From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 09, 2005 9:18 AM
To: [email protected]
Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS Migrator
Hi,
We are migrating from Novell and NT4 (single domain) to Windows 2003/AD.
We are using Quest NDS Migrator to migrate files (INCL. permissions) from Novell File Server to Windows 2003 file server.
SOURCE ENVIRONMENT:
* Novell File Servers with Novell NDS
* Windows NT4 domain
* Windows 95/98 clients with the Novell client authenticate to the NDS and to the Windows NT4 domain

TARGET ENVIRONMENT:
* Windows 2003 AD domain
* Windows 2003 File servers
* ACLs on migrated data are assigned to AD domain local groups
* AD users are members of the AD domain local groups and corresponding NT4 users are also members of the AD domain local groups
We are experiencing the following issue:
Take a Novell server with a volume called VOL1 so that the UNC path is \\NOVELLSRV\VOL1
Beneath VOL1 the following directory structure exists:

\\NOVELLSRV\VOL1\
    DATA\
        COMMON\            --> no trustees assigned!
            DIR1\          --> no trustees assigned!
                SUBDIR1    --> explicitly assigned trustee = GROUP1
                SUBDIR2    --> explicitly assigned trustee = GROUP2
            DIR2\          --> no trustees assigned!
                SUBDIR3    --> explicitly assigned trustee = GROUP3
                SUBDIR4    --> explicitly assigned trustee = GROUP4
Users have a mapping U: to \\NOVELLSRV\VOL1\DATA\COMMON (the contents of COMMON is the same as U:)
USER1 is a member of GROUP1
USER2 is a member of GROUP1 and GROUP4
Neither USER1 nor USER2 is a member of GROUP2 or GROUP3!!!
* When USER1 connects to U: he sees:

U:\
    DIR1\          --> no trustees assigned!
        SUBDIR1    --> explicitly assigned trustee = GROUP1

USER1 implicitly has the right to enter DIR1 (he sees nothing else) so that he's able to access the contents of SUBDIR1
* When USER2 connects to U: he sees:

U:\
    DIR1\          --> no trustees assigned!
        SUBDIR1    --> explicitly assigned trustee = GROUP1
    DIR2\          --> no trustees assigned!
        SUBDIR4    --> explicitly assigned trustee = GROUP4

USER2 implicitly has the right (I think in Novell it is called File Scan) to enter DIR1 (he sees nothing else) so that he's able to access the contents of SUBDIR1
USER2 implicitly has the right (I think in Novell it is called File Scan) to enter DIR2 (he sees nothing else) so that he's able to access the contents of SUBDIR4
Quest NDS Migrator has not been configured with default ACLs so that NDS Migrator uses as default ACL DOMAIN ADMINS with Full Control
USER1 and USER2 in the NDS have been matched with USER1 and USER2 in AD
GROUP1, GROUP2, GROUP3 and GROUP4 have been migrated to AD including the memberships
After the data is migrated to Windows 2003 the following issue occurs:
The folder SUBDIR1 has an ACE explicitly defined for GROUP1 (equivalent to the permissions assigned to GROUP1 in the NDS)
The folder SUBDIR2 has an ACE explicitly defined for GROUP2 (equivalent to the permissions assigned to GROUP2 in the NDS)
The folder SUBDIR3 has an ACE explicitly defined for GROUP3 (equivalent to the permissions assigned to GROUP3 in the NDS)
The folder SUBDIR4 has an ACE explicitly defined for GROUP4 (equivalent to the permissions assigned to GROUP4 in the NDS)
* When USER1 or USER2 connects to U: (now mapped to a UNC path on the Windows server) they see:

U:\
    DIR1\    --> ACL = DOMAIN ADMINS with FC
    DIR2\    --> ACL = DOMAIN ADMINS with FC
THE ISSUES:
* USER1 is not able to access SUBDIR1 because he is not able to navigate through DIR1, as it does not have explicit permissions defined (this was also the case in Novell)
* USER2 is not able to access SUBDIR1 because he is not able to navigate through DIR1, as it does not have explicit permissions defined (this was also the case in Novell)
* USER2 is not able to access SUBDIR4 because he is not able to navigate through DIR2, as it does not have explicit permissions defined (this was also the case in Novell)
How can this situation be solved so that USER1 and USER2 can navigate through the folders DIR1 and DIR2?
In Novell permissions do not only flow down the structure but they also go up the structure so that users can access folders on a lower level if permissions have been assigned to that lower level (to a group the user is a member of)
Shouldn't NDS Migrator calculate the permissions that are needed on higher levels of the directory so that users can access lower levels of folders and files? In this situation the WINDOWS ACLs should be something like:

\\WINDOWSSRV\
    DATA\              --> ACL = DOMAIN ADMINS with FC
        COMMON\        --> ACL = DOMAIN ADMINS with FC
            DIR1\      --> ACL = DOMAIN ADMINS with FC and GROUP1 and GROUP2 with LIST FOLDER CONTENTS
                SUBDIR1    --> ACL = GROUP1 with inheritance off
                SUBDIR2    --> ACL = GROUP2 with inheritance off
            DIR2\      --> ACL = DOMAIN ADMINS with FC and GROUP1 and GROUP2 with LIST FOLDER CONTENTS
                SUBDIR3    --> ACL = GROUP3 with inheritance off
                SUBDIR4    --> ACL = GROUP4 with inheritance off
The solution I thought of was by configuring a default ACL for AUTHENTICATED USERS with THE LIST FOLDER CONTENTS permission. I think this solution will work so that users can navigate to lower levels where they really have access rights to do whatever they want to do. On the other side this solution is unacceptable because EVERY USER will be able to navigate (i.e. SEE) to every folder on the file system!
By the way, the following really is fun: let's have a file with path U:\DIR1\SUBDIR1\README.TXT (from the example above)... Users that have explicit change or read permissions on the file README.TXT cannot navigate to the file with Explorer, BUT if they insert U:\DIR1\SUBDIR1\README.TXT into the RUN dialog box (Start menu -> Run) NOTEPAD opens the file.
I have also been trying to figure out how the right "Bypass Traverse Checking" (as mentioned in http://msdn.microsoft.com/library/default.asp?url=) works and until now without success (at least how I would like it to work -> navigating through folders to lower level folders with permissions assigned to users). Any info on this?
Have any of you guys had any experience on this? If so, feel free to contact me offline
THANX IN ADVANCE!!!
Regards,
Jorge
PS: I'm glad MS is going toward the permissions structure (with W2K3 SP1) like Novell has. It is still not perfect, but it's a beginning. AND maybe some day (Windows 2011?) we will be able to configure file system permissions through AD like is possible with the NDS. The possibility of configuring permissions for the file system through GPOs is a nice feature but far from perfect. Also any thoughts on this are welcome.
Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter -
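The "upward" permission calculation asked for in the post, as an added example (this is not code from the original message, from Quest NDS Migrator, or from Microsoft). Explorer enumerates each level of the path, so it needs a list ACE on every folder it enters; opening U:\DIR1\SUBDIR1\README.TXT from the Run dialog works because Bypass Traverse Checking (SeChangeNotifyPrivilege) is granted to Everyone by default and lets a caller reach a file by full path with no rights on the intermediate folders. The script below takes the explicit trustee assignments from the post (constructed sample data, keyed by path relative to the volume root), gives every ancestor, including the share root COMMON, a this-folder-only list/traverse ACE for exactly the groups that hold rights somewhere below it, emits the corresponding icacls lines, and models what each user would see in Explorer with and without Access-Based Enumeration. The drive letter D: and the domain name CONTOSO are assumed values.

```python
"""
Added example: derive the 'upward' list/traverse ACEs that NTFS needs on the
parent folders of a migrated Novell volume, emit icacls commands for them, and
model what a user would see in Explorer with and without Access-Based
Enumeration.  Sample data is constructed from the tree in the post above.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: explicit NDS trustee assignments, relative to the volume
# root, as the migration tool would report them (folder -> groups).
EXPLICIT_TRUSTEES = {
    r"DATA\COMMON\DIR1\SUBDIR1": {"GROUP1"},
    r"DATA\COMMON\DIR1\SUBDIR2": {"GROUP2"},
    r"DATA\COMMON\DIR2\SUBDIR3": {"GROUP3"},
    r"DATA\COMMON\DIR2\SUBDIR4": {"GROUP4"},
}


def ancestors(path):
    """All parent folders of a relative path, nearest first, excluding '.'."""
    return [str(p) for p in PureWindowsPath(path).parents if str(p) != "."]


def traverse_aces(explicit):
    """Return {folder: groups} of list/traverse ACEs needed on each ancestor.

    A group that already has an explicit ACE on an ancestor is skipped there
    (assumption: that explicit ACE already allows at least listing).
    """
    needed = defaultdict(set)
    for path, groups in explicit.items():
        for anc in ancestors(path):
            needed[anc] |= groups - explicit.get(anc, set())
    return dict(needed)


def icacls_commands(needed, volume_root=r"D:", domain="CONTOSO"):
    """icacls lines granting this-folder-only list+traverse to each group.

    RD = list directory, X = traverse, RA = read attributes.  No (OI)/(CI)
    flag means the ACE applies to this folder only, so nothing flows down to
    sibling subfolders the group must not enter.  The GUI's 'List folder
    contents' entry is RX with (CI) and would propagate.  Drive letter and
    domain are assumed values.
    """
    cmds = []
    for folder in sorted(needed):
        for group in sorted(needed[folder]):
            cmds.append(
                f'icacls "{volume_root}\\{folder}" /grant "{domain}\\{group}:(RD,X,RA)"'
            )
    return cmds


def build_tree(explicit):
    """parent folder -> list of child folders, for every folder in the tree."""
    folders = set(explicit)
    for path in explicit:
        folders.update(ancestors(path))
    children = defaultdict(list)
    for folder in folders:
        parent = str(PureWindowsPath(folder).parent)
        if parent != ".":
            children[parent].append(folder)
    return children


def browse(share_root, user_groups, explicit, needed, abe=False):
    """Folders a user sees when walking down from share_root in Explorer.

    Explorer must list each level, so it needs a list ACE on every folder it
    enters.  Without Access-Based Enumeration (abe=False) the names of all
    children of a listable folder are shown, even ones the user cannot open;
    with ABE (Windows Server 2003 SP1 and later) those names are hidden.
    """
    children = build_tree(explicit)
    seen = []

    def listable(folder):
        allowed = explicit.get(folder, set()) | needed.get(folder, set())
        return bool(user_groups & allowed)

    def walk(folder):
        if not listable(folder):
            return
        for child in sorted(children[folder]):
            if abe and not listable(child):
                continue
            seen.append(child)
            walk(child)

    walk(share_root)
    return seen


if __name__ == "__main__":
    needed = traverse_aces(EXPLICIT_TRUSTEES)
    print("\n".join(icacls_commands(needed)))
    for name, groups in (("USER1", {"GROUP1"}), ("USER2", {"GROUP1", "GROUP4"})):
        print(name, "without ABE:", browse(r"DATA\COMMON", groups, EXPLICIT_TRUSTEES, needed))
        print(name, "with ABE:   ", browse(r"DATA\COMMON", groups, EXPLICIT_TRUSTEES, needed, abe=True))
```

With the computed ACEs, DIR1 gets GROUP1 and GROUP2 and DIR2 gets GROUP3 and GROUP4, so a GROUP1 member can enter DIR1 but not DIR2 and the "Authenticated Users can see everything" workaround is avoided. Without ABE on the share, that member still sees the name SUBDIR2 in DIR1 (NTFS listing shows all child names once you may list the parent); enabling Access-Based Enumeration on the share hides it and reproduces the Novell behaviour exactly.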
