Chat now with support
Chat with Support

On Demand Migration Current - Active Directory User Guide

Device ReACL Profiles

What is a Device ReACL Profile?  

A Device ReACL Profile is a collection of ReACL related settings which can be defined once and then applied to multiple Devices.

 

What is the default Device ReACL Profile used for?  

The default Device ReACL Profile is used if a different profile is not defined and set on a Device. The default Device ReACL Profile can be edited.

 

How are Device ReACL Profiles created?  

To create a Device ReACL profile:

  1. On the Device ReACL section of the Profiles page, click the Add button. The Add Your Device ReACL Profile window appears.

  2. In the Profile Name field, enter a name to identify this Device ReACL Profile.

  3. Select a Logging Level, either Informational (default) or Debugging.

  4. Select the desired components to process.

    • Local Files/Folders: Selected by default.
    • Registry Permissions: Selected by default.
    • User Profiles: Selected by default.
    • Local Group Memberships: Selected by default.
    • Local Printer Permissions: Selected by default.
    • Network Share Permissions: Selected by default.
    • Printer Share Permissions: Selected by default.
    • Roaming Profiles: Unselected by default.

      Note: If you select Roaming Profiles, users must be logged out of their roaming profiles during the ReACL process.

    • Windows Services: Selected by default. The Windows Services option will ensure that any source domain accounts that were given permission to a service will include the corresponding matched target domain account after a ReACL process.
    • Windows Service Accounts: Unselected by default. We recommend that the Windows Service Accounts box is left UNCHECKED. A change in the ACL of the service accounts of the target may have an impact on the applications currently running. Although the ReACL process can usually be rolled back in case of issues, there could be a temporary disruption in service until that can be resolved. Selecting the Windows Service Accounts box will switch the domain account that Windows services are running under to the corresponding matched target domain account after a completed ReACL process.
    • User Rights Assignments: Unselected by default.
    • System ACLs: Selected by default. The System ACLs option allows for the proper translation of accounts within the security audit logs.
    • Preserve the "Archive" Bit: Unselected by default. If the Preserve the "Archive" Bit box is left unchecked, the archive bit will be reset. If checked, the archive bit will not be reset.
  5. Click Next.

  6. Normally all files and folders are included in the ReACL process. If it is preferred to provide a specific list, enter the list in the Only Process the Following and Their Subfolders box. Separate each entry by pressing Enter. You may use just a file path starting with backslashes, or provide an exact drive letter. If a drive letter is provided, the ReACL is limited to that exact path.

    Note that if you choose to list folders here, these are the ONLY folders that will be included in the ReACL process. (The exception is if you selected the User Profiles component on the previous screen: those profiles would then always be included automatically in addition to your list specified here.)

  7. In the Exclude These Paths From Processing box, enter folder paths that will not be included in the ReACL process. Wild card characters (‘*’ matches zero or more characters and ‘?’ matches any single character) can be used when specifying excluded folders. Separate the paths by pressing Enter. By default, the following folders are excluded:

    • \Windows
    • \WINNT
    • \I386
    • \Windows\I386
    • \Program Files
    • \PROGRAM FILES (x86)
    • \MSOCACHE
    • \System Volume Information
    • \Recycler
    • \$RECYCLE.BIN
    • \CONFIG.MSI
    • \RECOVERY
    • \OEM
    • \Quarantine
    • \BOOT
    • \ProgramData\Microsoft\Windows Defender

  8. In the Exclude These Files From Processing box, enter files that will not be included in the ReACL process. A leading '\' is not necessary. Wild card characters (‘*’ matches zero or more characters and ‘?’ matches any single character) can be used when specifying excluded files. Separate the files by pressing Enter. The following wild card characters are permitted when specifying files:

    • * matches zero or more characters in a file name, but not the '\' path delimiter.
    • ? matches any single character.
    • ** matches zero or more parent directories.

    Examples:

    • FileToSkip.dat – a single file in the root directory
    • \FolderToProcess\ExcludedFIle.sys – a single file in the FolderToProcess directory
    • \FolderToProcess\**\*.dat – all .dat files anywhere under the FolderToProcess directory
  9. In the Exclude These Registry Keys From Processing box, enter registry keys that will not be included in the ReACL process. A leading '\' is not necessary. Separate the keys by pressing Enter. The following wild card characters are permitted when specifying registry keys:

    • * matches zero or more characters in a key name, but not the '\' path delimiter.
    • ? matches any single character.
    • ** matches zero or more parent keys.

