Migration Manager for AD 8.15 - Resource Processing Guide

Processed Rights and Resources

This section describes which resources or rights can be processed by Vmover.

Parameters that define processing options for Vmover are specified under the [Options] section of the Vmover INI file. For example of Vmover INI file, see the What do the parameters and data stored in the vmover.ini mean KB article.

The following table lists resources and rights that can be processed by Vmover on local and remote computers:

Local group membership

Vmover adds target accounts to the local groups that contain the corresponding source accounts.

User rights

Vmover assigns target accounts exactly the same user rights as the corresponding source accounts have.

Service accounts

For each Windows service Vmover updates the account that the service uses to log on. For example, if a service runs under SOURCE\User1 and User1 is migrated to the target domain, the account will be changed to TARGET\User1.

Scheduled tasks

Vmover processes scheduled task accounts and permissions. For example, if a task runs as SOURCE\User1 and User1 is migrated to the target domain, the task account will be changed to TARGET\User1.

Objects processed

For each scheduled task Vmover performs the following:

• Updates scheduled task account (account under which task runs)
• Duplicates entry for the updated scheduled task account in the Credential Manager if original account is presented there.
• Processes accounts specified in the task’s triggers (if any)
• Updates the permissions for the task file

Local profiles

Vmover processes local profiles of source users.

Objects processed

For each local profile, Vmover performs the following steps:

1. Vmover creates a new user profile for the corresponding target user that is linked to the same local profile file as the source user.
   

   NOTE:The paths to user profile files are stored in the ProfileImagePath values of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList sub-keys.

2. Vmover processes the registry hive from each local profile file (ntuser.dat or ntuser.man) and also registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.

Roaming profiles

Vmover updates roaming user profiles.

Objects processed

For each roaming profile found on a computer, Vmover performs the following steps:

1. Vmover processes the registry hive from the roaming user profile file (ntuser.dat or ntuser.man) and also registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.
2. Vmover processes permissions for ntuser.dat and ntuser.man files. For details on permissions processed, see the File system and File ownership sections.

Registry

Vmover processes permissions for all keys in the HKEY_LOCAL_MACHINE subtree of Windows Registry. If processed computer is not a Windows cluster, keys from the HKEY_USERS subtree are processed as well.

Objects processed

Vmover grants target account exactly the same permissions as the corresponding source account has. The following properties are updated:

• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Owner
• Primary group

File system

Vmover updates permissions for files and folders located on local hard disk drives with NTFS or ReFS format.

Objects processed

Vmover grants target account exactly the same permissions on files and folders as the corresponding source account has. The following properties are updated for files and folders:

• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Primary group

File ownership

The ownership of the files and folders in the file system is changed from the source account to the corresponding target account. For example, if a file owner is SOURCE\User1 and User1 is migrated to the target domain, the file owner will be changed to TARGET\User1.

The file owner is specified on the Owner tab of Advanced Security Settings dialog in the file or folder Properties.

Shares

Vmover updates share permissions.

Printers

Vmover processes permissions for local printers and for network printer connections.

Objects processed

Vmover grants target account exactly the same permissions as the corresponding source account has.

The following properties are updated:

• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
• Owner
• Primary group

COM+

Vmover processes settings for all COM+ application installed on a computer.

Objects Processed

For each installed COM+ application the following items are processed:

• Account under which the application runs
• Accounts assigned to roles

DCOM

Vmover processes the DCOM security settings.

Objects Processed

The following computer-wide settings are processed:

• Launch and Activation Permissions (both Limits and Defaults)
• Access Permissions (both Limits and Defaults)

The following settings are processed for each DCOM application:

• Launch and Activation Permissions
• Access Permissions
• Configuration Permissions
• User account that is used to run the application

Corresponding registry entries processed by Vmover are

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry values:
  1. DefaultAccessPermission
  2. DefaultLaunchPermission
  3. MachineAccessRestriction
  4. MachineLaunchRestriction
• For each sub-key in HKEY_CLASSES_ROOT\AppId:
  1. Key security (see Registry section for details)
  2. RunAs value
  3. AccessPermission value
  4. LaunchPermission value
  5. AccessPermissions value
  6. LaunchPermissions value

IIS

Vmover processes IIS 6.0 metabase properties and IIS 7.x/8.x/10.0 settings.

Objects processed

IIS 6.0 metabase properties

The following IIS metabase properties are processed:

• AdminAcl
• AnonymousUserName
• WAMUserName
• UNCUserName
• All properties that are explicitly specified in the Vmover INI file under [IIS Identifiers] (see product documentation for details).

