Guest Jim in Arizona
Posted October 16, 2007

We have a server that we're getting ready to decommission. We bought a new server with a few TB of space on it.

Our network uses Active Directory (server 2003) to keep everyone's personal data folders (My Documents, Desktop, Application Data, Start Menu) on a share on the server we're getting ready to decommission. The Active Directory settings are on an OU level under "User Configuration/Windows Settings/Folder Redirection". This works great; however, the problem has to do with moving the personal folders from the share on the old server to the share on the new server.

The security on the folders under each user's AD username is set to them only. This is preventing me from copying the folders over to the new share.

Yes, of course I could take ownership but I would have to do this for at least three folders individually per individual user account. This would be taking ownership over potentially thousands of folders, one by one, and setting new permissions on them all, one by one.

Is there a better way to do this? I sure hope so.

TIA,
Jim

Guest Pegasus (MVP)
Posted October 16, 2007

Re: Moving personal data folders from one server to another

"Jim in Arizona" <tiltowait@hotmail.com> wrote in message news:OH9BjrDEIHA.4028@TK2MSFTNGP05.phx.gbl...
> We have a server that we're getting ready to decommission. We bought a new server with a few TB of space on it.
>
> Our network uses Active Directory (server 2003) to keep everyone's personal data folders (My Documents, Desktop, Application Data, Start Menu) on a share on the server we're getting ready to decommission. The Active Directory settings are on an OU level under "User Configuration/Windows Settings/Folder Redirection". This works great; however, the problem has to do with moving the personal folders from the share on the old server to the share on the new server.
>
> The security on the folders under each user's AD username is set to them only. This is preventing me from copying the folders over to the new share.
>
> Yes, of course I could take ownership but I would have to do this for at least three folders individually per individual user account. This would be taking ownership over potentially thousands of folders, one by one, and setting new permissions on them all, one by one.
>
> Is there a better way to do this? I sure hope so.
>
> TIA,
> Jim

Are you saying that the "Domain Admins" group has no access to these folders?

Guest Jim in Arizona
Posted October 16, 2007

Re: Moving personal data folders from one server to another

> Are you saying that the "Domain Admins" group has no access to these folders?

NO. In fact, I can't even read the permissions (unless the folder is my own).

Each individual user has a folder with their name (i.e. jsmith); within that are three folders: Application Data, Desktop and My Documents. It's those 3 folders that have the strict permissioning set on them.

When I view the folders with my name on, the permissions are set to me and System. This appears to be the default security permissions when folder redirection is set using AD GP.

Looking further throughout the web and doing a little experimentation, it appears that I can use NTBACKUP to get the job done, which will also retain the permissions when I restore the file on the new server. I have found no other way of doing it otherwise.

Guest Pegasus (MVP)
Posted October 17, 2007

Re: Moving personal data folders from one server to another

"Jim in Arizona" <tiltowait@hotmail.com> wrote in message news:u3eXhSEEIHA.1208@TK2MSFTNGP03.phx.gbl...
>> Are you saying that the "Domain Admins" group has no access to these folders?
>
> NO. In fact, I can't even read the permissions (unless the folder is my own).
>
> Each individual user has a folder with their name (i.e. jsmith); within that are three folders: Application Data, Desktop and My Documents. It's those 3 folders that have the strict permissioning set on them.
>
> When I view the folders with my name on, the permissions are set to me and System. This appears to be the default security permissions when folder redirection is set using AD GP.
>
> Looking further throughout the web and doing a little experimentation, it appears that I can use NTBACKUP to get the job done, which will also retain the permissions when I restore the file on the new server. I have found no other way of doing it otherwise.

From what you report it appears that the only accounts that have access to the user's folder are
a) The user's own account
b) The System account
with the user presumably being the owner. This is a most unusual setting. Since you appear to run ntbackup.exe as a scheduled job under the System account, it would be able to access the folders.

I can see two ways for you to transfer the data to the new server:
- Change the permissions so that domain admins can access it, or
- Create a scheduled task under the system account that copies the files to a suitable transfer medium, e.g. a portable disk. This task could use ntbackup.exe, xcopy.exe or robocopy.exe. The latter two have switches that will copy the ACLs. Ntbackup.exe automatically copies ACLs.

Note that it is not the COMMAND that determines access rights but the ACCOUNT under which it is run.

Guest Jim in Arizona
Posted October 17, 2007

Re: Moving personal data folders from one server to another

"Pegasus (MVP)" <I.can@fly.com> wrote in message news:eY3Lr6HEIHA.4544@TK2MSFTNGP06.phx.gbl...
>
> From what you report it appears that the only accounts that have access to the user's folder are
> a) The user's own account
> b) The System account
> with the user presumably being the owner. This is a most unusual setting. Since you appear to run ntbackup.exe as a scheduled job under the System account, it would be able to access the folders.
>
> I can see two ways for you to transfer the data to the new server:
> - Change the permissions so that domain admins can access it, or
> - Create a scheduled task under the system account that copies the files to a suitable transfer medium, e.g. a portable disk. This task could use ntbackup.exe, xcopy.exe or robocopy.exe. The latter two have switches that will copy the ACLs. Ntbackup.exe automatically copies ACLs.
>
> Note that it is not the COMMAND that determines access rights but the ACCOUNT under which it is run.

It would seem that when you set up folder redirection in an AD group policy, the folders on the share that is specified are created with only the user and system having access rights to the My Documents, Desktop and Application Data folders (and the start menu if that was also redirected).

ntbackup was successful in backing up, then restoring everyone's individual folders to the new server location. ntbackup was run with a domain admin account.

The security settings on the individual folders are the way they're supposed to be, as far as I know. No other settings were changed when setting up folder redirection.

I just ran a test. I ran ntbackup as a domain admin on the server where users' folders are. These folders have the security permissions mentioned above where only the user and system are able to gain access and I can't even READ the permissions (unless it's my own folders). I used ntbackup to back up the user's folder (and all folders/files within). I then moved the bkf file over to my workstation and performed a restore of the backup. In the advanced options, I chose a new location (my C Drive) and chose not to restore security settings/permissions on the restore. Once the restore was done, I was able to access all folders/files within with no problem. At least regular users don't have such capabilities (I checked).

Guest Pegasus (MVP)
Posted October 17, 2007

Re: Moving personal data folders from one server to another

"Jim in Arizona" <tiltowait@hotmail.com> wrote in message news:eeYCcHOEIHA.4956@TK2MSFTNGP06.phx.gbl...
>
> "Pegasus (MVP)" <I.can@fly.com> wrote in message news:eY3Lr6HEIHA.4544@TK2MSFTNGP06.phx.gbl...
>>
>> From what you report it appears that the only accounts that have access to the user's folder are
>> a) The user's own account
>> b) The System account
>> with the user presumably being the owner. This is a most unusual setting. Since you appear to run ntbackup.exe as a scheduled job under the System account, it would be able to access the folders.
>>
>> I can see two ways for you to transfer the data to the new server:
>> - Change the permissions so that domain admins can access it, or
>> - Create a scheduled task under the system account that copies the files to a suitable transfer medium, e.g. a portable disk. This task could use ntbackup.exe, xcopy.exe or robocopy.exe. The latter two have switches that will copy the ACLs. Ntbackup.exe automatically copies ACLs.
>>
>> Note that it is not the COMMAND that determines access rights but the ACCOUNT under which it is run.
>
> It would seem that when you set up folder redirection in an AD group policy, the folders on the share that is specified are created with only the user and system having access rights to the My Documents, Desktop and Application Data folders (and the start menu if that was also redirected).
>
> ntbackup was successful in backing up, then restoring everyone's individual folders to the new server location. ntbackup was run with a domain admin account.
>
> The security settings on the individual folders are the way they're supposed to be, as far as I know. No other settings were changed when setting up folder redirection.
>
> I just ran a test. I ran ntbackup as a domain admin on the server where users' folders are. These folders have the security permissions mentioned above where only the user and system are able to gain access and I can't even READ the permissions (unless it's my own folders). I used ntbackup to back up the user's folder (and all folders/files within). I then moved the bkf file over to my workstation and performed a restore of the backup. In the advanced options, I chose a new location (my C Drive) and chose not to restore security settings/permissions on the restore. Once the restore was done, I was able to access all folders/files within with no problem. At least regular users don't have such capabilities (I checked).

Thanks for the feedback. If this was my own server then I would probe further why ntbackup.exe should be able to access the users' folders when you can't. What you report is totally at variance with my understanding of permissions - they are always account-specific, never tool-specific.
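
Added example, not part of the original thread: a PowerShell script for the robocopy route mentioned above, copying each user folder in backup mode (`/B`) with its owner and ACLs. Backup mode relies on the "Back up files and directories" and "Restore files and directories" user rights (SeBackupPrivilege, SeRestorePrivilege), which the Administrators and Backup Operators groups hold by default and which let a process that asks for backup semantics read files whose ACL lists only the user and SYSTEM. The share name, paths and log directory are placeholders, and robocopy must be present on the machine (on Server 2003 it comes with the Resource Kit Tools).

```powershell
# Added example: the share, paths and log directory are placeholders, not from the thread.
$Source      = '\\OLDSERVER\Redirected$'   # hypothetical old share root, one folder per user
$Destination = 'D:\Redirected'             # hypothetical local path on the new server
$LogDir      = 'D:\MigrationLogs'          # hypothetical log location

# Robocopy /B opens files with backup semantics. That needs SeBackupPrivilege to read
# past the ACL and SeRestorePrivilege to write owner and ACL on the destination.
# whoami /priv reports only the token on this machine; the same account must also hold
# the backup right on the source server (Administrators or Backup Operators there).
$privs = (whoami /priv) -join "`n"
foreach ($p in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    if ($privs -notmatch $p) {
        throw "$p is not in this token; run as a member of Administrators or Backup Operators."
    }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$failed = @()

# One robocopy run per user folder, so a failure is attributable to a single account.
# Listing the share root needs access to the root only, not to the locked subfolders.
Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $user = $_.Name
    # /E subfolders incl. empty, /COPYALL data, attributes, timestamps, ACL, owner, auditing
    robocopy (Join-Path $Source $user) (Join-Path $Destination $user) `
        /E /B /COPYALL /R:1 /W:1 /NP "/LOG:$LogDir\$user.log" | Out-Null

    # Robocopy exit codes are a bit mask; 8 or higher means at least one copy failed.
    if ($LASTEXITCODE -ge 8) { $failed += $user }
}

if ($failed.Count) {
    Write-Warning ("Folders with copy failures: " + ($failed -join ', '))
} else {
    Write-Output 'Robocopy reported no copy failures.'
}
```

Because these two rights bypass file ACLs, membership of Backup Operators and Administrators on a file server is worth reviewing with the same care as the folder permissions themselves.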