NAS ReACL Profiles
The default NAS ReACL profile is used if a different profile is not defined and set on the NAS computers. The default NAS ReACL profile can be edited.
To add NAS ReACL profiles:
-
On the NAS ReACL Profiles page, click the Add button. The NAS ReACL Profile window appears.
- In the Profile Name field, enter a name to identify this NAS ReACL Profile.
- Select a Logging Level, either Informational (default) or Debugging.
- Enter the network errors that will trigger a retry in the Retry If the Following Error Codes Are Encountered box. By default, errors 53 and 64 will trigger a retry.
- Enter the number of retries to attempt in the Retry Count field. The default retry count is 10 times.
- Enter the number of seconds between network error retries in the Retry Interval field. The default interval is 1 second.
- Click Next.
-
Select the components to process.
If the Preserve the "Archive" Bit box is left unchecked, the archive bit will be reset. If checked, the archive bit will not be reset.
-
In the Exclude These Paths From Processing box, enter folder paths that will not be included in the ReACL process. Wild card characters (* and ?) can be used when specifying blacklist folders. Separate the paths by pressing Enter. By default, the following folders are blacklisted:
- \Windows
- \WINNT
- \I386
- \Windows\I386
- \Program Files
- \PROGRAM FILES (x86)
- \MSOCACHE
- \System Volume Information
- \Recycler
- \$RECYCLE.BIN
- \CONFIG.MSI
- \RECOVERY
- \OEM
- \Quarantine
- \BOOT
- \ProgramData\Microsoft\Windows Defender
-
In the Exclude These Registry Keys From Processing box, enter registry keys that will not be included in the ReACL process. A leading '\' is not necessary. Separate the paths by pressing Enter. The following wild card characters are permitted when specifying registry keys:
- * matches zero or more characters in a key name, but not the '\' path delimiter.
- ? matches any single character.
- ** matches zero or more parent keys.
Examples:
- HKEY_LOCAL_MACHINE\SOFTWARE\XYZ – a single key
- HKEY_LOCAL_MACHINE\SOFTWARE\XY* – all keys starting with "XY" in HKEY_LOCAL_MACHINE\SOFTWARE
- HKEY_LOCAL_MACHINE\SOFTWARE\?YZ – all 3-character keys ending with "YZ" in HKEY_LOCAL_MACHINE\SOFTWARE
- HKEY_LOCAL_MACHINE\**\XYZ – all keys named "XYZ" anywhere under HKEY_LOCAL_MACHINE
- **\XYZ – all keys named "XYZ" in any registry hive
-
Select an option from the Elevate Permissions Failure Action drop-down list to choose the action that should be taken if any part of the ReACL process encounters errors.
In order to successfully adjust permissions, Migrator Pro for Active Directory must create a process with a security token that has been assigned additional permissions. The token is said to have elevated rights/permissions. If this process fails, it is likely that the ReACL will be largely unsuccessful in updating the operating system for use by target user accounts.
- The default is Terminate processing with fatal error, meaning the ReACL process for that computer is stopped as soon as an error occurs. This is a time-saving option. The ReACL process is reported as Failed in the Computers View. A computer cannot be Cutover if the ReACL process reports as Failed. This is the recommended setting.
- If you choose Log error entry, the entire process will attempt to complete when an Elevate Failure error is encountered, but the process will still be reported as Failed. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
- If you choose Log warning entry, a warning entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results.
- If you choose Log informational entry, an info entry will be logged, however the process will be reported as Successful. This choice allows experienced migration architects to analyze the logs and choose to Cutover anyway based on their analysis of the results. We suggest choosing Warning over Info as that will make the entries easier to locate in the log.
-
Select an option from the Preserve Rollback Metadata in ACLs drop-down list.
Migrator Pro for Active Directory inserts a "breadcrumb” during the ReACL process to allow seamless rollback of the ReACL process if needed. You can control the insertion of these breadcrumbs (which are removed during the Cleanup process) if desired, here.
-
The default is Always and does not affect performance. We recommend this setting. This is the only setting where the changes performed by the ReACL process can be rolled back, or undone, in all scenarios.
-
If you choose Only If Ambiguous, metadata will only be included when the rollback settings would be ambiguous. Only If Ambiguous results in the addition of fewer breadcrumbs, preserving usage for times when it may be impossible to determine the original file or folder permissions. For example, when users have accounts in multiple domains that will be consolidated into a single domain.
Note that Only If Ambiguous guarantees a ReACL can be rolled back to the original state only when the file system permissions remained unchanged. Modification of ACLs on the file system could create a state where a rollback cannot complete with 100% success. To ensure the ability for a ReACL Rollback in all scenarios, Always should be selected.
-
If you are an experienced migration architect, you may choose Never to never include metadata.
If Never is selected, a complete rollback may not be possible.
-
-
Select Yes under Run Processing in Simulation Mode) to simulate the results of the ReACL process without actually making any changes to the ACL. Visit the logs/reports to determine any potential issues and correct them before running an actual ReACL process. You might use this setting to create a Device ReACL Profile specifically for testing purposes.
- Click Save Profile. The new NAS ReACL Profile is added to the list.