IIS 7 or higher settings

For IIS version 7.0 or higher the following settings are updated:

• Site or server settings:
  • ASP.NET– .Net Authorization Rules
  • ASP.NET–Providers (user name in connection strings)
  • ASP.NET–Session State (user name in connection strings)
  • ASP.NET–SMTP E-Mail
  • FTP–FTP Authentication
    • Anonymous Authentication (user name)
    • Basic Authentication (domain)
  • FTP–FTP Authorization Rules
  • FTP-FTP User Isolation (IIS 8 and higher)
  • IIS–Authentication
    • Anonymous Authentication (user name)
    • ASP.NET Impersonation (user name)
    • Basic Authentication (domain)
  • IIS–Authorization Rules
  • IIS–Logging–ODBC Logging
  • IIS–WebDAV Authoring Rules
  • Site Basic Settings (user name in Connect As)
  • Site Advanced Settings (user name in Physical Path Credentials)
• Application pool settings:
  • Identity
  • Application Pools Default Identity
• Management

  • IIS Manager Permissions

  • Shared Configuration

  • Centralized Certificates

Command-Line Parameters

Vmover should be run using the following command-line syntax:

Vmover.exe /c [/ini=IniFile] [/roaming=UserDatPath] [/volume=Path]

[/system=Computer]

Explanation

/c—Mandatory parameter for command-line usage.

/ini—Optional parameter. Name of the INI file that contains the parameters for the update.

/roaming—Processes roaming profiles. If the /roaming parameter is specified, Vmover will process only profile on which the parameter's value indicates. Recursive bypass through the subfolders with profiles will not be performed.

/volume—Processes file system permissions in the specified location

/system—Specifies the computer name. By default, the local computer is updated.

/log—Specifies the location of the log file by means of overriding the LogFile key in the INI file.

/exclude—Sets exclude masks. Use the | symbol as a divider and the * symbol as a wildcard. During processing Vmover skips files and directories if their names match one of the specified exclude masks.

/excludepath—Sets exclude paths. Use the | symbol as a divider. During processing Vmover skips directories if their names match one of the specified exclude paths. This parameter should specify network paths, not local file system paths.

/recursion—Sets the recursion level. Vmover processes file system to the depth specified in this parameter, starting either from the path given in the /volume parameter (if specified) or from the root drive path.

/affinity—Sets the CPU affinity mask in a view of a bit mask that indicates what processors are eligible to be selected for work. The value of 1 means that only first processor will be used, the value of 2 means that only second processor will be used, the value of 3 allows to use only first and second processors and so on. If the mask specifies the number of processor, that exceeds the real number of processors in the system, Vmover will exit with an error displayed.

/priority—Sets the priority for Vmover.exe for the resource updating process, allowing you to avoid overloading the client computers when resource processing is running during working hours. The following priority values are used:

• A value of -2 means Low priority.
• A value of -1 means Below Normal priority.
• A value of 0 means Normal priority.
• A value of 1 means Above Normal priority.
• A value of 2 means High priority.
• A value of 3 means Realtime priority.

Remote Update

By default, Vmover applies the changes specified in the INI file on the local computer. To make Vmover update a remote computer, use the /system command-line parameter or add the /System=TargetComputerName key to the INI file. The following example shows how to use the /system command-line parameter:

Vmover /c /system=Mars

When Vmover is updating a remote computer, it locates all the system shares of the computer (such as c$ and d$) and updates all the files and folders located in the shares.

To update a specific share of the computer, use the /volume command-line parameter. In this case, no other shares will be affected. The following example shows how to use the /volume parameter:

Vmover /c /volume=\\Mars\Deimos

For a successful remote update, the account under which Vmover is started must be administrative and have the following privileges on the remote and local computers (granted explicitly or by establishing a net use connection):

• Restore files and directories
• Backup files and directories
• Take ownership of files and other objects
• Manage auditing and security log
• Bypass traverse checking

SIDHistory Mapping

By default, Vmover’s INI file contains source-target account pairs migrated by the moment when the file was generated.

Alternatively, Vmover can automatically locate and append to the INI file the pairs by analyzing the SID history of the accounts in the target domain. This lets you use the tool even if the object migration was performed not by Migration Manager but by another tool capable of adding sIDHistory.

To use sIDHistory mapping, the following parameters need to be added to the [options] section:

The source domains are specified in a separate section [SourceDomains]. Each line of the section should contain a source domain name and its SID, separated by a semicolon character (;).

The following is an example of an INI file with SIDHistory mapping:

[dmw4]

[Options]

FileSystem=No

Shares=Yes

LocalGroups=No

UserPrivileges=No

Printers=No

Registry=No

Profiles=No

InstallProfilesAgent=Yes

Services=No

ScheduledTasks=No

Clone=Yes

CleanUp=No

Undo=No

AutoRemove=No

MaxErrors=10

LogMask=-1

LogFile=Vmover.log

StateFile=Vmover.txt

Version=400

MaxCriticalErrors=10

MaxRegUsage=95

ProcessRegGroupOwner=No

UpdateStateSec=1

SetArchiveBit=No

sidHistory=Yes

hostName=pdc-target2000:389

ldapUser=administrator

ldapDomain=target2000

ldapPsw=‘adminpswd’

[SourceDomains]

TRUST;S-1-5-21-750286249-1451910610-2033415169

If SIDHistory mapping is used but the source-target pairs are also listed, both the SIDHistory pairs and the explicitly set pairs are used.