#192322 - 2009-02-17 05:14 PM
NT4.0 Migration with Kix and GetSid
bekickst
Fresh Scripter
Registered: 2009-02-17
Posts: 6
Loc: Berlin Germany
Dear reader,
my hair grows white, my breath is shaky and I'm sitting over one of the oldest problems of Windows mankind. After a successful user migration from an NT4.0 domain to a Windows Server 2003 domain, users log on to the new domain at their client workstations and get a maiden-like desktop, as WinXP decided correctly that a new user logged on (as a new domain has been chosen). The SID history of the user object doesn't help here.
As the user accounts on the client workstations are stored in the registry with the SID, and under that registry key the path to the user folder is stored, I thought it might be easy to find out the old SID from the NT4.0 server and then correct the path for the user folder of the new domain. The new SID can be read out easily. So I tried to use the function getsid() from lligetfa, but it doesn't work, as I do not have the ADSI SDK installed, which is not downloadable from Microsoft anymore. Also I probably would have to register the ADsSecurity.DLL on every client to get the script to work. Which I can't. Cause I don't have it.
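
The SID-to-folder mapping described in the post above can be inspected read-only on a workstation before and after a migration. The following PowerShell is an added example, not part of the original post or of any script from this thread; it assumes PowerShell 3.0 or later and uses the standard ProfileList registry key, and the name Get-ProfileSidMap is made up for this illustration.

```powershell
# Added example: read-only inventory of the local profile list.
# Assumes PowerShell 3.0+ and read access to HKLM; nothing is modified.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileSidMap {
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sidString = $_.PSChildName
        $account   = $null
        try {
            # Fails for malformed key names (e.g. a ".bak" suffix) and for SIDs
            # that no reachable domain can resolve; both are left unresolved.
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidString)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }
        [pscustomobject]@{
            SID              = $sidString
            Account          = $account
            ProfileImagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        }
    }
}

$map = Get-ProfileSidMap
$map | Sort-Object ProfileImagePath | Format-Table -AutoSize

# SIDs that resolve to the same account name but have separate profile
# folders: one person with an old and a new desktop on this machine.
$map | Where-Object { $_.Account } |
    Group-Object Account |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    Format-Table Account, SID, ProfileImagePath -AutoSize
```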
#192361 - 2009-02-19 10:47 AM
Re: NT4.0 Migration with Kix and GetSid
[Re: Lonkero]
bekickst
Fresh Scripter
Registered: 2009-02-17
Posts: 6
Loc: Berlin Germany
The Active Directory Migration Toolkit transfers the user accounts from the old domain to the new one. Thereby it stores a SID-History with the new user accounts so that access authorizations in the network are still functional with the new user accounts. Unfortunately this seems not to work with the actual desktop settings. Sure, you can still access secured stuff on the hard disk while logged on in the new domain, but WinXP creates a new user folder and SID entry for the account in the registry. This results in new Desktop, Outlook and IE settings. So if you are not absolutely sure that this problem is solvable with the ADMT tool, please try to help me working on the script solution by finding out old and new SIDs from the domains. If you are sure, on the other hand, please tell me where I've gone wrong in my virtual testing environment, cause it doesn't keep up the desktop settings there. Thanks a lot for your answers. Kind regards, bekickst.
#192365 - 2009-02-19 01:46 PM
Re: NT4.0 Migration with Kix and GetSid
[Re: bekickst]
BradV
Seasoned Scripter
  
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
It's been a while since I used it, but I thought the ADMT included the user environment. If not, here is a script I wrote a little while ago to retrieve part of what you are after. At this site we use roaming profiles which are kept on the user's home drive. When they get corrupted, the norm is to move the old profile to a new directory name and create a new profile from scratch. This usually makes the customer unhappy because they have lost their drive mappings, printers, desktop, etc. Most of the people I work with wouldn't know how to find that information if they had to. So, I wrote a script to find all ntuser.dat files in a user's home drive. It presents that list and asks you to select one. It then does a temporary mount of the hive and retrieves as much information as possible and writes the results in an ini file on the desktop. You can always modify it to mount the user's new ntuser.dat also and write the information directly into it. This does not address Outlook or IE. For Outlook, I'm pretty sure you need an MS tool to get all of the pertinent information.
;NAME         ntuser.kx
;
;DESCRIPTION  This is a script to find an old ntuser.dat file
;             for a given user and search it for printer and drive mappings.
;
;AUTHOR       Brad Van Orden
;
;VERSION      1.0
;
;HISTORY      Created 25 Apr 07
;             30 Apr 07 - Added in file time to display.
;              1 May 07 - Finished enumerating and reading mapped network drives.
;                         Added printer connections.
;             15 May 07 - Added in color scheme and screen saver information.
;             17 May 07 - Added in some error handling for not finding an ntuser.dat file.
;              8 Jun 07 - Added some more screen saver selections.
;                         Added some code to write all of the information to a text file.
;
Break On
;
Dim $SO
;
; These are just programming options for me.
; One forces me to define all variables and the
; other doesn't allow a kixtart macro within a string.
;
$SO = SetOption('Explicit', 'On')
$SO = SetOption('NoMacrosInStrings', 'On')
;
DIM $objUser, $strUser, $strDomain, $strHomeD, $strDAT, $temp
DIM $arrDAT[0,0], $intIndex, $intCounter, $strMesg, $intSelect
DIM $strKey, $intIndex2, $arrMap[1,0], $strDefP, $intDAT, $strClrSchm
DIM $strWallP, $arrTemp, $strScrnSName, $strProfD
DIM $strMQText, $strMQAtt, $strMQBC, $strMQCS, $strMQFont, $strMQMode, $strMQSz
DIM $strMQSpd, $strMQTextC, $strFile
DIM $arrScrn[1,0], $intI, $intErr, $strTemp
;
$strDomain = @LDOMAIN
;
While $strUser == ""
  ? "Please enter the login ID of the person:"
  Gets $strUser
Loop
;
$objUser = GetObject("WinNT://" + $strDomain + "/" + $strUser + ",user")
If @ERROR <> 0
  ? "Could not find the user in active directory, " + $strUser
  exit 1
EndIf
;
$strHomeD = $objUser.HomeDirectory
$strProfD = $strHomeD + "\_sys"
;
$arrDAT = FSearch($strProfD,"ntuser.dat")
If @ERROR = 2
  ? "Could not find an ntuser.dat file for this user."
  exit 2
EndIf
;
$intIndex = Ubound($arrDat,2)
$strMesg = ""
For $intCounter = 0 to $intIndex
  If $strMesg = ""
    $strMesg = "Count" + Chr(9) + "Path" + Chr(9) + Chr(9) + Chr(9) + Chr(9) + Chr(9) + Chr(9) + Chr(9) + "FileName" + Chr(9) + Chr(9) + "Date"
  EndIf
  $strMesg = $strMesg + Chr(13) + $intCounter + Chr(9) + $arrDat[0,$intCounter] + Chr(9) + $arrDat[1,$intCounter] + Chr(9) + $arrDat[2,$intCounter]
Next
;
$intSelect = MessageBox($strMesg,"Click on OK and Make a Selection at the Command Prompt",4144)
$intDAT = -1
While $intDAT < 0 or $intDat > $intIndex
  ? "Enter your selection: "
  Gets $intDAT
Loop
? "You selected, " + $intDAT
;
; Now read the data from the ntuser.dat file.
; Loading a hive requires the Backup and Restore privileges, so run this as an administrator.
$intSelect = LoadHive("HKEY_USERS\Temp", $arrDat[0,$intDAT] + "\" + $arrDat[1,$intDAT])
If $intSelect = 0
  ; Start writing the data to a file.
  $strFile = "C:\Documents and Settings\" + @userid + "\Desktop\" + $strUser + "_profdat.ini"
  $intErr = WriteProfileString($strFile,"Home Path","homed",$strHomeD)
  ? "Home directory is: " + $strHomeD
  $intErr = WriteProfileString($strFile,"Path Searched","HKU",$arrDat[0,$intDAT] + "\" + $arrDat[1,$intDAT])
  ? "ntuser.dat file examined is: " + $arrDat[0,$intDAT] + "\" + $arrDat[1,$intDAT]
  ;
  ; Hive is loaded, now read the data. This section will retrieve persistent drive mappings.
  $intSelect = 0
  $intIndex2 = 0
  $strKey = EnumKey("HKEY_USERS\Temp\Network", $intSelect)
  While @Error = 0
    ReDim Preserve $arrMap[1,$intIndex2]
    ? "Found key: " + $strKey
    $arrMap[0, $intIndex2] = $strKey
    $arrMap[1, $intIndex2] = ReadValue("HKEY_USERS\Temp\Network\" + $strKey, "RemotePath")
    ? "Remote Path = " + $arrMap[1, $intIndex2]
    $intErr = WriteProfileString($strFile,"Persistent Connections",$arrMap[0, $intIndex2],$arrMap[1, $intIndex2])
    $intIndex2 = $intIndex2 + 1
    $intSelect = $intSelect + 1
    $strKey = EnumKey("HKEY_USERS\Temp\Network", $intSelect)
  Loop
  ;
  ; Next, read printer information
  ; The default printer is found at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device
  ;
  $strDefP = ReadValue("HKEY_USERS\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows","Device")
  $strDefP = Substr($strDefP,1,Instr($strDefP,",")-1)
  ? "The default printer is: " + $strDefP
  $intErr = WriteProfileString($strFile,"Printers","Default",$strDefP)
  ;
  ; Now get all of the mapped printers.
  ;
  $intSelect = 0
  $strKey = EnumKey("HKEY_USERS\Temp\Printers\Connections", $intSelect)
  While @Error = 0
    ReDim Preserve $arrMap[1,$intIndex2]
    $temp = Split($strKey,",",4)
    $arrMap[0, $intIndex2] = $temp[2]
    $arrMap[1, $intIndex2] = $temp[3]
    ? "Found printer, " + $arrMap[1, $intIndex2] + ", through server, " + $arrMap[0, $intIndex2]
    $intErr = WriteProfileString($strFile,"Printers",$arrMap[0, $intIndex2],$arrMap[1, $intIndex2])
    $intIndex2 = $intIndex2 + 1
    $intSelect = $intSelect + 1
    $strKey = EnumKey("HKEY_USERS\Temp\Printers\Connections", $intSelect)
  Loop
  ;
  ; Now check color scheme
  $strClrSchm = ReadValue("HKEY_USERS\Temp\Control Panel\Current","Color Schemes")
  If @ERROR = 0
    ? "Color scheme is set to: " + $strClrSchm
  Else
    ? "Could not read the color scheme. Will set it to Windows Standard."
    $strClrSchm = "Windows Standard"
  EndIf
  $intErr = WriteProfileString($strFile,"Desktop","Scheme",$strClrSchm)
  ;
  ; Check wallpaper
  ;
  $strWallP = ReadValue("HKEY_USERS\Temp\Control Panel\Desktop","Wallpaper")
  If @ERROR = 0
    If $strWallP <> ""
      ? "Customer's wallpaper is set to: " + $strWallP
      $intErr = WriteProfileString($strFile,"Desktop","paper",$strWallP)
    Else
      ? "Customer does not have any wallpaper set."
      $intErr = WriteProfileString($strFile,"Desktop","paper","none")
    EndIf
  Else
    ? "Had trouble reading the wallpaper value." + @SERROR
    $strWallP = ""
  EndIf
  ;
  ; Now check the screensaver.
  ;
  $intSelect = 0
  $arrScrn[0,$intSelect] = "SCRNSAVE.EXE"
  $arrScrn[1,$intSelect] = ReadValue("HKEY_USERS\Temp\Control Panel\Desktop",$arrScrn[0,$intSelect])
  If @ERROR = 0
    If $arrScrn[1,$intSelect] <> ""
      ? "Customer's screen saver is set to: " + $arrScrn[1,$intSelect]
      $intErr = WriteProfileString($strFile,"Desktop","screensaver",$arrScrn[1,$intSelect])
      $arrTemp = Split($arrScrn[1,$intSelect],"\",-1)
      $temp = Ubound($arrTemp)
      $strScrnSName = $arrTemp[$temp]
      Select
        Case $strScrnSName = "ss3dfo.scr"
          ? "Customer is using the 3D flying object screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.3DFlyingObj"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
        Case $strScrnSName = "sspipes.scr"
          ? "Customer is using the 3D pipes screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.3DPipes"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
        Case $strScrnSName = "ssbezier.scr"
          ? "Customer is using the bezier curve screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.Bezier"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
        Case $strScrnSName = "ssmarque.scr"
          ? "Customer is using the marque screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.Marquee"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
        Case $strScrnSName = "ssmyst.scr"
          ? "Customer is using the mystify screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.Mystify"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
        Case $strScrnSName = "ssstars.scr"
          ? "Customer is using the stars screen saver."
          $strKey = "HKEY_USERS\Temp\Control Panel\Screen Saver.Stars"
          $temp = EnumSS($strKey,$arrScrn,$strFile)
      EndSelect
    Else
      ? "Customer does not have a screen saver set."
      $intErr = WriteProfileString($strFile,"Desktop","screensaver","none")
    EndIf
  Else
    ? "Had trouble reading the screen saver value."
  EndIf
  ; Finished reading hive. Need to unload it now.
  $intSelect = UnLoadHive("HKEY_USERS\Temp")
  If $intSelect <> 0
    ; Hive was not unloaded
    ? "Open regedit and check HKEY_USERS\Temp. It was not unloaded."
    exit 3
  EndIf
Else
  ; Report the file the user selected ($intDAT), not the last entry in the list.
  ? "Could not load the hive, " + $arrDat[0,$intDAT] + "\" + $arrDat[1,$intDAT]
  exit 2
EndIf
Exit 0
;--------------------------------Functions------------------------------------
;
Function FSearch($strPath,$strPattern)
  ;
  ;NAME         FSearch
  ;
  ;ACTION       This function will search the given path to find files of the
  ;             given pattern and will search sub-directories.
  ;
  ;AUTHOR       Brad Van Orden
  ;             I took inspiration and guidance from Bryce Lindsay's DIRPLUS function.
  ;
  ;VERSION      0.8
  ;
  ;HISTORY      Created 25 Apr 07
  ;             15 May 07 Started adding checking for directory access is denied.
  ;
  ;SYNTAX       FSearch($strPath,$strPattern)
  ;
  ;PARAMETERS   strPath - The path to start the search from.
  ;             strPattern - The pattern being searched.
  ;
  ;RETURNS      An array. The sub-elements of each index will be:
  ;             [0] directory the file was found in
  ;             [1] file name
  ;             [2] file time
  ;DEPENDENCIES FSO
  ;
  ;EXAMPLE
  ;
  DIM $strPathName, $strErr, $intErr, $strDate
  DIM $strFile, $strFilName, $arrResults[2,], $i
  ;
  $strPathName = CreateObject("Scripting.FileSystemObject").getfolder($strPath)
  If @ERROR
    ? "There was an error getting the folder handle."
  EndIf
  $i = -1
  For Each $strFile in $strPathName.subfolders
    $strFilName = Dir($strFile + "\" + $strPattern)
    $intErr = @ERROR
    $strErr = @SERROR
    Select
      Case $intErr = 5
        ? "You did not have permission to view this directory:"
        ? $strFile
        $strDate = GetFileTime($strFile)
        ? "It is dated: " + $strDate
        ? "If that is a directory you might want to examine, you need to repair the permissions on it."
      Case $intErr = 2
        ; This directory did not have the matching pattern.
      Case $intErr = 0
        ; A match was found.
        While $strFilName <> ""
          $i = $i + 1
          ReDIM preserve $arrResults[2,$i]
          $arrResults[0, $i] = $strFile
          $arrResults[1, $i] = $strFilName
          ; Use the matched file name so wildcard patterns get the right time.
          $arrResults[2, $i] = GetFileTime($strFile + "\" + $strFilName)
          $strFilName = Dir()
        Loop
      Case 1
        ? "Error number, " + $intErr + ", was reported - " + $strErr
    EndSelect
  Next
  If Ubound($arrResults,2) < 0
    exit 2
  Else
    $FSearch = $arrResults
  EndIf
EndFunction
;
Function EnumSS($strKey,$arrScrn,$strFile)
  ;
  ;NAME         EnumSS
  ;
  ;ACTION       This function will query the registry for the given screen saver and
  ;             print all of its settings, writing each one to the ini file.
  ;
  ;AUTHOR       Brad Van Orden
  ;
  ;VERSION      1.0
  ;
  ;HISTORY      Created 8 Jun 07
  ;             Added writing to the profile string.
  ;
  ;SYNTAX       EnumSS($strKey,$arrScrn,$strFile)
  ;
  ;PARAMETERS   strKey  - The path to key to be searched.
  ;             arrScrn - Array of value name / value data pairs to extend.
  ;             strFile - The ini file the settings are written to.
  ;
  ;RETURNS      Nothing. Each setting is printed and written to the
  ;             "Desktop" section of strFile.
  ;DEPENDENCIES None
  ;
  ;EXAMPLE
  ;
  Dim $intI, $strTemp, $intErr, $intSelect
  ;
  ; EnumValue indexes are zero-based, so start at 0 to include the first value.
  $intI = 0
  $strTemp = EnumValue($strKey,$intI)
  $intErr = @ERROR
  While $intErr = 0
    $intSelect = $intSelect + 1
    ReDim Preserve $arrScrn[1,$intSelect]
    $arrScrn[0,$intSelect] = $strTemp
    $arrScrn[1,$intSelect] = ReadValue($strKey,$arrScrn[0,$intSelect])
    ? "Value, " + $arrScrn[0,$intSelect] + ", is set to: " + $arrScrn[1,$intSelect]
    $intErr = WriteProfileString($strFile,"Desktop",$arrScrn[0,$intSelect],$arrScrn[1,$intSelect])
    $intI = $intI + 1
    $strTemp = EnumValue($strKey,$intI)
    $intErr = @ERROR
  Loop
EndFunction
Hopefully, this is part of what you are looking for.
Regards,
Brad
#192372 - 2009-02-19 03:47 PM
Re: NT4.0 Migration with Kix and GetSid
[Re: Shawn]
bekickst
Fresh Scripter
Registered: 2009-02-17
Posts: 6
Loc: Berlin Germany
Dear Brad.
I'm really stunned by your script and I'm almost sure I'm going to work through it in a fuzzy distant future. Especially because I believe Shawn gave me the right hint in just one sentence. Thanks Shawn, I oversaw the security translation wizard in the ADMT and I'm testing it now. I'll tell you if it worked. Thanks Brad for your work. I'll let you know how everything worked out.
Kind Regards, Bekickst.
#192374 - 2009-02-19 03:57 PM
Re: NT4.0 Migration with Kix and GetSid
[Re: bekickst]
bekickst
Fresh Scripter
Registered: 2009-02-17
Posts: 6
Loc: Berlin Germany
It works, it's the security translation wizard that has to be run on the workstations and/or servers to translate the old SIDs in the ACLs to the new ones. That comes a little bit like a double treat with the SID-history, that allows users to access data with old SIDs, but anyway, it's functional. And I do not have to write a script :).
Thanks a lot to everyone for his (her) help.
Regards, Bekickst.