    Examples:

    • HKEY_LOCAL_MACHINE\SOFTWARE\XYZ – a single key
    • HKEY_LOCAL_MACHINE\SOFTWARE\XY* – all keys starting with "XY" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\SOFTWARE\?YZ – all 3-character keys ending with "YZ" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\**\XYZ – all keys named "XYZ" anywhere under HKEY_LOCAL_MACHINE
    • **\XYZ – all keys named "XYZ" in any registry hive
  10. In the Exclude These Security Identifiers From Processing box, enter SIDS that will not be included in the ReACL process. Separate the SIDs by pressing Enter.

  11. Click Next.

  12. The Reparse Point Processing Rules page appears. Reparse Points like Symbolic Links, Mount Points, and OneDrive folders will be processed by ReACL. Additional Reparse Tags can be added to the rules list in the Advanced view to change how ReACL will process those items. Click the Show Advanced button to edit the rules list.

    When Show Advanced is clicked the rules list is displayed. Additional Reparse Points can added to the list in the "ReparseTag:Action" format. Skip, Recurse, Update, and Full are the available actions. Separate rules by pressing Enter.

    1. Click Next.

    2. Select an option from the Elevated Permissions Failure Action drop-down list to choose the action that should be taken if the ReACL process encounters permissions elevation errors.

      In order to successfully adjust permissions, Active Directory must create a process with a security token that has been assigned additional permissions. The token is said to have elevated rights/permissions. If this process fails, it is likely that the ReACL will be largely unsuccessful in updating the operating system for use by target user accounts.

      • The default is Terminate processing with fatal error, this means the ReACL job for a Device is stopped if a permissions elevation error occurs. This is a time-saving option. The ReACL Status will be Failed in the Devices + Servers table. A Device cannot be Cutover if the ReACL Status is Failed. This is the recommended setting.
      • If you choose Log informational entry, an info entry will be logged if a permissions elevation error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the Devices + Servers table. This choice allows experienced migration architects to analyze the logs and choose to proceed with Cutover based on their analysis of the results. We suggest choosing “Log warning entry” rather than “Log informational entry” as that will make the entries easier to locate in the log.
      • If you choose Log warning entry, a warning entry will be logged if a permissions elevation error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the Devices + Servers table. This choice allows experienced migration architects to analyze the logs and choose to proceed with Cutover based on their analysis of the results.
      • If you choose Log error entry, an error entry will be logged if a permissions elevation error occurs. The ReACL job will continue, but the ReACL Status will be Failed in the Devices + Servers table. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
  1. Select an option from the Profile Failure Action drop-down list to choose the action that should be taken when an invalid or duplicate profile exists in the target.
    • The default is Terminate processing with fatal error, this means the ReACL process for a Device is stopped if an invalid or duplicate profile error occurs. This is a time-saving option. The ReACL Status will be Failed in the Devices + Servers table. A Device cannot be Cutover if the ReACL Status is Failed. This is the recommended setting.
    • If you choose Log informational entry, an info entry will be logged if an invalid or duplicate profile error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the Devices + Servers table. This choice allows experienced migration architects to analyze the logs and choose to proceed with Cutover based on their analysis of the results. We suggest choosing “Log warning entry” rather than “Log informational entry” as that will make the entries easier to locate in the log.
    • If you choose Log warning entry, a warning entry will be logged if an invalid or duplicate profile error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the Devices + Servers table. This choice allows experienced migration architects to analyze the logs and choose to Cutover based on their analysis of the results.
    • If you choose Log error entry, an error entry will be logged if an invalid or duplicate profile error occurs. The ReACL job will continue and then complete as Failed and the ReACL Status on the Devices + Servers table will be Failed. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
    1. Select an option from the Preserve Rollback Metadata in ACLs drop-down list.

      Active Directory can leave behind metadata during the ReACL process to allow seamless rollback of the process if needed. This setting controls the creation of this metadata which is later removed during the Cleanup process.

