RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Sakari Kouti
Title: Migrating access rights from Novell/NDS to W2K3/AD with NDS migrator



It's been my dream for over ten years that NTFS would get a similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.

Yours, Sakari


  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Wednesday, February 09, 2005 10:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
  with NDS migra tor

  Hi,

  clipclipclip

  Regards,
  Jorge

  PS.: I'm glad MS is going toward the permissions structure (with W2K3 SP1)
  like Novell has. It is still not perfect, but it's a beginning. And maybe
  some day (Windows 2011?) we will be able to configure file system
  permissions through AD, as is possible with NDS. The possibility of
  configuring permissions for the file system through GPOs is a nice feature
  but far from perfect. Also, any thoughts on this are welcome.


RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy
Isn't that what Access-based Directory Enumeration does? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Rick Kingslan
Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy Andersson
I've been somewhere in time... As usual ;)

/The Swede


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread deji
Jimmy always sees his shadow around this time - Summit must be around the
corner :-p
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon





RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy Andersson
LOL! :P

/J 


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Eric Fleischman
It seems Sakari's dream has come true.

The SP1 docs cover this.
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
Look at 02_accessenum.doc

In AD you could have done this before, though (if I understand the ask
correctly), by removing list_contents from the parent, giving explicit
perms to the child and enabling list object mode with the appropriate
mod. For AD, this is old news.

~Eric




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Grillenmeier, Guido
Title: Migrating access rights from Novell/NDS to W2K3/AD with NDS migrator



Hey Jorge - I see you've already got a whole list of replies with great tips
on how to get around this ;-))

Fact is, it's a well known restriction.

Sure, NDS migrator could maybe add some more logic to figure out the correct
permissions you really need, but as there is no real match to so many
permissions that you have on the Novell FileSystem, this is a tough one for
larger and more complex environments truly leveraging the Novell OS's
capabilities.

As such I typically didn't use the ACL migration features and instead
analysed the real security needs of the customer. Then I created the
permissions as they make sense in NTFS via script. This also allows you to
leverage inheritance on the NTFS side (as NDS migrator would typically just
set explicit rights). It makes sense to set the rights on an empty folder
structure prior to copying the data, so that the files receive the correct
permissions.

"By the way the following really is fun: Let's have a file with path
U:\DIR1\SUBDIR1\README.TXT (from the example above)... Users that have
explicit change or read permissions on the file README.TXT can not navigate
to file with explorer BUT if they insert U:\DIR1\SUBDIR1\README.TXT into the
RUN dialog box (start menu - run) NOTEPAD opens the file."

=> that's exactly what the "Bypass traverse checking" option is all about
=> the OS doesn't check permissions on the folders in the path, when you
enter the full path to a file... (i.e. it skips/bypasses the security
check... until it has traversed all folders and reaches the target
object...)

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Hi,

We are migrating from Novell and NT4 (single domain) to Windows 2003/AD.
We are using Quest NDS Migrator to migrate files (INCL. permissions) from
Novell File Server to Windows 2003 file server.

SOURCE ENVIRONMENT:
* Novell File Servers with Novell NDS
* Windows NT4 domain
* Windows 95/98 clients with the Novell client authenticate to the NDS and
  to the Windows NT4 domain

TARGET ENVIRONMENT:
* Windows 2003 AD domain
* Windows 2003 File servers
* ACLs on migrated data are assigned to AD domain local groups
* AD users are members of the AD domain local groups and corresponding NT4
  users are also members of the AD domain local groups

We are experiencing the following issue:

Take a Novell server with a volume called VOL1 so that the UNC path is
\\NOVELLSRV\VOL1

Beneath VOL1 the following directory structure exists:

\\NOVELLSRV\VOL1\
  DATA\
    COMMON\ -- no trustees assigned!
      DIR1\ -- no trustees assigned!
        SUBDIR1 -- explicitly assigned trustee = GROUP1
        SUBDIR2 -- explicitly assigned trustee = GROUP2
      DIR2\ -- no trustees assigned!
        SUBDIR3 -- explicitly assigned trustee = GROUP3
        SUBDIR4 -- explicitly assigned trustee = GROUP4

Users have a mapping U: to \\NOVELLSRV\VOL1\DATA\COMMON (the contents of
COMMON is the same as U:)

USER 1 is a member of GROUP1
USER 2 is a member of GROUP1 and GROUP4
Neither USER1 nor USER2 is a member of GROUP2 or GROUP3!!!

* When USER1 connects to U: he sees:

U:\
  DIR1\ -- no trustees assigned!
    SUBDIR1 -- explicitly assigned trustee = GROUP1

USER1 implicitly has the right to enter DIR1 (he sees nothing else) so that
he's able to access the contents of SUBDIR1

* When USER2 connects to U: he sees:

U:\
  DIR1\ -- no trustees assigned!
    SUBDIR1 -- explicitly assigned trustee = GROUP1
  DIR2\ -- no trustees assigned!
    SUBDIR4 -- explicitly assigned trustee = GROUP4

USER2 implicitly has the right (I think in Novell it is called File Scan) to
enter DIR1 (he sees nothing else) so that he's able to access the contents
of SUBDIR1
USER2 implicitly has the right (I think in Novell it is called File Scan) to
enter DIR2 (he sees nothing else) so that he's able to access the contents
of SUBDIR4

Quest NDS Migrator has not been configured with default ACLs so that NDS
Migrator uses as default ACL DOMAIN ADMINS with Full Control

USER1 and USER2 in the NDS have been matched with USER1 and USER2 in AD.
GROUP1, GROUP2, GROUP3 and GROUP4 have been migrated to AD including the
memberships.

After the data is migrated to Windows 2003 the following issue occurs:

The folder SUBDIR1 has an ACE explicitly defined to GROUP1 (equivalent to
the permissions assigned to GROUP1 in the NDS)
The folder SUBDIR2 has an ACE explicitly defined to GROUP2 (equivalent to
the permissions assigned to GROUP2 in the NDS)
The folder SUBDIR3 has an ACE explicitly defined to GROUP3 (equivalent to
the permissions assigned to GROUP3 in the NDS)
The folder SUBDIR4 has an ACE explicitly defined to GROUP4 (equivalent to
the permissions assigned to GROUP4 in the NDS)
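
One way to script the approach Guido describes (set rights on an empty folder structure before copying data), applied to the directory tree in Jorge's post. This is an added example, not code from the thread or from Quest NDS Migrator; the root path `D:\DATA\COMMON`, the domain name `EXAMPLE` and the choice of Modify on the leaf folders are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the target file server
# BEFORE copying data, so that copied files inherit the permissions set here.
# Assumptions (constructed): the $Root path, the EXAMPLE domain name, and
# 'Modify' as the NTFS equivalent of the NetWare trustee rights.
# GROUP1..GROUP4 and the folder names are the ones in the original post.

$Root   = 'D:\DATA\COMMON'
$Domain = 'EXAMPLE'

# Leaf folder -> group that was the explicit trustee on the NetWare volume.
$Layout = [ordered]@{
    'DIR1\SUBDIR1' = 'GROUP1'
    'DIR1\SUBDIR2' = 'GROUP2'
    'DIR2\SUBDIR3' = 'GROUP3'
    'DIR2\SUBDIR4' = 'GROUP4'
}

function New-AllowRule {
    param([string]$Identity, [string]$Rights, [switch]$ThisFolderOnly)
    # "This folder only" ACEs are not inherited by children; the default is
    # "this folder, subfolders and files".
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit,ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, 'None', 'Allow'
}

function Add-Rule {
    param([string]$Path, $Rule)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Root: stop inheriting from the volume and start from the default ACL
#    mentioned in the post (Domain Admins with Full Control), inheritable.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect, drop inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($ace)       # clear any explicit leftovers
}
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Admins" 'FullControl'))
Set-Acl -Path $Root -AclObject $acl

foreach ($leaf in $Layout.Keys) {
    $group = "$Domain\$($Layout[$leaf])"
    $path  = Join-Path $Root $leaf
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # 2. Leaf folder: inheritable ACE, so files copied in later pick it up.
    Add-Rule $path (New-AllowRule $group 'Modify')

    # 3. Every ancestor up to $Root: Read & Execute on this folder only.
    #    This is the explicit NTFS stand-in for the implicit right NetWare
    #    gave on DIR1/DIR2; it lets the group browse down to its subfolder
    #    without granting anything on sibling folders or on files.
    $parent = Split-Path -Parent $path
    while ($parent.Length -ge $Root.Length) {
        Add-Rule $parent (New-AllowRule $group 'ReadAndExecute' -ThisFolderOnly)
        $parent = Split-Path -Parent $parent
    }
}

# 4. Review the explicit (non-inherited) ACEs that were written.
Get-ChildItem -Path $Root -Recurse -Directory | ForEach-Object {
    $dir = $_.FullName
    (Get-Acl -Path $dir).Access | Where-Object { -not $_.IsInherited } |
        Select-Object @{n='Folder';e={$dir}}, IdentityReference,
                      FileSystemRights, InheritanceFlags
} | Format-Table -AutoSize
```

With these ACLs a member of GROUP1 can browse U:\DIR1 but still sees the name of SUBDIR2 (and gets access denied on it) unless Access-based Directory Enumeration, discussed elsewhere in this thread, is enabled on the share.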



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Sakari Kouti
Yes, Access-based Directory Enumeration is just what I described in my dream. 
Thanks to Eric and Jimmy for the clarification. And thanks to Microsoft for 
implementing it. Now my dream list contains only the other features listed in 
the messages from me and Jorge, and a Ferrari and the other usual stuff, of 
course.

About AD. Yes, the List Object mode was there from the beginning, but it is 
manual, while the NDS approach is automatic.

Yours, Sakari
  



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Dean Wells
I'm compelled to yell on this topic, it just doesn't work.  Implement
something practical comparable to 5 seconds' worth of tweaking NDS rights and
send me the instructions as I've yet to be close to satisfied with the
results of this particular feature.

That said, AD still makes me happy! :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

Yes, Access-based Directory Enumeration is just what I described in my
dream. Thanks to Eric and Jimmy for the clarification. And thanks to
Microsoft for implementing it. Now my dream list contains only the other
features listed in the messages from me and Jorge, and a Ferrari and the
other usual stuff, of course.

About AD. Yes, the List Object mode was there from the beginning, but it is
manual, while the NDS approach is automatic.

Yours, Sakari
  

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
 Sent: Wednesday, February 09, 2005 5:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
 
 It seems Sakari's dream has come true.
 
 The SP1 docs cover this.
 http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
 Look at 02_accessenum.doc
 
 AD you could have done this before though (if I understand the ask
 correctly) by removing list_contents from the parent, giving explicit 
 perms to the child and enabling list object mode with the appropriate 
 mod. For AD, this is old news.
 
 ~Eric
 
 
 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
 Sent: Wednesday, February 09, 2005 6:19 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
 
 Isn't that what Access-based Directory Enumeration does? This feature is 
 not enabled by default in SP1, though. I haven't tried the feature yet 
 so I can't verify it.
 
 Regards,
 /Jimmy
 
 - 
 Jimmy Andersson, Q Advice AB 
  Principal Advisor 
  Microsoft MVP - Directory Services
 -- www.qadvice.com --
 
  
 
 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
 Sent: Wednesday, February 09, 2005 12:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
 
 
 It's been my dream over ten years that NTFS would get similar 
 permission feature to what has been in NetWare all these years. When a 
 user has permissions to a given subfolder, it's almost always most 
 logical that this subfolder (automatically or implicitly up to the 
 root) would become visible to her. And vice versa, when she has no 
 permissions to a subfolder, it would be logical that this subfolder is 
 invisible to her.
  
 And it has been my dream for six years that the same would apply to 
 AD, as has always been with NDS.
  
 While we are on the subject, another extremely handy feature of NDS 
 would be most welcome in AD. That is, each OU would be a sec prin, so 
 if you want to grant permissions to all people in the Sales OU, you 
 wouldn't have to create a parallel sec group for that.
  
 Yours, Sakari
  
 
 
 
 
 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
   Sent: Wednesday, February 09, 2005 10:18 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
   
   
 
 Hi,
 
   clipclipclip
 
   Regards, 
   Jorge
 
   PS.: I'm glad MS is going toward the permissions structure (with W2K3 SP1)
 like Novell has. It is still not perfect, but it's a beginning. AND maybe
 some day (Windows 2011?) we will be able to configure file system permissions
 through AD as is possible with the NDS. The possibility of configuring
 permissions for the file system through GPOs is a nice feature but far from
 perfect. Also any thoughts on this are welcome.
 
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail