleshooting can be more targeted.

Access denied from the share is definitely dealing with permission issues and is specific to this existing same machine, which is why we need to verify the user, group and machine rights.

So I was thinking...

a) We can run AccessChk on the problematic machine and on the machine that works (to sieve out the "additional" privileges that are missing) @ http://technet.microsoft.com/en-us/sysinternals/bb664922 to know:
> what kind of access specific users or groups have to that resource
> what kind of access right is needed for that resource

and also to verify (again) by running AccessEnum (UI) to list the shared folder permissions needed, its subfolders, etc. @ http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

If there are discrepancies, at least we know what the so-called "privileges" needed are, but if all privileges are given and are the same for the user and their group... then I suspect the account that ran ADMT on that problematic machine may need to be reviewed... I was seeing these "required" checks in
@ http://support.microsoft.com/default.aspx?scid=KB;en-us;260871&

Trusts
-Configure the source domain to trust the target domain.
-Configure the target domain to trust the source domain.

Groups
-Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
-Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
-Create a new local group in the source domain called Source Domain$$$ (this group should have no members).

Auditing
-Enable auditing for the success and failure of user and group management on the source domain.
-Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

....run ADMT with an account that has the following rights:
-Domain Administrator rights in the target domain
-Is a member of the Administrators group in the source domain
-Administrator rights on each computer you migrate
-Administrator rights on each computer on which you translate security

Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.... Eventually the machine being moved has TARGET\Domain Admins as members of the local administrator group.
0
Abbas AliBaBaAuthor Commented:
Thank you for the hints!

I figured it out, it is an Offline Files issue!

The old domain has a GPO for offline folders to look at the computer drive first.
The new domain has a GPO for offline folders to look at the network first.

The updates of the recent files were not committed to the network (then it has the latest update),
so the computer knows that it has the latest update of the files and does not allow you to access them from the network (as defined in the new domain, and it does not even allow you to view the old file).

Now I created a GPO at the old domain to update files upon logoff, so the computer and network offline files are in sync.

Regards,

ABBAS
0
btanExec ConsultantCommented:
Thanks, glad it is solved.

Actually when checking back in the forum, I saw others mentioning ADMT can migrate user profiles including Offline Files. If the offline files sync fails after migration, we can use a tool called Csccmd.exe to refresh the CSC database by re-pointing the share to the new server.

http://offlinefiles.blogspot.sg/2010/10/recovering-offline-files-cache-csccmd.html?m=1
0
Abbas AliBaBaAuthor Commented:
Good to know and I have learned some resourceful information while figuring out the solution,

Thank you for getting up to speed in a very limited time!

Regards,

ABBAS
0
Abbas AliBaBaAuthor Commented:
Just a side note: yes, ADMT can migrate user profiles including Offline Files, but the offline configuration has to be correct. In my case they don't match: on the new domain the policy checks the network files first, and since it is an older version it doesn't let you see them (not found). What I did today: I disabled Offline Files from the Sync Center, then I was able to see the files! So interesting, I have touched offline folder settings for years!
0
btanExec ConsultantCommented:
Thanks for sharing :)
0
Abbas AliBaBaAuthor Commented:
Temp Comment
' setEnableDisable is defined as a Function below, so it is not declared here
Dim strComputer, objWMIService,strip1,intProcessID,objProcess,strcmdE,strcmdD
Dim  objShell,strCogConf,strComputer1,strComputer2,intReturn,strcmd,objConfig,objStartup
On Error Resume Next  
Const wbemFlagReturnImmediately = &h10  
Const wbemFlagForwardOnly = &h20  
Const SW_NORMAL = 0 '  Hide

Set objShell = CreateObject("WScript.Shell")
arrComputers = Array("strNode01","strNode02")  
strpar ="TTN__Services"
strcmdE= "opctemplate -e " & strpar
'wscript.echo strcmdE
strcmdD= "opctemplate -d " & strpar
'wscript.echo strcmdD
            
strComputer01="strNode01"
strComputer02="strNode02"

For Each strComputer In arrComputers  
      Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate," & "authenticationLevel=pktPrivacy}!" & "\\" & strComputer & "\root\MSCluster")  
      If Err = 0  Then
             Set colItems = objWMIService.ExecQuery("SELECT * FROM MSCluster_NodeToActiveGroup", "WQL", _  
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)  
                  For Each objItem In colItems  
                  WScript.Echo "GroupComponent: " & objItem.GroupComponent  
                  WScript.Echo "PartComponent: " & objItem.PartComponent  
                  'WScript.Echo  
                  Next  
                  'strComputer = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
                  'strComputer = uCase(strComputer)
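                  ' Enable the template on one node and disable it on the other.
                  ' The routine is called without parentheses: VBScript rejects
                  ' "name(arg1, arg2)" as a statement when there are several arguments.
                  If (strComputer=strComputer01) Then
                        strcmd = strcmdE
                        setEnableDisable strComputer,strcmd
                        strcmd = strcmdD
                        strComputer = strComputer02
                        setEnableDisable strComputer,strcmd
                  Else
                        strComputer=strComputer02
                        strcmd = strcmdE
                        setEnableDisable strComputer,strcmd
                        strComputer=strComputer01
                        strcmd = strcmdD
                        setEnableDisable strComputer,strcmd
                  End If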
      Else  
            WScript.Echo "ERROR: Unable to bind to WMI provider on " & strComputer & "."  
      End If  
Err.Clear  
Next

Function setEnableDisable(strComputer,strcmd)
' Connect to the cimv2 namespace on the target node
Set objWMIService = GetObject _
   ("winmgmts:\\" & strComputer & "\root\cimv2")
' Startup configuration for the new process (ShowWindow 0 = hidden window)
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = SW_NORMAL
Set objProcess = objWMIService.Get("Win32_Process")

' Run the command on the target node and report the result
intReturn = objProcess.Create(strcmd, null, objConfig, intProcessID)
If intReturn <> 0 Then
    Wscript.Echo "Process could not be created." & _
        vbNewLine & "Command line: " & strcmd & _
        vbNewLine & "Return value: " & intReturn
Else
    Wscript.Echo "Process created." & _
        vbNewLine & "Command line: " & strcmd & _
        vbNewLine & "Process ID: " & intProcessID
End If
End Function
0
Abbas AliBaBaAuthor Commented:
dim objFSO,objTextFile,strComputer,objWMIService,colItems,colNicConfigs,objNicConfig,objDictionary
dim adaptersetting,strFile1,CurrentDirectory,strIndex,strModel,a,i,UB,MAX,Myarray,strLine,j,sMyarray
dim strchecked,strDNSServerall,objItem,strDNSServerall_2,strDNSServerall_1,strline1
Const ForReading = 1
Const ForAppending = 8
Set objDictionary = CreateObject("Scripting.Dictionary")

'On Error Resume Next

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
strComputer = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strComputer = uCase(strComputer)
CurrentDirectory = objFSO.GetAbsolutePathName(".")
strFile1= CurrentDirectory & "\nectessing.csv"
wscript.echo strFile1
If objFSO.FileExists(strFile1) Then
objFSO.DeleteFile(strFile1)
End If
Set objTextFile = objFSO.CreateTextFile(strFile1,True)
strHeader="NIC_Index,NIC_Model,DNS_Entry_01,DNS_Entry_02,DNS_Entry_03,DNS_Entry_04,DNS_Entry_05,DNS_Entry_06,DNS_Entry_07,DNS_Entry_08,DNS_Entry_09,DNS_Entry_10"
WScript.Echo strHeader
objTextFile.Writeline strHeader
objTextFile.Close

            Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
            Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter", "WQL", 48)
            For Each objItem In colItems


                  If objItem.AdapterType= "Ethernet 802.3" then
                  strIndex=""
                  strModel =""
                  strIndex= objItem.Index
                  strModel=objItem.ProductName
                   Set colNicConfigs = objWMIService.ExecQuery _
                   ("ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID='" _
                   & objItem.DeviceID & "'}" _
                   & " WHERE AssocClass=Win32_NetworkAdapterSetting",,48)
                        For Each objNicConfig In colNicConfigs
                        
                        adaptersetting= objNicConfig.DNSServerSearchOrder
                              
                        If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
                                    strDNSServerall =""
                                    strDNSServerall_1=""
                                    ' j counts the DNS entries of this adapter
                                    j=0
                                    For Each strDNSServer In objNicConfig.DNSServerSearchOrder
                                          ' The CSV header has room for 10 DNS entries only
                                          If j < 10 then
                                          strDNSServerall= strDNSServerall & strDNSServer & ","
                                          End If
                                          j=j+1
                                    Next
                                    ' Drop the trailing comma
                                    strDNSServerall_1 =left(strDNSServerall,(len(strDNSServerall)-1))
                                    strline1= strIndex & "," & strModel & "," & strDNSServerall_1
                                    strDNSServerall=""
                        
                        ' Use the current item count as the key so that every adapter gets a unique key
                        objDictionary.add objDictionary.Count,strline1
                        strline1=""
                        End If
                        Next
                        'objTextFile.Close
                        'objTextFile.Close
                  End If
            Next      

For Each elem In objDictionary
'WScript.Echo elem & " "& objDictionary(elem)
strline = objDictionary(elem)
Myarray=Split(strline,",")
strline=""
Max= 11
      If Ubound(Myarray) <11 Then
             UB=Ubound(Myarray)
             REDIM Preserve Myarray(Max)
        For i=UB+1 to Max
              Myarray(i)="No_Data"
       Next
       End If
      ' Wscript.echo "######################"
       strchecked=""
       For i=0 to Max
              'Myarray(i)
             'Wscript.echo Myarray(i)
             strchecked = strchecked + "," & Myarray(i)
       Next
       Myarray=""
       strchecked =right(strchecked,(len(strchecked)-1))
       Wscript.echo strchecked
       Set objTextFile = objFSO.openTextFile(strFile1,8,True)
       objTextFile.Writeline      strchecked
       objTextFile.Close
       strchecked=""
      
Next
'################################
objFSO=""
objTextFile=""
strComputer=""
objWMIService=""
colItems=""
colNicConfigs=""
objNicConfig=""
adaptersetting=""
strFile1=""
CurrentDirectory=""
0
Abbas AliBaBaAuthor Commented:
TBD
0
Abbas AliBaBaAuthor Commented:
Dim strComputer, objWMIService,strip1,intProcessID,objProcess,strcmdE,strcmdD
Dim  objShell,strCogConf,strComputer1,strComputer2,intReturn,strcmd,objConfig,objStartup
Dim objExec,strOutput,strComputer01,strComputer02
'On Error Resume Next  
Const wbemFlagReturnImmediately = &h10  
Const wbemFlagForwardOnly = &h20  
Const SW_NORMAL = 0 '  Hide
Const HIDDEN_WINDOW = 0

arrComputers = Array("w2k3-cluster1","w2k3-cluster2")  
strpar ="CIBC_BBCP_Cognos_TM1_Services"
strcmdE= "Net start spooler "
'wscript.echo strcmdE
strcmdD= "Net stop spooler " 
'wscript.echo strcmdD
strcmdchk = "opctemplate -l"

strComputer01=arrComputers(0)
strComputer02=arrComputers(1)

For Each strComputer1 In arrComputers  
    ' Trap a failed WMI bind so that the Else branch below can report it
    On Error Resume Next
    Err.Clear
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate," & "authenticationLevel=pktPrivacy}!" & "\\" & strComputer1 & "\root\MSCluster")
      If Err = 0  Then
      On Error GoTo 0
      ' Copy the loop variable; strComputer is reassigned further down
      strComputer=strComputer1
             Set colItems = objWMIService.ExecQuery("SELECT * FROM MSCluster_NodeToActiveGroup", "WQL", _  
                                          wbemFlagReturnImmediately + wbemFlagForwardOnly)  
                  For Each objItem In colItems  
                  WScript.Echo "GroupComponent: " & objItem.GroupComponent  
                  WScript.Echo "PartComponent: " & objItem.PartComponent  
                  'WScript.Echo  
                  Next  
                 
                  If (strComputer=strComputer01) Then
                       
                        'if not getPolicyStatus <> "enabled" then
                          strcmd = strcmdE
                        setEnableDisable strComputer,strcmd
                         strcmd = strcmdD
                        strComputer = strComputer02
                        setEnableDisable strComputer,strcmd
                        'End If
                  Else
                       ' if getPolicyStatus <> "enabled" then
                        strComputer=strComputer02
                        strcmd = strcmdE
                        setEnableDisable strComputer,strcmd
                        strComputer=strComputer01
                         strcmd = strcmdD
                        setEnableDisable strComputer,strcmd
                       ' End If
                  End If
      Else  
            WScript.Echo "ERROR: Unable to bind to WMI provider on " & strComputer1 & ": " & Err.Description
      End If  
Err.Clear  
On Error GoTo 0
Next
'######################################################################
Function setEnableDisable(strComputer,strcmd)
' Connect to WMI on the target node
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
' Start the process with a hidden window
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
' Take Win32_Process from the same connection so that the command runs on
' strComputer rather than on the machine running this script
Set objProcess = objWMIService.Get("Win32_Process")
      
intReturn = objProcess.Create(strcmd, null,  objConfig, intProcessID)
If intReturn <> 0 Then
    Wscript.Echo "Process could not be created." & _
        vbNewLine & "Command line: " & strcmd & _
        vbNewLine & "Return value: " & intReturn
Else
    Wscript.Echo "Process created." & _
        vbNewLine & "Command line: " & strcmd & _
        vbNewLine & "Process ID: " & intProcessID
End If
End Function

'######################################################################
 REM Function getPolicyStatus
 REM Set objShell = WScript.CreateObject("WScript.Shell")
 REM Set objExec = objShell.Exec("opctemplate -l ")
 REM Do
     REM line = objExec.StdOut.ReadLine()
     REM strOutput = strOutput & line & vbcrlf
       
       REM if instr(strOutput, "enabled", 1) then
       REM strStatus = "enabled"
       REM Exit Loop
       REM End If
 REM Loop While Not objExec.Stdout.atEndOfStream

REM End Function
'######################################################################
0
btanExec ConsultantCommented:
Thanks for sharing, maybe you can share a short summary of the script.
0