      • The default is Always - Keep source security principles and does not affect performance. We recommend this setting. This is the only setting where the changes performed by the ReACL process can be rolled back, or undone, in all scenarios.

      • If you choose Only If Ambiguous - Keep source security principles when necessary, metadata will only be included when the rollback settings would be ambiguous. “Only If Ambiguous” results in the inclusion of less metadata, preserving usage for times when it may be impossible to determine the original file or folder permissions. For example, when users have accounts in multiple domains that will be consolidated into a single domain.

        Note that Only If Ambiguous guarantees that a ReACL can be rolled back to the original state only when the file system permissions remained unchanged. Modification of ACLs on the file system could create a state where a rollback cannot complete with 100% success. To ensure the ability to perform a ReACL Rollback in all scenarios, Always should be selected.

      • If you are an experienced migration architect, you may choose Never - Replace source security principles to never include metadata.

        Note: If Never is selected, a complete ReACL Rollback may not be possible.

    1. Select Yes under Run Processing in Simulation Mode to simulate the results of the ReACL process without actually making any changes to the ACLs. Visit the logs/reports to determine if there are any potential issues and correct them before changing this setting to No and running an actual ReACL process. Alternatively, you might use this setting to create a separate Device ReACL Profile specifically for testing purposes.
    2. Click Save Profile. The new Device ReACL Profile is added to the list.

File Share ReACL Profiles

What is a File Share ReACL Profile?  

A File Share ReACL Profile is a collection of ReACL related settings for File Shares which can be defined once and then applied to multiple File Shares.

 

What is the purpose of the default File Share ReACL Profile?  

The default File Share ReACL Profile is used if a different profile is not defined and set on the File Share. The default File Share ReACL Profile can be edited.

 

How are File Share ReACL Profiles created?  

To add a File Share ReACL profile:

  1. On the File Share ReACL section of the Profiles page, click the Add button. The Add Your File Share ReACL Profile window appears.
  2. In the Profile Name field, enter a name to identify this File Share ReACL Profile.
  3. Select a Logging Level, either Informational (default) or Debugging.
  4. Enter the network errors that will trigger a retry in the Retry If the Following Error Codes Are Encountered box. By default, errors 53 and 64 will trigger a retry.
  5. Enter the number of retries to attempt on a network error in the Retry Count field. The default retry count is 10 times.
  6. Enter the number of seconds to wait between retries on a network error in the Retry Interval field. The default interval is 1 second.
  7. Click Next.
  8. Select the components to process.

    By default the System ACLs and Roaming Profiles will be processed. If the Preserve the "Archive" Bit box is left unchecked, the archive bit will be reset. If checked, the archive bit will not be reset.

  9. In the Exclude These Paths From Processing box, enter folder paths that will not be included in the ReACL process. Wild card characters (‘*’ matches zero or more characters and ‘?’ matches any single character) can be used when specifying excluded folders. Separate the paths by pressing Enter. By default, the following folders are excluded:

    • \Windows
    • \WINNT
    • \I386
    • \Windows\I386
    • \Program Files
    • \PROGRAM FILES (x86)
    • \MSOCACHE
    • \System Volume Information
    • \Recycler
    • \$RECYCLE.BIN
    • \CONFIG.MSI
    • \RECOVERY
    • \OEM
    • \Quarantine
    • \BOOT
    • \ProgramData\Microsoft\Windows Defender
  10. In the Exclude These Files From Processing box, enter files that will not be included in the ReACL process. A leading '\' is not necessary. Wild card characters (‘*’ matches zero or more characters and ‘?’ matches any single character) can be used when specifying excluded files. Separate the files by pressing Enter. The following wild card characters are permitted when specifying files:

    • * matches zero or more characters in a file name, but not the '\' path delimiter.
    • ? matches any single character.
    • ** matches zero or more parent directories.

    Examples:

    • FileToSkip.dat – a single file in the root directory
    • \FolderToProcess\ExcludedFIle.sys – a single file in the FolderToProcess directory
    • \FolderToProcess\**\*.dat – all .dat files anywhere under the FolderToProcess directory
  11. In the Exclude These Registry Keys From Processing box, enter registry keys that will not be included in the ReACL process. A leading '\' is not necessary. Separate the keys by pressing Enter. The following wild card characters are permitted when specifying registry keys:

    • * matches zero or more characters in a key name, but not the '\' path delimiter.
    • ? matches any single character.
    • ** matches zero or more parent keys.

