-
Title
When performing resource updating, permissions for some users are not changed while for others are -
Description
When performing workstation or file server resource updating, permissions for some accounts are not updated, while at the same time these accounts are present in the vmover.ini file. This problem is more common for the resource updating based from the command line utility vmover.exe, but can also happen in any resource updating scenario where manual modification of vmover.ini is involved.
-
Cause
Among other reasons that are not described in this article this problem can be caused by two things outlined below.
-
Resolution
I. The Vmover.ini file structure is built based on simple mathematical formula where source RID (the last portion of SID) of every next user in the row except the very first one is calculated based on the value in the current row plus RID of previous user. If some entries are manually removed this is causing the entire reference model to break. Please avoid modifying vmover.ini file manually. Use Tools - Specify Custom Map dialogue of QMM RUM if some accounts need to be excluded.
II. SIDs on server that is being updated (ACL, Local Groups membership) are not the source user SIDs but are their SIDHistory values left from yet another migration project accomplished in the past. It is a known Microsoft behavior where SID will be resolved to user's name if this SID's value is contained in SIDHistory attribute. Sometimes the file servers have been migrated many times and may still have the legacy user's SIDs on the file system ACLs. In this case Vmover.ini file will only contain original source user's SID and will not be able to process such resources.
For example:
Project1: SID1=>SID2, User(SID2) has SID1 in SIDHistory. Resources were not updated at that time.
Project2: SID2=>SID3, User(SID3) has SID1 and SID2 in SIDHistory. Resources need to be updated.
File server contains permissions set to SID1, which are resolved via GUI to User(SID2) - source user for the Project2 - because of SIDHistory. However Vmover.ini file generated from Project2 contains SID2-SID3 mapping only.
Please refer to QMM Users Guide and use Vmover.exe in command line mode with SIDHistory=Yes switch added to the vmover.ini file:
"SIDHistory Mapping"
By default, Vmover's INI file contains source-target account pairs migrated by the moment when the file was generated. Alternatively, VMover can automatically locate and append to the INI file the pairs by analyzing the SIDHistory of the accounts in the target domain. This lets you use the tool even if the object migration was performed not by Quest Migration Manager but by another tool capable of adding SIDHistory.