DSACLS will let you do the reacling without having to worry about manually
doing it (although with one server it is probably not a big deal). I have
used it with a text file that maps old user account to new user account to
automate the repermissioning. You can also use this to repermission the
registry files including the user.dat file in the registry as part of a
profile move - although that applies to a workstation more than a server.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]
"Grillenmeier, Guido" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/03/2005 08:41 PM CET
Please respond to ActiveDir
To: <[email protected]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] copy or migrating local to domain accounts
there is an easier way, although you might not be able to leverage it,
depending on your situation.
1. you could promote the server to be the DC of a new temp-forest (will
take the local SAM and make "normal" AD accounts and groups out of it)
2. then create a trust to your target forest and use ADMT to migrate the
groups and users incl. PW over to your target forest + reacl the server's
resources to allow access from those target users/groups (pretty easy task
as you don't have to chase any user profiles on other boxes and can just
concentrate on that one machine for reacling...)
3. cut the trust and demote your temp-forest DC back to a standalone box
and then join it as a server to your target domain
done
/Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Tuesday, August 2, 2005 22:08
To: [email protected]
Subject: RE: [ActiveDir] copy or migrating local to domain accounts
How good are your scripting skills?
1) Dump the passwords from the local server using pwdump3e
2) Crack all the passwords using rainbow crack or l0phtcrack or whatever
3) Script the creation of the users in the domain setting those passwords
you cracked
Pretty easy. (And if you already know all the passwords, you can skip items
1 and 2 -- "net users" will list your local users and you can use "dsadd"
to add them to the domain!)
For extra credit:
4) Scan the filesystem finding all files with ACLs including the above
users, write the filenames and ACLs to a file and after you've promoted the
users and joined the domain, go back and re-ACL the files.
That's a little harder.
:-)
I've "promoted" web servers to a domain this way several times.
The real question is why does a local user no longer meet the needs on the
local server?
M
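An added example, not from any poster in this thread: the inventory-then-re-ACL step of Michael's item 4, driven by the kind of old-to-new account mapping file James describes, written with PowerShell's Get-Acl and Set-Acl rather than the tools named in the thread. The paths, the CSV column names and the WEB01/EXAMPLE account names are assumptions.

```powershell
# Added example. Paths, CSV columns and account names are assumptions.
# Map file (constructed sample), header "Old,New", one row per account:
#   WEB01\jsmith,EXAMPLE\jsmith
param(
    [ValidateSet('Inventory', 'Apply')] [string]$Mode = 'Inventory',
    [string]$Root      = 'D:\Data',                    # tree to scan (assumed)
    [string]$Inventory = 'C:\Temp\acl-inventory.csv',
    [string]$MapFile   = 'C:\Temp\account-map.csv'
)

if ($Mode -eq 'Inventory') {
    # Run BEFORE the domain join, from an elevated prompt.
    # Records only explicit ACEs that name a local account (COMPUTERNAME\user);
    # inherited ACEs are covered by the parent folder's row.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    $items | ForEach-Object {
        $path = $_.FullName
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { -not $_.IsInherited -and
                           $_.IdentityReference.Value -like "$env:COMPUTERNAME\*" } |
            Select-Object @{n = 'Path';     e = { $path } },
                          @{n = 'Identity'; e = { $_.IdentityReference.Value } },
                          FileSystemRights, AccessControlType,
                          InheritanceFlags, PropagationFlags
    } | Export-Csv -Path $Inventory -NoTypeInformation
    return
}

# Apply: run AFTER the join, once the domain accounts exist.
$map = @{}                                   # hashtable keys are case-insensitive
Import-Csv -Path $MapFile | ForEach-Object { $map[$_.Old] = $_.New }

foreach ($row in Import-Csv -Path $Inventory) {
    $new = $map[$row.Identity]
    if (-not $new) {
        Write-Warning "No mapping for $($row.Identity) on $($row.Path); skipped"
        continue
    }
    # Same rights, type and inheritance as the recorded ACE, new principal.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $new, $row.FileSystemRights, $row.InheritanceFlags,
        $row.PropagationFlags, $row.AccessControlType)
    $acl = Get-Acl -LiteralPath $row.Path
    $acl.AddAccessRule($rule)                # old local ACE is left in place
    Set-Acl -LiteralPath $row.Path -AclObject $acl
}
```

Because the Apply pass only adds ACEs, the inventory CSV doubles as a record of which local-account entries to review and remove once access through the domain accounts has been confirmed.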
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Tuesday, August 02, 2005 2:34 PM
To: [email protected]
Subject: [ActiveDir] copy or migrating local to domain accounts
I think that I already know the answer to the question, but I will ask
anyways. I have a test box (server) that is a stand-alone. I need to add
it to a domain, but I have a lot of local users on this box. Is there any
way to move, copy, or migrate the user accounts to the domain level?
Thanks
Lazy.. :-)