    Examples:

    • HKEY_LOCAL_MACHINE\SOFTWARE\XYZ – a single key
    • HKEY_LOCAL_MACHINE\SOFTWARE\XY* – all keys starting with "XY" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\SOFTWARE\?YZ – all 3-character keys ending with "YZ" in HKEY_LOCAL_MACHINE\SOFTWARE
    • HKEY_LOCAL_MACHINE\**\XYZ – all keys named "XYZ" anywhere under HKEY_LOCAL_MACHINE
    • **\XYZ – all keys named "XYZ" in any registry hive
  12. In the Exclude These Security Identifiers From Processing box, enter SIDs that will not be included in the ReACL process. Separate the SIDs by pressing Enter.

  13. Click Next.
  14. The Reparse Point Processing Rules page appears. Reparse Points like Symbolic Links, Mount Points, and OneDrive folders will be processed by ReACL. Additional Reparse Tags can be added to the rules list in the Advanced view to change how ReACL will process those items. Click the Show Advanced button to edit the rules list.

    When Show Advanced is clicked the rules list is displayed. Additional Reparse Points can added to the list in the "ReparseTag:Action" format. Skip, Recurse, Update, and Full are the available actions. Separate rules by pressing Enter.

  15. Click Next.
  16. Select an option from the Elevated Permissions Failure Action drop-down list to choose the action that should be taken if the ReACL process encounters permissions elevation errors.

    In order to successfully adjust permissions, Active Directory must create a process with a security token that has been assigned additional permissions. The token is said to have elevated rights/permissions. If this process fails, it is likely that the ReACL will be largely unsuccessful in updating the operating system for use by target user accounts.

    • The default is Terminate processing with fatal error, this means the ReACL job for a File Share is stopped if a permissions elevation error occurs. This is a time-saving option. The ReACL Status will be Failed in the File Shares + Network Storage table. This is the recommended setting.
    • If you choose Log informational entry, an info entry will be logged if a permissions elevation error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the File Shares + Network Storage table. This choice allows experienced migration architects to analyze the logs and choose to proceed with Cutover based on their analysis of the results. We suggest choosing “Log warning entry” rather than “Log informational entry” as that will make the entries easier to locate in the log.
    • If you choose Log warning entry, a warning entry will be logged if a permissions elevation error occurs. If no other errors are encountered the ReACL job will complete as successful and the ReACL Status will be Completed in the File Shares + Network Storage table. This choice allows experienced migration architects to analyze the logs and choose to proceed with Cutover based on their analysis of the results.
    • If you choose Log error entry, an error entry will be logged if a permissions elevation error occurs. The ReACL job will continue, but the ReACL Status will be Failed in the File Shares + Network Storage table. This selection may take significantly more time than "Terminate processing with fatal error" because the entire process will attempt to finish before reporting as Failed.
  17. Select an option from the Preserve Rollback Metadata in ACLs drop-down list.

    Active Directory can leave behind metadata during the ReACL process to allow seamless rollback of the process if needed. This setting controls the creation of this metadata which is later removed during the Cleanup process.

    • The default is Always - Keep source security principles which does not affect performance. We recommend this setting. This is the only setting where the changes performed by the ReACL process can be rolled back, or undone, in all scenarios.

    • If you choose Only If Ambiguous - Keep source security principles when necessary, metadata will only be included when the rollback settings would be ambiguous. Only If Ambiguous results in the inclusion of less metadata, preserving usage for times when it may be impossible to determine the original file or folder permissions. For example, when users have accounts in multiple domains that will be consolidated into a single domain.

      Note that Only If Ambiguous guarantees a ReACL can be rolled back to the original state only when the file system permissions remained unchanged. Modification of ACLs on the file system could create a state where a rollback cannot complete with 100% success. To ensure the ability to perform a ReACL Rollback in all scenarios, Always should be selected.

