Using GPO to run logon script

hsofteng (Newbie) Posted: 26 Mar 2014 at 9:10am
Hi,
I'm trying to migrate all profiles on all PCs/laptops to a new domain. I have followed the user guide and have created a vbs and config file - I've added all files to Group Policy and told it to run the vbs file, but nothing seems to happen.

What am I doing wrong?

Support (Moderator Group) Posted: 27 Mar 2014 at 3:18am
Hi,

The general guidelines are as follows:

1. Use a single deployment file rather than using separate migration files (Migrate.vbs, Profwiz.config, etc.)

2. Run the migration from a computer Group Policy not a user group policy. Because of this...

3. The migration will run under the SYSTEM account so make sure <LocalAdmin> and <LocalPwd> are blank in Profwiz.config

hsofteng (Newbie) Posted: 27 Mar 2014 at 5:39am
Thanks for this information - so apparently the script has now run but I'm still only seeing the original users - not users for the new domain. How can I tell if the script has run properly?

hsofteng (Newbie) Posted: 27 Mar 2014 at 6:57am
The log is showing the following..

Licensed to S***** Ltd (50 Seats) Serial No. 917F2A69
Copyright (c) 2002-2013 ForensiT Ltd
www.ForensiT.com

The migration service already exists.
Starting migration service... Done.
Machine is not joined to the OLDNAME domain.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Finding Domain Controller for domain NEW.domain... Done.
Using Domain Controller: \\server.NEW.domain.
Binding to Active Directory... Done.
Joining to domain "NEW.domain" ... Fails.
Error 1219. Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
No OLDNAME domain account profiles were found.
Migration Fails.

Edited by hsofteng - 27 Mar 2014 at 8:27am

Support (Moderator Group) Posted: 27 Mar 2014 at 8:27am
The migration needs to be run from a Group Policy on the old domain.

hsofteng (Newbie) Posted: 27 Mar 2014 at 8:29am
I thought profwiz didn't need access to the old domain?!
I have the new server in a test environment with one laptop from the old domain - the old domain controller is not available.

Support (Moderator Group) Posted: 27 Mar 2014 at 9:26am
User Profile Wizard does not need access to the old domain to migrate the profile, but some deployment methods are more appropriate than others given different scenarios.

If you really want to use a Group Policy from the new domain, you will need to use a custom migration script. See the "EnumSIDs.vbs" script in the Sample Migration Scripts collection on the Support Downloads page. You will need to modify the script for your own environment - see the Readme file.

hsofteng (Newbie) Posted: 28 Mar 2014 at 7:18am
Ok, so I've edited the enumSIDs.vbs and put that in the startup script folder along with the .exe and the .config file.

This is what I now get from the log file

ForensiT User Profile Wizard v3.7.1190
Licensed to S***** Ltd (50 Seats) Serial No. 917F2A69
Copyright (c) 2002-2013 ForensiT Ltd
www.ForensiT.com

Creating migration service... Done.
Starting migration service... Done.
Machine is not joined to the oldname domain.
Finding Domain Controller for domain new.domain... Done.
Using Domain Controller: \\server.new.domain.
Binding to Active Directory... Done.
Joining to domain "new.domain" ... Fails.
Error 1219. Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
Migration Fails.

Support (Moderator Group) Posted: 31 Mar 2014 at 3:21am
There are two things that are immediately obvious from the log. Firstly, User Profile Wizard did not attempt to migrate any profiles, so you have either not configured your script correctly or not configured your Profwiz.config file correctly. (Is <All> set to true in Profwiz.config? It needs to be.) Secondly, User Profile Wizard is trying to join the machine to the new domain. There is no need to do this - do you have <ForceJoin> set to 'True'? (It should not be.)
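
Added example, not part of the original thread and not ForensiT code: the log reading done in the reply above, scripted in Python so it can be run over logs collected from many machines. It reports failed steps with their error code, whether a domain join was attempted, and the final verdict. The line patterns are assumptions inferred only from the two logs posted in this thread, and `triage` and the report keys are hypothetical names.

```python
import re

# Log lines copied from the first log posted in this thread (banner omitted).
SAMPLE_LOG = r"""The migration service already exists.
Starting migration service... Done.
Machine is not joined to the OLDNAME domain.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Attempting to resolve user SID... Fails.
Finding Domain Controller for domain NEW.domain... Done.
Using Domain Controller: \\server.NEW.domain.
Binding to Active Directory... Done.
Joining to domain "NEW.domain" ... Fails.
Error 1219. Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
No OLDNAME domain account profiles were found.
Migration Fails.
"""

STEP = re.compile(r"^(?P<step>.+?)\s*\.\.\.\s*(?P<result>Done|Fails)\.$")
ERROR = re.compile(r"^Error (?P<code>\d+)\.")
NO_PROFILES = re.compile(r"^No (?P<domain>\S+) domain account profiles were found\.$")

def triage(log_text):
    """Summarise a log: failed steps with their error code, join attempt, verdict."""
    report = {"failed_steps": [], "join_attempted": False,
              "no_profiles_domain": None, "migration_failed": False}
    pending = None  # failed step still waiting for its "Error NNNN." line
    for line in (raw.strip() for raw in log_text.splitlines()):
        step, err, none_found = STEP.match(line), ERROR.match(line), NO_PROFILES.match(line)
        if step:
            # Support's reply: a join attempt means <ForceJoin> needs checking.
            report["join_attempted"] |= step["step"].startswith("Joining to domain")
            pending = [step["step"], None] if step["result"] == "Fails" else None
            if pending:
                report["failed_steps"].append(pending)
            continue
        if err and pending:
            pending[1] = int(err["code"])  # error line directly follows the failed step
        elif none_found:
            report["no_profiles_domain"] = none_found["domain"]
        elif line == "Migration Fails.":
            report["migration_failed"] = True
        pending = None
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `join_attempted` of True together with a failed "Joining to domain" step is the case the reply above ties to `<ForceJoin>` in Profwiz.config.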

hsofteng (Newbie) Posted: 31 Mar 2014 at 3:54am
<all> is set to false in profwiz.config - as instructed by the readme.pdf about using EnumSIDs.vbs and yes I did have <ForceJoin> set to True but surely it would ignore that anyway if it was already joined to the domain?