Funny Story... if your not me
slinuxuzer
Member Posts: 665 ■■■■□□□□□□
I did a file server migration for my company the other day, about 48 gigs of data. IT seemed pretty straight forward migrate our accounting apps, then map a drive to our new server and use a very long robocopy.exe command to migrate attributes, permissions, timestamps etc.
well what no one knew, especially me, is when this server was originally setup back in 2003. whoever set it up for some unknown reason setup a bunch of local groups (server is 2k and on domain) that matched the names of our domain groups exactly. They then nested the domain groups into these local groups and applied the local groups to the folders they needed access to.
So for years now we were unaware of this, and through time domain groups started getting applied to these folders also, so there was then a mix.
Now the good part when I did the test migration it all looked good I would see a sid or two but thought this was just a group or user that had been deleted and the orphaned object was left over, and since there was a mix of domain permissions applied I would see in alot of places the permissions. So the permissions were TOTALLY screwed since you can't migrate local permissions with robocopy and I don't know of any free tools that can, plus this was a do or die type deal because of other things I couldn't move backwards.
So once the migration was done, 4:30 pm, the issue was discovered the first time my phone rang, and guess what I got to spend the next 4 hours working OT (on salary) to fix the issue. Yes it could have been alot worse, but to give some insight into just how messed up some things are and with this server in particular. There have been two major issues that I have personally discoverd with this server, the first was the accounting managers home folder having the everyone group applied to it with full access and the second being nearly everyone having read access to the plant mangers files (via a nested group mistake; prime example of KISS)
Then the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups).
The issue is now fixed and I have a few more gray hairs.
well what no one knew, especially me, is when this server was originally setup back in 2003. whoever set it up for some unknown reason setup a bunch of local groups (server is 2k and on domain) that matched the names of our domain groups exactly. They then nested the domain groups into these local groups and applied the local groups to the folders they needed access to.
So for years now we were unaware of this, and through time domain groups started getting applied to these folders also, so there was then a mix.
Now the good part when I did the test migration it all looked good I would see a sid or two but thought this was just a group or user that had been deleted and the orphaned object was left over, and since there was a mix of domain permissions applied I would see in alot of places the permissions. So the permissions were TOTALLY screwed since you can't migrate local permissions with robocopy and I don't know of any free tools that can, plus this was a do or die type deal because of other things I couldn't move backwards.
So once the migration was done, 4:30 pm, the issue was discovered the first time my phone rang, and guess what I got to spend the next 4 hours working OT (on salary) to fix the issue. Yes it could have been alot worse, but to give some insight into just how messed up some things are and with this server in particular. There have been two major issues that I have personally discoverd with this server, the first was the accounting managers home folder having the everyone group applied to it with full access and the second being nearly everyone having read access to the plant mangers files (via a nested group mistake; prime example of KISS)
Then the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups).
The issue is now fixed and I have a few more gray hairs.
Comments
-
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
I'm not you and it's still not funny, I feel your pain! Ouch!
Glad you got it worked out though, and by sharing that maybe you helped others avoid making the mistakes your predecessor did. Here is my pet peeve:slinuxuzer wrote:the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups
Amen!All things are possible, only believe. -
Slowhand
Mod Posts: 5,161 Mod
Sounds like whoever was the admin back in 2003 got something crazy in their ear. I'm glad you got it worked out, I think I agree with sprkymrk: "I feel your pain".
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do. -
APA
Member Posts: 959
sprkymrk wrote:I'm not you and it's still not funny, I feel your pain! Ouch!
Glad you got it worked out though, and by sharing that maybe you helped others avoid making the mistakes your predecessor did. Here is my pet peeve:slinuxuzer wrote:the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups
Amen!
I'll second that pet peeve......
We've recently inherited a new company..... The previous non qualified IT dept didn't know what dhcp was or how to use AD correctly....... amongst other things..... Users accounts have been applied to every single share.... talk about administrative overhead!!!!!
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP -
slinuxuzer
Member Posts: 665 ■■■■□□□□□□
Thanks for your replies, glad to see I am not alone.
P.s I just re-read my post and I apologise for some of it being incoherent, my mind was a little beat up when I wrote it. -
mr2nut
Member Posts: 269
I'll happily admit that made me laugh
(but cringe at the same time) poor guy!