Migration Manager for AD 8.15 - Resource Processing Guide

Processed Rights and Resources

This section describes which resources or rights can be processed by Vmover.

Parameters that define processing options for Vmover are specified under the [Options] section of the Vmover INI file. For an example of a Vmover INI file, see the KB article What do the parameters and data stored in the vmover.ini mean.

TIP: For more details on using the Vmover, see the Command-Line Resource Update article.

The following table lists resources and rights that can be processed by Vmover on local and remote computers:

Parameter in Vmover INI         Processed rights/resources
LocalGroups=Yes/No              Local group membership
UserPrivileges=Yes/No           User rights
Services=Yes/No                 Service accounts
ScheduledTasks=Yes/No           Scheduled tasks
Profiles=Yes/No                 Local profiles
RoamingProfiles=Yes/No          Roaming profiles
Registry=Yes/No                 Registry
FileSystem=Yes/No               File system
ProcessFileSystemOwner=Yes/No   File ownership
Shares=Yes/No                   Shares
Printers=Yes/No                 Printers
COMPlus=Yes/No                  COM+
DCOM=Yes/No                     DCOM
IIS=Yes/No                      IIS

Local group membership

Vmover adds target accounts to the local groups that contain the corresponding source accounts.

User rights

Vmover assigns target accounts exactly the same user rights as the corresponding source accounts have.

Service accounts

For each Windows service Vmover updates the account that the service uses to log on. For example, if a service runs under SOURCE\User1 and User1 is migrated to the target domain, the account will be changed to TARGET\User1.

NOTE:

  • Account passwords are not updated in the service’s properties. Therefore, if source and target passwords of a service account are not the same, the corresponding service may not start after resource update.
  • If the service being processed at the moment is running under a source account while a user logs on under a new corresponding target account, duplicate profiles can be created.
  • The source account is replaced with the corresponding target account in the service’s properties whether or not the Leave source accounts' permissions option is turned on.

Scheduled tasks

Vmover processes scheduled task accounts and permissions. For example, if a task runs as SOURCE\User1 and User1 is migrated to the target domain, the task account will be changed to TARGET\User1.

Objects processed

For each scheduled task Vmover performs the following:

  • Updates scheduled task account (account under which task runs)
  • Duplicates the entry for the updated scheduled task account in the Credential Manager if the original account is present there.
  • Processes accounts specified in the task’s triggers (if any)
  • Updates the permissions for the task file

NOTE:

  • If a scheduled task is running under a source account while a user logs in under a new corresponding target account, duplicate profiles can be created.
  • Source scheduled task accounts are replaced with the corresponding target accounts in the task’s properties whether or not the Leave source accounts' permissions option is turned on.

Local profiles

Vmover processes local profiles of source users.

Objects processed

For each local profile, Vmover performs the following steps:

  1. Vmover creates a new user profile for the corresponding target user that is linked to the same local profile file as the source user.

    NOTE: The paths to user profile files are stored in the ProfileImagePath values of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList sub-keys.

  2. Vmover processes the registry hive from each local profile file (ntuser.dat or ntuser.man) and also the registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.

Roaming profiles

Vmover updates roaming user profiles.

Objects processed

For each roaming profile found on a computer, Vmover performs the following steps:

  1. Vmover processes the registry hive from the roaming user profile file (ntuser.dat or ntuser.man) and also the registry hive from the UsrClass.dat file. For details on objects processed, see the Registry section.
  2. Vmover processes permissions for ntuser.dat and ntuser.man files. For details on permissions processed, see the File system and File ownership sections.

Registry

Vmover processes permissions for all keys in the HKEY_LOCAL_MACHINE subtree of the Windows Registry. If the processed computer is not a Windows cluster, keys from the HKEY_USERS subtree are processed as well.

Objects processed

Vmover grants the target account exactly the same permissions as the corresponding source account has. The following properties are updated:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Owner
  • Primary group

NOTE: Owner and primary group are replaced whether or not the Leave source accounts' permissions option is turned on.

File system

Vmover updates permissions for files and folders located on local hard disk drives with NTFS or ReFS format.

Objects processed

Vmover grants the target account exactly the same permissions on files and folders as the corresponding source account has. The following properties are updated for files and folders:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Primary group

NOTE:

  • Files and folders on CD/DVD disks, USB flash drives, RAM disks, network drives and so on are not processed.
  • The recycler, $recycle.bin, and System Volume Information folders are skipped during processing.
  • The drives of Windows clusters are supported.
  • Primary group is replaced whether or not the Leave source accounts' permissions option is turned on.

File ownership

The ownership of the files and folders in the file system is changed from the source account to the corresponding target account. For example, if a file owner is SOURCE\User1 and User1 is migrated to the target domain, the file owner will be changed to TARGET\User1.

The file owner is specified on the Owner tab of the Advanced Security Settings dialog in the file or folder Properties.

NOTE: File ownership is replaced whether or not the Leave source accounts' permissions option is turned on.

Shares

Vmover updates share permissions.

NOTE: Local file system permissions for shares are not processed.

Printers

Vmover processes permissions for local printers and for network printer connections.

Objects processed

Vmover grants the target account exactly the same permissions as the corresponding source account has.

The following properties are updated:

  • Discretionary Access Control List (DACL)
  • System Access Control List (SACL)
  • Owner
  • Primary group

NOTE:

  • Owner and primary group are replaced whether or not the Leave source accounts' permissions option is turned on.
  • Network printer connections permissions are processed only on computers running Windows Vista or later, and Windows Server 2008 or later.
  • Network printer connections permissions are not processed for clusters.

COM+

Vmover processes settings for all COM+ applications installed on a computer.

Objects Processed

For each installed COM+ application the following items are processed:

  • Account under which the application runs
  • Accounts assigned to roles

NOTE: Account under which the application runs is replaced in the application properties whether or not the Leave source accounts' permissions option is turned on.

DCOM

Vmover processes the DCOM security settings.

Objects Processed

The following computer-wide settings are processed:

  • Launch and Activation Permissions (both Limits and Defaults)
  • Access Permissions (both Limits and Defaults)

The following settings are processed for each DCOM application:

  • Launch and Activation Permissions
  • Access Permissions
  • Configuration Permissions
  • User account that is used to run the application

Corresponding registry entries processed by Vmover are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry values:
    1. DefaultAccessPermission
    2. DefaultLaunchPermission
    3. MachineAccessRestriction
    4. MachineLaunchRestriction
  • For each sub-key in HKEY_CLASSES_ROOT\AppId:
    1. Key security (see Registry section for details)
    2. RunAs value
    3. AccessPermission value
    4. LaunchPermission value
    5. AccessPermissions value
    6. LaunchPermissions value

NOTE: User account (RunAs registry value) is replaced whether or not the Leave source accounts' permissions option is turned on.

IIS

Vmover processes IIS 6.0 metabase properties and IIS 7.x/8.x/10.0 settings.

Objects processed

IIS 6.0 metabase properties

The following IIS metabase properties are processed:

  • AdminAcl
  • AnonymousUserName
  • WAMUserName
  • UNCUserName
  • All properties that are explicitly specified in the Vmover INI file under [IIS Identifiers] (see product documentation for details).

NOTE: All properties except AdminAcl are replaced whether or not the Leave source accounts' permissions option is turned on.

IIS 7 or higher settings

For IIS version 7.0 or higher the following settings are updated:

  • Site or server settings:
    • ASP.NET–.Net Authorization Rules
    • ASP.NET–Providers (user name in connection strings)
    • ASP.NET–Session State (user name in connection strings)
    • ASP.NET–SMTP E-Mail
    • FTP–FTP Authentication
      • Anonymous Authentication (user name)
      • Basic Authentication (domain)
    • FTP–FTP Authorization Rules
    • FTP–FTP User Isolation (IIS 8 and higher)
    • IIS–Authentication
      • Anonymous Authentication (user name)
      • ASP.NET Impersonation (user name)
      • Basic Authentication (domain)
    • IIS–Authorization Rules
    • IIS–Logging–ODBC Logging
    • IIS–WebDAV Authoring Rules
    • Site Basic Settings (user name in Connect As)
    • Site Advanced Settings (user name in Physical Path Credentials)
  • Application pool settings:
    • Identity
    • Application Pools Default Identity
  • Management
    • IIS Manager Permissions
    • Shared Configuration
    • Centralized Certificates

IMPORTANT: If the IIS Metabase Compatibility component is installed for IIS 7 or higher, the properties listed in the IIS 6.0 metabase properties section above will be processed as well.

NOTE: All settings except rules (such as .Net Authorization Rules, etc.) are replaced whether or not the Leave source accounts' permissions option is turned on.

Command-Line Parameters

Vmover should be run using the following command-line syntax:

Vmover.exe /c [/ini=IniFile] [/roaming=UserDatPath] [/volume=Path] [/system=Computer]

Explanation

/c—Mandatory parameter for command-line usage.

/ini—Optional parameter. Name of the INI file that contains the parameters for the update.

For more information on creating INI files for processing resources, refer to the Delegating Resource Update topic.

/roaming—Processes roaming profiles. If the /roaming parameter is specified, Vmover processes only the profile that the parameter's value points to. Subfolders containing profiles are not traversed recursively.

Caution: If you specify the /volume or /roaming parameter, Vmover will not update other resource types in the INI file (such as group membership or user rights).

/volume—Processes file system permissions in the specified location.

/system—Specifies the computer name. By default, the local computer is updated.

/log—Specifies the location of the log file by means of overriding the LogFile key in the INI file.

/exclude—Sets exclude masks. Use the | symbol as a divider and the * symbol as a wildcard. During processing Vmover skips files and directories if their names match one of the specified exclude masks.

/excludepath—Sets exclude paths. Use the | symbol as a divider. During processing Vmover skips directories if their names match one of the specified exclude paths. This parameter should specify network paths, not local file system paths.

/recursion—Sets the recursion level. Vmover processes file system to the depth specified in this parameter, starting either from the path given in the /volume parameter (if specified) or from the root drive path.

/affinity—Sets the CPU affinity as a bit mask that indicates which processors are eligible to be selected for the work. A value of 1 means that only the first processor is used, a value of 2 means that only the second processor is used, a value of 3 allows only the first and second processors to be used, and so on. If the mask specifies a processor number that exceeds the actual number of processors in the system, Vmover exits with an error.

/priority—Sets the priority for Vmover.exe for the resource updating process, allowing you to avoid overloading the client computers when resource processing is running during working hours. The following priority values are used:

  • A value of -2 means Low priority.
  • A value of -1 means Below Normal priority.
  • A value of 0 means Normal priority.
  • A value of 1 means Above Normal priority.
  • A value of 2 means High priority.
  • A value of 3 means Realtime priority.

NOTE: For examples of using these parameters, run Vmover.exe with the /? parameter.

To traverse the subfolders with profiles recursively, create the INI file with the Roaming profiles option enabled and run Vmover from the command line without the /roaming parameter. For example:

Vmover.exe /c [/INI=IniFile] [/system=Computer]

Remote Update

By default, Vmover applies the changes specified in the INI file on the local computer. To make Vmover update a remote computer, use the /system command-line parameter or add the /System=TargetComputerName key to the INI file. The following example shows how to use the /system command-line parameter:

Vmover /c /system=Mars

When Vmover is updating a remote computer, it locates all the system shares of the computer (such as c$ and d$) and updates all the files and folders located in the shares.

To update a specific share of the computer, use the /volume command-line parameter. In this case, no other shares will be affected. The following example shows how to use the /volume parameter:

Vmover /c /volume=\\Mars\Deimos

Caution: If you use the /volume parameter, Vmover will not process any other options in the INI file (such as group membership or user rights). Only file system permissions of the specified share will be processed.

For a successful remote update, the account under which Vmover is started must be administrative and have the following privileges on the remote and local computers (granted explicitly or by establishing a net use connection):

  • Restore files and directories
  • Backup files and directories
  • Take ownership of files and other objects
  • Manage auditing and security log
  • Bypass traverse checking

NOTE: For successful IIS permissions processing on the remote computer, IIS must also be installed on the computer on which Vmover is running and the account under which Vmover is started must be a local administrator on the computer being processed.

SIDHistory Mapping

By default, Vmover’s INI file contains the source-target account pairs that had been migrated by the time the file was generated.

Alternatively, Vmover can automatically locate and append to the INI file the pairs by analyzing the SID history of the accounts in the target domain. This lets you use the tool even if the object migration was performed not by Migration Manager but by another tool capable of adding sIDHistory.

NOTE: If Vmover was already run with the same INI file, it will locate and append to the INI file the information about the newly migrated accounts.

To use sIDHistory mapping, the following parameters need to be added to the [options] section:

Parameter               Description
SIDHistory=Yes/No       Set this parameter to Yes to enable SIDHistory mapping.
hostName=Host_Name      Specify the target domain controller to use for LDAP queries. This should be a Global Catalog server.
ldapUser=UserName       The username to be used for LDAP requests.
ldapDomain=UserDomain   The name of the target domain.
ldapPsw=Password        The password for the ldapUser user account.

The source domains are specified in a separate section [SourceDomains]. Each line of the section should contain a source domain name and its SID, separated by a semicolon character (;).

The following is an example of an INI file with SIDHistory mapping:

[dmw4]

[Options]
FileSystem=No
Shares=Yes
LocalGroups=No
UserPrivileges=No
Printers=No
Registry=No
Profiles=No
InstallProfilesAgent=Yes
Services=No
ScheduledTasks=No
Clone=Yes
CleanUp=No
Undo=No
AutoRemove=No
MaxErrors=10
LogMask=-1
LogFile=Vmover.log
StateFile=Vmover.txt
Version=400
MaxCriticalErrors=10
MaxRegUsage=95
ProcessRegGroupOwner=No
UpdateStateSec=1
SetArchiveBit=No
sidHistory=Yes
hostName=pdc-target2000:389
ldapUser=administrator
ldapDomain=target2000
ldapPsw=‘adminpswd’

[SourceDomains]
TRUST;S-1-5-21-750286249-1451910610-2033415169

If SIDHistory mapping is used but the source-target pairs are also listed, both the SIDHistory pairs and the explicitly set pairs are used.

NOTE: For troubleshooting purposes, you can enable extended logging. To do this, set the LogMask parameter value to 255 (default value is 15). Note that enabling extended logging may lead to the generation of huge log files.
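
The following Python example is added here and is not part of the product or its documentation. It checks a Vmover INI file that uses SIDHistory mapping as described above: which resource types are enabled, whether the LDAP parameters and [SourceDomains] entries are well formed, and whether ldapPsw stores a clear-text password. The sample INI, the audit and redact function names, and the host and account values are assumptions made for the example.

```python
import configparser
import re

# Resource switches from the "Parameter in Vmover INI" table on this page.
RESOURCE_KEYS = ["LocalGroups", "UserPrivileges", "Services", "ScheduledTasks",
                 "Profiles", "RoamingProfiles", "Registry", "FileSystem",
                 "ProcessFileSystemOwner", "Shares", "Printers", "COMPlus",
                 "DCOM", "IIS"]
LDAP_KEYS = ["hostName", "ldapUser", "ldapDomain", "ldapPsw"]
DOMAIN_SID = re.compile(r"^S-1-5-21(-\d+){3}$")  # domain SID: three sub-authorities

# Constructed sample: host, user and password are made up for the example.
SAMPLE = """[Options]
Shares=Yes
FileSystem=No
sidHistory=Yes
hostName=dc01.target.example:389
ldapUser=svc-vmover
ldapDomain=target
ldapPsw=NotARealPassword
[SourceDomains]
TRUST;S-1-5-21-750286249-1451910610-2033415169
LEGACY;S-1-5-32-544
"""

def audit(text):
    # Returns (enabled resource types, findings). '=' is the only delimiter so
    # "host:389" stays whole; allow_no_value lets "NAME;SID" lines parse as keys.
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; comparisons below are case-insensitive
    cp.read_string(text)
    sect = {s.lower(): cp[s] for s in cp.sections()}
    opts = {k.lower(): (v or "").strip() for k, v in sect.get("options", {}).items()}
    enabled = [k for k in RESOURCE_KEYS if opts.get(k.lower(), "").lower() == "yes"]
    findings = []
    if opts.get("sidhistory", "").lower() == "yes":
        findings += [f"SIDHistory=Yes but {k} is missing"
                     for k in LDAP_KEYS if not opts.get(k.lower())]
        if opts.get("ldappsw"):
            findings.append("ldapPsw is a clear-text password: restrict the "
                            "file's ACL and remove copies after the run")
        entries = list(sect.get("sourcedomains", {}))
        if not entries:
            findings.append("SIDHistory=Yes but [SourceDomains] is empty")
        for entry in entries:
            name, _, sid = entry.partition(";")
            if not name.strip() or not DOMAIN_SID.match(sid.strip()):
                findings.append(f"bad [SourceDomains] entry: {entry}")
    return enabled, findings

def redact(text):
    """Mask the ldapPsw value so the INI can be attached to a ticket or log."""
    return re.sub(r"(?im)^(\s*ldapPsw\s*=).*$", r"\1<redacted>", text)
```

Call audit() on the INI text before distributing the file to processed computers, and redact() before sharing the file outside the migration team.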
