
After two separate companies merged into one, we were left with two existing environments: a Novell environment and an Active Directory environment. Prior administration decided not to merge them, and instead maintained both environments separately, making duplicate users: one in Novell to access those directories, and one in Active Directory to grant access to the network shares and company e-mail.

Current administration is ready to phase out the increasingly ancient Novell servers, so we are preparing to migrate the Novell data to our existing Active Directory structure.

My concern right now is that we need to have permissions match up at the folder level (we're not worried about granular file permissions), but if we run MSDSS for the files only, we will need to go back and manually grant permissions. However, if we run MSDSS to totally merge NetWare Admin and ADUC, the user Jane Doe will end up with 2 ADUC accounts: her original ADUC account of Jane.Doe, and now an additional one that would come from Novell, JaneD.

My question is: Is there a way for MSDSS to look at the information for JaneD and see that it matches a user account in ADUC, and decline to create a new account, but apply the permissions JaneD has to the migrated Novell-to-Windows data sets?

  • Is the Novell platform sticking around for some reason? It sounds like you are intending to migrate off. Why not aim for a cutover rather than a 'merge'? (I mean, holy crap. https://technet.microsoft.com/en-us/library/ff978876%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 <-that support link hasn't been updated in 5 years!) – blaughw Nov 09 '15 at 18:28
  • No, we're getting rid of it (slowly, eventually) but I didn't want to have to, say, robocopy everything over and then manually go back and re-apply the correct permissions to the data. Even though we aren't going down to a granular file level permission set, we do still have almost a TB of folder trees that would need to be drilled down into. Also, I know that article hasn't been updated in ages, but it contains most of the relevant data, since we would be migrating to a 2008 R2 server. – Sarah Sanderson Nov 09 '15 at 18:47
  • I would think this is possible if you can lock in on a single, common attribute that is shared between User1's NDS object and User1's AD object, for example if you have employee IDs stored in both directories. If you have this, I could imagine a script that gets an ACL, performs a *query* on each user object, and *if* it matches an AD object, *then* applies permissions, *else* creates a new entry. – blaughw Nov 09 '15 at 18:59
  • Unfortunately, there isn't a shared attribute other than the names, and we have so many duplicate first names that I don't think it will work. I'll keep trying, though, and post if I come up with a solution. – Sarah Sanderson Nov 11 '15 at 15:47
  • Dang, you might be able to mash together the IDs in a CSV then use PowerShell, but this does not scale above a few hundred users. – blaughw Nov 12 '15 at 16:57

1 Answer


So your users already have accounts in both Novell and AD? If so, I wouldn't worry about using a migration tool.

Instead, create a CSV file that maps your Novell users to your AD users. Storing the Novell username in an attribute on the corresponding AD user account is also a good idea. If you create the CSV file first, you could use PowerShell to easily set the AD attribute.

When you get to moving the files, I would use something like RoboCopy to do the actual copy. Then use Novell utilities to dump the explicit file and folder permissions to a text file. Using the CSV file with the username map, you can use PowerShell to translate the Novell permissions to the equivalent Windows permissions. And finally use PowerShell to apply those permissions.

longneck
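The procedure the answer outlines (a CSV mapping Novell logins to existing AD accounts, recording the Novell login on the AD object, dumping the Novell trustee assignments, translating them and applying them to the RoboCopied tree) as one PowerShell script. This is an added example, not code from the thread or from either poster; it also does what blaughw's comment describes, except that a trustee with no match in the map is reported rather than turned into a new account, which is the duplicate-account problem the question wants to avoid. Everything environment-specific is assumed: the CSV columns `NovellUser,ADUser`, a rights dump in the form `<NovellPath>;<Trustee>;<RightsLetters>` (real Novell tools produce other layouts, so adjust `ConvertFrom-RightsLine`), the volume `DATA:` already copied to `\\fs01\Data`, the domain `CORP`, and `extensionAttribute1` as the attribute holding the Novell login. The Novell-to-NTFS rights table is a practical approximation, not an official mapping.

```powershell
<#
Added example (not code from the thread). Translates dumped Novell trustee
assignments to NTFS ACEs using a Novell->AD username map, then applies them.
Assumed inputs (constructed for this example):
  users.csv   columns NovellUser,ADUser        e.g.  JaneD,Jane.Doe
  rights.txt  <NovellPath>;<Trustee>;<Rights>   e.g.  DATA:\FINANCE;JaneD;RWCEMF
Data is assumed to have been RoboCopied from DATA: to \\fs01\Data already.
Without -Apply the script is a dry run; use -Verbose to see what it would do.
#>
param(
    [string]$MapCsv      = 'C:\migrate\users.csv',
    [string]$RightsDump  = 'C:\migrate\rights.txt',
    [string]$OldRoot     = 'DATA:',
    [string]$NewRoot     = '\\fs01\Data',
    [string]$Domain      = 'CORP',
    [string]$AdAttribute = 'extensionAttribute1',  # needs Exchange schema; use e.g. 'info' otherwise
    [switch]$Apply
)

Import-Module ActiveDirectory

# Novell trustee rights -> NTFS FileSystemRights (approximate mapping, an assumption).
# W and C share the same NTFS bits (WriteData=CreateFiles, AppendData=CreateDirectories).
$NovellToNtfs = @{
    'S' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'R' = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile'
    'W' = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    'C' = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    'E' = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    'M' = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes'
    'F' = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes'
    'A' = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
}

function ConvertTo-NtfsRights([string]$NovellRights) {
    $rights = [System.Security.AccessControl.FileSystemRights]0
    # Ignore brackets, spaces and unknown letters in the dumped rights string
    foreach ($ch in ($NovellRights.ToUpper() -replace '[^SRWCEMFA]', '').ToCharArray()) {
        $rights = $rights -bor $NovellToNtfs[[string]$ch]
    }
    # Anyone with any right needs to read the folder's attributes and permissions
    if ($rights -ne 0) {
        $rights = $rights -bor [System.Security.AccessControl.FileSystemRights]'ReadAttributes, ReadPermissions'
    }
    return [System.Security.AccessControl.FileSystemRights]$rights
}

function ConvertFrom-RightsLine([string]$Line) {
    $parts = $Line.Split(';')
    if ($parts.Count -lt 3) { return $null }
    [pscustomobject]@{ Path = $parts[0].Trim(); Trustee = $parts[1].Trim(); Rights = $parts[2].Trim() }
}

function ConvertTo-NewPath([string]$NovellPath) {
    # DATA:\FINANCE  ->  \\fs01\Data\FINANCE
    if (-not $NovellPath.StartsWith($OldRoot, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    return $NewRoot + $NovellPath.Substring($OldRoot.Length).Replace('/', '\')
}

# 1. Username map: Novell login (lower-cased) -> AD sAMAccountName
$map = @{}
Import-Csv $MapCsv | ForEach-Object { $map[$_.NovellUser.Trim().ToLower()] = $_.ADUser.Trim() }

# 2. Record the Novell login on each AD account, as the answer suggests
if ($Apply) {
    foreach ($nw in $map.Keys) { Set-ADUser -Identity $map[$nw] -Replace @{ $AdAttribute = $nw } }
}

# 3. Translate and apply the dumped trustee assignments, one Set-Acl per folder
$entries  = Get-Content $RightsDump | Where-Object { $_.Trim() } |
            ForEach-Object { ConvertFrom-RightsLine $_ } | Where-Object { $_ }
$unmapped = @()

foreach ($group in ($entries | Group-Object Path)) {
    $target = ConvertTo-NewPath $group.Name
    if (-not $target) { Write-Warning "Outside $OldRoot, skipped: $($group.Name)"; continue }
    if (-not (Test-Path -LiteralPath $target -PathType Container)) { Write-Warning "Not found after copy: $target"; continue }

    $acl = Get-Acl -LiteralPath $target
    foreach ($e in $group.Group) {
        $adUser = $map[$e.Trustee.ToLower()]
        if (-not $adUser) { $unmapped += $e; continue }   # no AD match: report it, never create an account
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$Domain\$adUser", (ConvertTo-NtfsRights $e.Rights),
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
        Write-Verbose "$target : $Domain\$adUser <- $($e.Rights)"
    }
    if ($Apply) { Set-Acl -LiteralPath $target -AclObject $acl }
}

if ($unmapped) {
    $unmapped | Export-Csv -NoTypeInformation 'C:\migrate\unmapped-trustees.csv'
    Write-Warning "$($unmapped.Count) trustee assignments had no AD match; see unmapped-trustees.csv"
}
```

Run it once without `-Apply -Verbose` to review the translated ACEs and the unmapped-trustees report, fix the CSV (this is where the duplicate first names get resolved by a human, once), then run with `-Apply`. Because the assignments are grouped by folder, each folder's ACL is read and written once, and because only the explicit trustee assignments from the dump are applied and inherited rights flow down as they did on NetWare, the result stays at the folder-level granularity the question asks for. The account running it needs rights to modify the ACLs on the new shares (or ownership of the tree) and to write the chosen attribute in AD.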