NT4 to W2K3 Migration - Help w/ built-in groups

Status
Not open for further replies.

TxJas

IS-IT--Management
Apr 29, 2002
US
The problem I am having is the inability to migrate built-in global groups from the NT4 PDC. A lot of my file level and share level security in the NT4 domain uses "Domain Users" instead of "Everyone". I'm not asking how this can be done, but rather what my alternatives are.

My theory is that I've completely misunderstood something
fundamental about the migration process. Seems like this
is something that just about everyone would be complaining
about, but I can't find anything anywhere about this issue.

Here is what I've done so far:

- Created a new Windows 2003 domain on a separate server.
- Set up the ADMTV2 via the Microsoft documentation
--this included the trust, auditing, domain admin perms,
etc.
- Created a test account in the NT4 domain
- Disabled SID Filtering
- Migrated all groups (other than NT4 built-in) to the new
domain w/ SID history
- Migrated the test user to the new domain w/ SID History

Here is where the problem occurs:

- Went to a Windows 2000 workstation that is part of the
NT4 domain and attempted to authenticate the migrated test
account to the new domain
- Logon successful, but access to NT4 resources is limited
- Any share or folder that specifies a built-in global
group (i.e., Domain Users, Domain Admins) in the NT4
domain denies access to the migrated user.

I can go through each folder/share and add the new domain
equivalent of "Domain Users" to the permissions set, but
this will take tons of my time and will probably cause
problems even when I think I've got it right (loads of files/shares). Is there any way around this?
 
OK, my NT4 skills are VERY rusty, but since you have the trust, I believe you should be able to add the Win2K Domain Users Group to the NT4 Domain Users Group membership list. That should grandfather them in.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Thanks for your reply, but you cannot nest global groups. You can nest global groups in local groups (i.e., global Domain Admins group can be nested in local Administrators group). Doing this would still force me to add or change the ACL and share permissions throughout my network since the ACL/share specifies "Domain Users" instead of "Users".

I am looking at ADMT's "Security Translation Wizard" tool as a way of automating the process. The documentation on the tool dictates that the tool is used to change permissions on one or more servers after they have been migrated to the new domain. A test run of the tool seems to indicate that I could run this in the NT4 domain and have it add the necessary permissions. I would be using the tool out of spec, so I'm worried that I will only make the situation worse. Has anyone tried anything like this before?
 
Yeah, like I said my NT4 is really rusty. Sounds like you have a handle on it though.

I've only used ADMT to migrate the user accounts.

Good luck!

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Thanks again markdmac. It's always a help to have someone else's eyes on an issue like this.

BTW, I also posted this topic in the Microsoft Newsgroup at


If anyone with this issue or anyone just interested in the outcome would like to read what Microsoft had to say, you can find it in this newsgroup. The subject heading is, "ADMTV2 Built-in Groups are headaches".

I am going to try and use the tool to add the necessary permissions in my NT4 domain. I will try and remember to post here when done.
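
An added example, not part of the thread and not ADMT's own code: a PowerShell sketch of the "add the new domain's Domain Users wherever the old one is granted" approach discussed above, which reports by default and only writes when `-Apply` is given. It covers NTFS ACLs only (share permissions are stored separately). Assumptions: `OLDDOM`, `NEWDOM` and `D:\Shares` are placeholders, and it runs under PowerShell 3.0 or later on a machine that can resolve names in both domains.

```powershell
# Added example, not from the thread. OLDDOM, NEWDOM and D:\Shares are placeholders.
param(
    [string]$Root     = 'D:\Shares',
    [string]$OldGroup = 'OLDDOM\Domain Users',
    [string]$NewGroup = 'NEWDOM\Domain Users',
    [switch]$Apply    # without -Apply nothing is written, the script only reports
)

# Resolve both names to SIDs up front; a failure here means the trust or
# name resolution is not working and nothing should be changed.
$sidType = [System.Security.Principal.SecurityIdentifier]
$oldSid  = ([System.Security.Principal.NTAccount]$OldGroup).Translate($sidType)
$newSid  = ([System.Security.Principal.NTAccount]$NewGroup).Translate($sidType)

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit ACEs only ($true), no inherited ones ($false): inherited entries
    # are fixed by correcting the parent they come from.
    $explicit = $acl.GetAccessRules($true, $false, $sidType)
    $added = 0
    foreach ($ace in $explicit) {
        if ($ace.IdentityReference.Value -ne $oldSid.Value) { continue }
        $status = 'would add'
        try {
            # Mirror the old ACE (same rights, inheritance and allow/deny) for the new group.
            $copy = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($copy)
            $added++
            if ($Apply) { $status = 'adding' }
        } catch {
            # The constructor throws for ACEs it cannot represent (for example
            # generic-rights bits); report them for manual review.
            $status = 'skipped: ' + $_.Exception.Message
        }
        [pscustomobject]@{ Path = $item.FullName; Rights = $ace.FileSystemRights
                           Type = $ace.AccessControlType; Status = $status }
    }
    if ($Apply -and $added -gt 0) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Because the old ACEs are left in place, the change is additive and accounts still in the NT4 domain keep their access; the report from a dry run doubles as an inventory of where the built-in group is used.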
 