    • If you are an experienced migration architect, you may choose Never - Replace source security principles to never include metadata.

      Note: If Never is selected, a complete rollback may not be possible.

  18. Select Yes under Run Processing in Simulation Mode) to simulate the results of the ReACL process without actually making any changes to the ACLs. Visit the logs/reports to determine if there are any potential issues and correct them before changing this setting to No and running an actual ReACL process. Alternatively, you might use this setting to create a separate File Share ReACL Profile specifically for testing purposes.

  19. Click Save Profile. The new File Share ReACL Profile is added to the list.

Microsoft Entra ID Join Profiles

What is an Microsoft Entra ID Join Profile?

A Microsoft Entra ID Join Profile is a collection of settings used to manage the Azure join process during Device Cutover which can be defined once and then applied to multiple Devices. Microsoft Entra ID Join Profiles are used for AD to Azure device migrations.

 

How are Microsoft Entra ID Join Profiles created?

To add an Microsoft Entra ID Join Profile:

  1. On the Microsoft Entra ID Join section of the Profiles page, Click the Add button. The Add Your Microsoft Entra ID Join Profile window appears.
  2. Enter a Profile Name to identify this Microsoft Entra ID Join Profile.
  3. Enter a value in the following field:
  • Bulk Enrollment Package File Name - The name of the Azure bulk enrollment package in packagename.ppkg format, which has been created by the client administrator using the Windows Configuration Designer and copied to the network share defined in the Azure Bulk Enrollment Repository

  1. Select an option from the following drop-down list:
  • Target Environment – The cloud-only Azure environment associated with the Azure bulk enrollment package used in this Profile

  1. Select a Device Name Option:
  • If you choose Device Name Defined Per Provisioning Package, the device will be migrated to Azure using the dynamic naming convention configured in the Azure bulk enrollment package used in this Profile

  • If you choose Keep Original Device Name, the dynamic name assigned by the Azure bulk enrollment package will be overwritten and replaced with the original device name when migrating to Azure

  1. Select the Enroll Into Intune Management option to enroll the device for Intune management with the first logged on user after cutover as the PrimaryUser.
  2. Select the Intune Cleanup option to clear existing Intune provisioning information from the device as part of the cutover.
  3. Select the Auto-Pilot Cleanup option to clear existing Auto-Pilot provisioning information from the device as part of the cutover.
  4. Select the Active Directory Joined or Hybrid Microsoft Entra ID Joined option if you wish to include Active Directory Joined or Hybrid Microsoft Entra ID Joined devices.
  5. Enter values in the following fields under Source Domain Credentials:
  • FQDN of Domain - The domain FQDN of the source in source.domain.com format.

  • Username - The username to access the source domain in domain\username or UPN (username@domain.com) format.

  • Password - The password credential to access the source domain.

  1. Under Preflight Check Validation, select the Skip Source Local Active Directory Validation option to not validate the source local Active Directory.
  2. To add a new user to the local admin group, select the Create Local Admin option and enter a Username and Password for the new user.
  3. Click Save Profile. The Microsoft Entra ID Join Profile is added to the list.

Credential Profiles

What is a Credential Profile?  

A Credential Profile is a set of source and target domain credentials used for Cutover which can be defined once and then applied to multiple Devices.

 

How are Credential Profiles created?  

The specified credentials must be able to join and disjoin a computer from the specified domain as well as disable a computer in the specified domain. A trust between the source and target domain is not required.

To add a Credential Profile:

  1. On the Credentials section of the Profiles page, Click the Add button. The Add Your Credentials Profile window appears.
  2. Enter a Credential Name to identify this Credentials Profile.

  1. Enter values in the following fields under Source Domain Credentials:
  • FQDN of Domain - The domain FQDN of the source in source.domain.dom format.

  • Username - The username to access the source domain in domain\username or UPN (username@domain.dom) format.

  • Password - The password credential to access the source domain.

  1. Enter values in the following fields under Target Domain Credentials
  • FQDN of Domain - The domain FQDN of the target in target.domain.dom format.

  • Username - The username to access the target domain in domain\username or UPN (username@domain.dom) format.

  • Password - The password credential to access the target domain.

  1. Click Save Profile. The Credential Profile is added to the list.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating