You cannot resolve local groups when you migrate files between member servers of different domains (250267)



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server

This article was previously published under Q250267

SUMMARY

When you copy files or folders from a server to a member server of a different domain, the second server may not identify the local groups of the first server. This behavior occurs because the second server cannot identify the security identifiers (SIDs) of the first server's local groups. This article discusses a method to resolve this behavior.

SYMPTOMS

When you copy files or folders from one server to another server that is a member of a different domain, the access control entries for the first server's local groups appear as Unknown on the second server. These access control entries are part of the discretionary access control lists (DACLs) for files and folders.

This behavior occurs when both servers are running Microsoft Windows NT Server 4.0 or Microsoft Windows 2000 Server.

CAUSE

This behavior occurs because the security identifier (SID) values for the local groups on the first server are valid only on that server. (The SID values for other user accounts on the first server are also valid only on that server.) These SID values are not valid on a server that is located on a different domain. The second server does not recognize the SID values for the first server's local groups and user accounts.

RESOLUTION

To resolve this behavior, follow these steps:
  1. Save the first server's local group information to a file:
    1. Log on to the first server as a member of the Administrators group.
    2. At a command prompt, type the following command, and then press ENTER:

      addusers \\ServerName /d Filename.txt

      In this command, ServerName is the name of the first server, and Filename.txt is the file where local groups information is saved.
    3. Edit the Filename.txt file to delete user accounts information and global groups information, and then save the file with a different name. For example, save the modified file as Renfile.txt.

      Important Retain the local groups information in the file.
    4. Copy the modified file to the second server's domain.
  2. Copy the first server's local groups to the second server's domain as local domain groups:
    1. Log on to the domain of the second server as a member of the Administrators group.
    2. At a command prompt, type the following command, and then press ENTER:

      addusers \\DomainName /c renfile.txt

      In this command, DomainName is the name of the domain, and Renfile.txt is the file that contains local group information of the first server. If the groups do not exist in the domain, they will be created. If the groups exist in the domain, the group members will be added to the corresponding groups.
  3. Copy data from the first server to the second server:
    1. Log on to the second server as a member of the Administrators group who has access to the data on the first server.
    2. Create a shared folder on the second server.
    3. Log on to the first server and copy the data to the new shared folder on the second server. To do this, use one of the following methods:
      • To use the Xcopy command-line tool, type the following command at the command prompt, and then press ENTER:

        xcopy \\source\*.* \\destination /O /X /E /H /K

        In this command, source is a placeholder for the location of the first server files, and destination is a placeholder for the location of the new shared folder in the second server.
      • To use the Robocopy command-line tool, type the following command at the command prompt, and then press ENTER:

        robocopy source destination /secfix /xo /xn /xc K

        In this command, source is a placeholder for the location of the first server files, and destination is a placeholder for the location of the new shared folder in the second server.

        Note If you want the destination folder to be an exact mirror of the source folder, you must run Robocopy by using the parameters to update only the file security information, and then run the Robocopy command without using the /xo, /xn, or /xc parameters.
    4. Copy the Renfile.txt file to the second server.
  4. Retrieve the SID values for the first server's local groups and for the domain, and then save them to a file:
    1. Copy the local groups from the Renfile.txt file to a new file on the second server. Give the new file a name such as Listmemberlocal.txt. This file must contain only the names of the first server's local groups. There must be only one name displayed in each row. The content of the Listmemberlocal.txt file must appear similar to the following text, where "LocalA" and "LocalB" are the names of local groups:
      LocalA
      LocalB
    2. Create three batch files on the second server. These batch files retrieve and store the SID values to a text file. You must create these files in one folder. The contents of the batch files must be similar to the following sample code.

      Note In this code, groupssid.txt is a placeholder for the file where the SID values are stored.
      • Listsid.bat:
        echo off
        cls
        if exist groupssid.txt del groupssid.txt
        for /F "tokens=1" %%a in (listmemberlocal.txt) do call listsid1.bat %%a

      • Listsid1.bat:
        getsid \\2b21d %1 \\w2kdomain1.loc %1 >sid1.txt
        for /F "skip=1 tokens=5,7" %%a in (sid1.txt) do call listsid2.bat %%a %%b

        Note Here, 2b21d is a placeholder for the NetBIOS name of the first server, and w2kdomain1.loc is a placeholder for the domain name of the second server.
      • Listsid2.bat:
        echo %1 %2 >>groupssid.txt
    3. At a command prompt, locate and then run the Listsid.bat file.
    4. To view the SID values, open the Groupssid.txt file. The content of the Groupssid.txt file is similar to the following:
      2B21D\LocalA S-1-5-21-90593156-579754539-1338337383-1002 
      W2KDOMAIN1\LocalA S-1-5-21-1844237615-261478967-839522115-1126 
      2B21D\LocalB S-1-5-21-90593156-579754539-1338337383-1003 
      W2KDOMAIN1\LocalB S-1-5-21-1844237615-261478967-839522115-1127 
      2B21D\LocDom1 S-1-5-21-90593156-579754539-1338337383-1004 
      W2KDOMAIN1\LocDom1 S-1-5-21-1844237615-261478967-839522115-1125
      
    5. Edit the content of the Groupssid.txt file so that it is similar to the following:
      S-1-5-21-90593156-579754539-1338337383-1002   S-1-5-21-1844237615-261478967-839522115-1126
      S-1-5-21-90593156-579754539-1338337383-1003   S-1-5-21-1844237615-261478967-839522115-1127
      S-1-5-21-90593156-579754539-1338337383-1004   S-1-5-21-1844237615-261478967-839522115-1125
      
      In this content, the SID for the first local group is followed by the SID for the local group in the domain of the second server.
  5. Replace the SID values of all the first server's local groups with the SID values of the second server's domain local groups:
    1. Create two batch files on the second server. The contents of the batch files must be similar to the following:
      • Sub.bat:
        for /F "tokens=1,2" %%a in (groupssid.txt) do call subin.bat %%a %%b
        Note Here, groupssid.txt is a placeholder for the file that contains the local group SID values for both the first server and the domain.
      • Subin.bat:
        subinacl /subdirectories e:\root\*.* /replace=%1=%2
        Note Here, e:\root is a placeholder for the new folder on the second server to which the first server data is copied.
    2. At a command prompt, locate and then run the Sub.bat file.
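
The hand edit in step 4.5 decides which group inherits each access control entry in step 5, so a mispaired line or a SID broken by stray whitespace silently grants access to the wrong group. The following Python script is an added example, not part of the original article or the Resource Kit: it builds the step 4.5 mapping from the step 4.4 file and refuses to emit anything if an entry is malformed, duplicated, or unpaired. It assumes group names contain no spaces, as the batch files above already do; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Account-domain SIDs only: S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample: the Groupssid.txt content shown in step 4.4.
SAMPLE = r"""2B21D\LocalA S-1-5-21-90593156-579754539-1338337383-1002
W2KDOMAIN1\LocalA S-1-5-21-1844237615-261478967-839522115-1126
2B21D\LocalB S-1-5-21-90593156-579754539-1338337383-1003
W2KDOMAIN1\LocalB S-1-5-21-1844237615-261478967-839522115-1127
2B21D\LocDom1 S-1-5-21-90593156-579754539-1338337383-1004
W2KDOMAIN1\LocDom1 S-1-5-21-1844237615-261478967-839522115-1125
"""

def build_sid_map(text, source, domain):
    """Return [(source_sid, domain_sid), ...]; raise ValueError on any doubt."""
    source, domain = source.upper(), domain.upper()
    seen = defaultdict(dict)  # group name -> {authority: SID}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or "\\" not in parts[0]:
            raise ValueError(f"line {n}: expected 'AUTHORITY\\Group SID'")
        authority, group = (s.upper() for s in parts[0].split("\\", 1))
        if authority not in (source, domain):
            raise ValueError(f"line {n}: unexpected authority {authority}")
        if not SID_RE.match(parts[1]):
            raise ValueError(f"line {n}: malformed SID {parts[1]!r}")
        if authority in seen[group]:
            raise ValueError(f"line {n}: duplicate entry for {parts[0]}")
        seen[group][authority] = parts[1]
    pairs = []
    for group, sids in seen.items():
        if source not in sids or domain not in sids:
            raise ValueError(f"group {group}: SID missing on one side")
        pairs.append((sids[source], sids[domain]))
    # Every SID on one side must share one issuer prefix (all but the RID),
    # and the two sides must differ, or a line has been mislabelled.
    prefixes = [{p[i].rsplit("-", 1)[0] for p in pairs} for i in (0, 1)]
    if pairs and (len(prefixes[0]) != 1 or len(prefixes[1]) != 1
                  or prefixes[0] == prefixes[1]):
        raise ValueError("SID prefixes inconsistent with source/domain labels")
    return pairs

def render(pairs):
    """Format pairs as the 'old-SID new-SID' lines that step 5 reads."""
    return "".join(f"{old} {new}\n" for old, new in pairs)

if __name__ == "__main__":
    print(render(build_sid_map(SAMPLE, "2B21D", "W2KDOMAIN1")), end="")
```

Built-in groups (S-1-5-32-...) are rejected by design: they carry the same SID on every computer and need no replacement.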

MORE INFORMATION

The Addusers, Robocopy, Getsid, and Subinacl utilities are available in the Microsoft Windows 2000 Resource Kits. For more information about the Microsoft Windows 2000 Resource Kits, visit the following Microsoft Web site:

REFERENCES

For additional information about how to retain permissions on files and folders when you copy the files and folders to another computer, click the following article numbers to view the articles in the Microsoft Knowledge Base:

296865 The Subinacl utility arranges access control entries incorrectly

323007 How to copy a folder to another folder and retain its permissions

323275 How to use Robocopy to copy security information without copying any file data


Modification Type: Major
Last Reviewed: 3/7/2006
Keywords:kbprb KB250267 kbAudITPRO