How do I translate security for remote users upon the next logon? (NETIQKB5767)

  • 7705767
  • 02-Feb-2007
  • 14-Aug-2007

Resolution

goal
How do I translate security for remote users upon the next logon?

fix

There is no supported way for Domain Migration Administrator (DMA) to translate security for remote users upon their next logon. An unsupported workaround is to initiate a Computer Migration/Security Translation using the command line interface (CLI) that is included with DMA. The operating system (OS) of the source domain determines which options are available.

Follow the steps outlined in NETIQKB4010 to prepare a task to run via the CLI. Use this procedure to prepare the 'Migrate Computers' and/or 'Translate Security Settings' steps of the migration and select the machines that were not connected during the migration. If you would like to translate the user's profile during this step, the user may need to dial in or connect to the network using a different user account so that their actual local profile will be translated. This does not apply to users who have roaming profiles, because those are translated during the user migration rather than during the computer migration or security translation.

For a Windows 2000 source domain:

  1. Create a Group Policy to execute the DMACLI command to migrate and translate the machine.

For a Windows NT source domain:

  1. Create a logon script that will execute the NETDOM Windows 2000 Support Tool to migrate the machine to the new domain.
  2. Set a Group Policy in the target domain that will execute the DMACLI command.

Another option is to have the remote users change the domain affiliation manually and have the Group Policy in the target domain run the DMACLI command to translate security on the workstations.

NOTE: A user's profile cannot be translated while that profile is being accessed. If you would like to translate the user's profile during this step, the user needs to dial in or connect to the network using a different user account so that their actual local profile will be translated. This does not apply to users who have roaming profiles.

The development and troubleshooting of scripting is outside the scope of Technical Support. These services are available through your NetIQ Sales Representative.



note
Please refer to NETIQKB12292 for more information regarding the Best Practices for Migrating Remote Users.

note
Please note that information regarding the DMACLI can also be found in Appendix A of the DMA and SC User Guide. Information regarding delegation of migration tasks can be found in Chapter 6 of the DMA and SC User Guide.

note

Please contact Technical Support to create a 'Support Request' for any issues you encounter that are not addressed by the User Guide, any Knowledge Base articles found on the website, or current Hotfixes available for download.



Additional Information

Formerly known as NETIQKB5767