Funny Story... if your not me

I did a file server migration for my company the other day, about 48 gigs of data. IT seemed pretty straight forward migrate our accounting apps, then map a drive to our new server and use a very long robocopy.exe command to migrate attributes, permissions, timestamps etc.

well what no one knew, especially me, is when this server was originally setup back in 2003. whoever set it up for some unknown reason setup a bunch of local groups (server is 2k and on domain) that matched the names of our domain groups exactly. They then nested the domain groups into these local groups and applied the local groups to the folders they needed access to.

So for years now we were unaware of this, and through time domain groups started getting applied to these folders also, so there was then a mix.

Now the good part when I did the test migration it all looked good I would see a sid or two but thought this was just a group or user that had been deleted and the orphaned object was left over, and since there was a mix of domain permissions applied I would see in alot of places the permissions. So the permissions were TOTALLY screwed since you can't migrate local permissions with robocopy and I don't know of any free tools that can, plus this was a do or die type deal because of other things I couldn't move backwards.

So once the migration was done, 4:30 pm, the issue was discovered the first time my phone rang, and guess what I got to spend the next 4 hours working OT (on salary) to fix the issue. Yes it could have been alot worse, but to give some insight into just how messed up some things are and with this server in particular. There have been two major issues that I have personally discoverd with this server, the first was the accounting managers home folder having the everyone group applied to it with full access and the second being nearly everyone having read access to the plant mangers files (via a nested group mistake; prime example of KISS)

Then the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups).

The issue is now fixed and I have a few more gray hairs.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

sprkymrk

I'm not you and it's still not funny, I feel your pain! Ouch!

Glad you got it worked out though, and by sharing that maybe you helped others avoid making the mistakes your predecessor did. Here is my pet peeve:

slinuxuzer wrote:

the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups

Amen!

Slowhand

Sounds like whoever was the admin back in 2003 got something crazy in their ear. I'm glad you got it worked out, I think I agree with sprkymrk: "I feel your pain".

APA

sprkymrk wrote:

I'm not you and it's still not funny, I feel your pain! Ouch!

Glad you got it worked out though, and by sharing that maybe you helped others avoid making the mistakes your predecessor did. Here is my pet peeve:

slinuxuzer wrote:

the overuse of applying user accounts directly to folders (either make a group, or add them to the appropirate groups

Amen!

I'll second that pet peeve......

We've recently inherited a new company..... The previous non qualified IT dept didn't know what dhcp was or how to use AD correctly....... amongst other things..... Users accounts have been applied to every single share.... talk about administrative overhead!!!!!

slinuxuzer

Thanks for your replies, glad to see I am not alone.

P.s I just re-read my post and I apologise for some of it being incoherent, my mind was a little beat up when I wrote it.

mr2nut

I'll happily admit that made me laugh

(but cringe at the same time) poor guy!