Replace specific AD security groups when migrating folders to a new server
We use folder and server specific AD security groups to manage access to our shared folders, and need to replace some of the groups as we are migrating them to a new server.
The folder specific groupss are ServerA-dir-folder-rw, serverA-dir-folder-ro
The server specific groups is ServerA-dir-rw, ServerA-dir-ro
We need to rename the folder groups to ServerB-dir-folder-rw, serverB-dir-folder-ro - whch attributes should we rename - cn,name,samaccountname,etc
We need tor replace the server specific groups with ServerB-dir-rw, ServerB-dir-ro - we cannot rename those, as they are still in use on Server A. How do I replace these?
The issue is we have a lot of blocked inheritance down the folder structure, so we cant just replace them at the top level.
Thank you!
The folder specific groupss are ServerA-dir-folder-rw, serverA-dir-folder-ro
The server specific groups is ServerA-dir-rw, ServerA-dir-ro
We need to rename the folder groups to ServerB-dir-folder-rw, serverB-dir-folder-ro - whch attributes should we rename - cn,name,samaccountname,etc
We need tor replace the server specific groups with ServerB-dir-rw, ServerB-dir-ro - we cannot rename those, as they are still in use on Server A. How do I replace these?
The issue is we have a lot of blocked inheritance down the folder structure, so we cant just replace them at the top level.
Thank you!
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
renaming the group shouldn't cause any issues since it'll be referenced by either a SID or GUID. I think it's a SID for AD groups, essentially renaming the group shouldn't impact and it should automatically update the name of the group on the file server when it references it again.
If it were me, I'd create a group, assign it to a folder, rename it to confirm it still works as expected and then do your live groups.
Regards
Alex
If it were me, I'd create a group, assign it to a folder, rename it to confirm it still works as expected and then do your live groups.
Regards
Alex
Hi Alex,
Thanks for the quick response. I suppose I can test that, and see which attributes get renamed and which don't, and see if I can then set any remaining ones manually.
Any ideas on how to replace the groups that cannot be renamed as they are still in use on the other server? Basically something that can scan the directory, find a specific group and replace it with its counterpart. As I said, there is a lot of blocked inheritance, so we can't just do it at the top level folder.
Thanks for the quick response. I suppose I can test that, and see which attributes get renamed and which don't, and see if I can then set any remaining ones manually.
Any ideas on how to replace the groups that cannot be renamed as they are still in use on the other server? Basically something that can scan the directory, find a specific group and replace it with its counterpart. As I said, there is a lot of blocked inheritance, so we can't just do it at the top level folder.
no matter server specific / folder specific , groups are stored in AD, so you can rename it and suggestion here is to use some generic name so that you don't need to rename as server name / folder name changes
U can rename groups, it will not break any access as SID won't get changed by renaming, right click group and click rename
May be you can use PowerShell for that
If you opt for rename, I don't see any need for replacement of groups
Still if you want replacement, you can use Subinacl / SetACL tool which can take folder ownership / set new acl without breaking inheritance or existing access
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html
U can rename groups, it will not break any access as SID won't get changed by renaming, right click group and click rename
May be you can use PowerShell for that
If you opt for rename, I don't see any need for replacement of groups
Still if you want replacement, you can use Subinacl / SetACL tool which can take folder ownership / set new acl without breaking inheritance or existing access
https://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html
Any ideas on how to replace the groups that cannot be renamed as they are still in use
You're not understanding, if you test it with a new group, verify it still works, it makes zero difference whether they are in use or not due to the fact the SID will be dealing with the communication. You can rename a live group without impacting.
Regards
Alex
I have done some testing. Using powershell:
Rename-ADObject -identity "cn=ServerA_folder_rw.....
The only issue I came across is it did not change the SamAccountName. I changed the SamAccountName manually in ADUC. The SID and ObjectGUID were not affected.
Is there a reason for the SamAccount name not changing initially?
Rename-ADObject -identity "cn=ServerA_folder_rw.....
The only issue I came across is it did not change the SamAccountName. I changed the SamAccountName manually in ADUC. The SID and ObjectGUID were not affected.
Is there a reason for the SamAccount name not changing initially?
Use set-adgroup as well as rename-adobject
Set-ADGroup GroupOldName -SamAccountName GroupNewName
You'd need to do this for all the groups you want to rename. If you give me your naming convention or a source to work from I can script it.
Regards
Alex
Set-ADGroup GroupOldName -SamAccountName GroupNewName
You'd need to do this for all the groups you want to rename. If you give me your naming convention or a source to work from I can script it.
Regards
Alex
Thank you. I think the renaming part is clear. I will spilt the replacement part to a new question. The reason why we can't rename the server specific groups is they are still needed with their old names on the old server. The folder specific groups we will rename, as the entire folder is moving and will no longer exist on the old server. Thank you so much for helping with this!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial