The User Management page allows you to enable role-based access control. When using role-based access control, users can be assigned a role to limit actions and access to information in the application.
The User Management page can be accessed by selecting Manage Roles under Settings in the action menu. This page is visible to all users if no Global Administrators have been defined and only to Global Administrators when one or more have been defined.
User Roles
Global Administrator
- Allows creation of new profiles
- Allows modification of configuration in the application/database for all profiles
- Allows creation or modification of Cutover activities and custom actions for all profiles
- Can submit migration events, including ReACL and Cutover actions for workstations, as well as user Cutover actions (enable/disable) for all profiles
- All configuration pages can be accessed
Profile Administrator
- Cannot create of new profiles
- Can submit migration events, including ReACL and Cutover actions for workstations, as well as user cutover actions (enable/disable)
- All configuration pages can be accessed
- Allow modification of configuration in the application/database
- Allow creation or modification of Cutover activities and custom actions
Migration Operator
- Can submit migration events, including ReACL and Cutover actions for workstations, as well as user cutover actions (enable/disable)
- Configuration pages cannot be accessed
- Cannot modify configuration in the application/database
- Cannot create or modify Cutover activities and custom actions
Read Only User
- Can view directory synchronization results and logs
- Can view Active Directory Cutover status
- Configuration pages cannot be accessed
- Cannot modify configuration in the application/database
- Cannot create or modify Cutover activities and custom actions
-
Problem: What do you do when a user tries to use a network printer post ReACL process and/or Cutover and receives an access denied error?
Solution: Synchronize the SID History for that User to resolve the problem.
-
Problem: ASP.NET will sometimes not register properly with IIS, which can cause errors when the Migrator Pro for Active Directory Agent tries to communicate with the Web Service. How do I address this?
Solution: During installation, the installer needs to enable the IIS feature for the Server if the feature was not enabled so that web-service can be installed and configured. To address this problem, you should manually re-register the ASP.NET with IIS. To do this, run the below command on the server under C:\Windows\Microsoft.NET\Framework\v4.8:
aspnet_regiis -i
-
Problem: Users are getting an error message that their Recycle Bin has been corrupted once their computer has been migrated.
Solution: This is a common issue with Domain Migrations and is caused when the Recycle Bin is not empty. This is happening because the name of the Recycle Bin is the user’s SID and the Recycle Bin cannot be ReACL’d. After the workstation has been ReACL’d and migrated when the user logs on, if the existing Recycle Bin is not empty the user cannot access it. But if the existing Recycle Bin is empty a new one is created and the Target user’s SID is the name of the Recycle Bin.
Resolution: Empty the Recycle Bin as part of the Cutover process
-
Problem: Directory Sync Pro for Active Directory does not start if SQL Authentication method is used with Windows Authentication.
Solution: Manually add the computer account to the SQL server and grant it the sysadmin role. To accomplish this, perform the following steps.
- Via the SQL Management Studio, open a new query window and enter the below script
- CREATE LOGIN [Domain\machine_name$] FROM WINDOWS
- Via the Security and Logins, locate the newly created Computer Name
- Grant this user with sysadmin role
-
Problem: A workstation that has been successfully cutover no longer responds to any additional jobs, such as Cleanup.
Solution: If a workstation that has been successfully cutover now fails to respond to any additional jobs, such as Cleanup, check the Application event log. If you see a "The remote name could not be resolved" error, this most likely means that the SRV record for the Migrator Pro for Active Directory Server can no longer be resolved due to a DNS lookup failure.
If you cannot "Ping" the Migrator Pro for Active Directory server from any other machines in the target domain, then you will need to remedy this on a more global scale, such as creating a conditional forwarder on the target machines' current DNS server pointing to the appropriate location.
If you are able to "Ping" the Migrator Pro for Active Directory server, then check the Network Profile that was used during the Cutover to verify that the DNS settings were correct in that profile.
Password Sync Troubleshooting
-
Problem: If you encounter "Access is denied" errors when syncing passwords with Directory Sync Pro for Active Directory.
Solution: This is most likely because the utility (psexec.exe) used for remote calls to the Global Catalog is failing. Some things you can try are:
- Try the GC server's IP address, FQDN and Shortname. IP address often works when others do not.
- From the Directory Sync Pro for Active Directory machine browse to \\[GC]\admin$ with the admin username\password
- Run the Directory Sync Pro for Active Directory service with credentials that have access to the GC instead of as LocalSystem
- Firewalls\Anti-Virus software should not be a problem but turning them off may help
Migrator Pro for Active Directory Agent Installation Troubleshooting
-
Problem:The Computer registers, but does not get discovered (Discovery Status remains blank in the Migrator Pro for Active Directory console).
Solution: Install PowerShell 2.0 or higher on the client. Operating systems earlier than Windows 7 do not natively include PowerShell.
-
Problem: During manual installation, a "wizard interrupted" error appears.
Solution: Install .NET 4.5.2 or higher on the client and run the installer again.
-
Problem: After a successful manual install, an "Unable to register" error appears in the Event Viewer.
Solution: Verify the path to the Migrator Pro for Active Directory server is correct and complete.
-
Problem: After a successful manual install, an "Unable to auto-discover" error appears in the Event Viewer.
Problem: The SRV records are missing, incorrect, or unreachable. Verify SRV records are set up properly.
Migrator Pro for Active Directory BITS Troubleshooting
- Problem: The Migrator Pro for Active Directory UI issued the ‘Upload Logs’ command to the Agent for a device, but nothing was uploaded to the web server.
Solutions:
From the IIS Web Server where Migrator Pro for Active Directory Web Service is installed:
- Open IIS Manager.
- Verify that Default Web Site > adm > DeviceLogs exists
-
Verify there is a BITS Uploads option icon in the Feature View (at the bottom)
If not, use PowerShell to install
Import-Module ServerManager
Add-WindowsFeature BITS-IIS-Ext
- Verify in the BITS Upload view, that "Allow clients to upload files" is checked
- Open IIS Manager
- Go to Default Web Site -> adm -> DeviceLogs
- Click on Basic Settings in the right pane
- Verify the Application Pool is set to "ADM AppPool"
- Click on Edit Permissions -> Security tab
- Verify the IUSR account is in the list and has the following permissions: Modify, Ready & execute, List folder contents, Read, Write
On the Device where the ‘Upload Logs’ command was issued:
- Navigate to C:\Program Files (x86)\Binary Tree\ADPro Agent\Files
- Open the agent_<date>.log in Notepad
- Verify the URI for the server /api and /devicelogs location is correct
- Navigate to C:\Program Files (x86)\Binary Tree\ADPro Agent\Files
- Open the PowerShell-<date>-<time>-BT-UploadLogs.log file
- Check for problems or errors
- Go to Start -> Run -> services.msc
- Verify the Background Intelligent Transfer Service is started
