What does the "During scan, include security principals from the DACL on the GPO" option mean when scanning GPOs to auto-populate a migration table?

    Question

  • Hi, wondering if someone can tell me in layman's terms, what happens if you select "During scan, include security principals from the DACL on the GPO" in the Migration Table Editor, Tools, Populate from Backup.   Basically, I'm just looking to migrate GPOs from my old domain to my new domain (each in their own forest)

    Microsoft's description is not in layman's terms.

    I'm definitely using Security Filtering on several GPOs. Also, on one or more GPOs I had to make adjustments to entries on the Delegation tab. If what I'm reading is right, Delegation is the DACLs? And since I'm planning on migrating users/groups with their SIDs, so their file/folder perms will be retained after I Robocopy the files, is checking that box the right thing to do? Obviously I don't want the old domain name carried over, but I don't see that anywhere in the Delegation tab anyways.

    I did run it, checking that box, and it put entries from Security Filtering in the table.   I ran again, NOT checking it, and those entries were then gone.   Based on this then, since I DO want the migrated GPOs filtering to remain intact (and tied to the migrated users), instead of having to RE-filter my GPOs,  I assume I DO want to check this box.  

    • Edited by dilbert2015 Thursday, September 24, 2015 8:12 PM
    Thursday, September 24, 2015 5:04 PM

Answers

  • > I also said I'd be migrating users/groups with their SIDs.   So then it
    > seems obvious I WOULD want to check the box  "During scan, include
    > security principals from the DACL on the GPO" .
     
    Argh - sorry for my lame understanding :)
     
    After studying the GPM object model, my opinion is: The DACL entries in
    migration tables are NEVER used when importing a backup. They are only
    used when copying a GPO.
     
    For more information, see the GPM_PROCESS_SECURITY flag of the
     
    regards :)
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by dilbert2015 Thursday, October 08, 2015 4:11 PM
    Thursday, October 08, 2015 3:32 PM

All replies

  • Hi dilbert,

    The migration table will apply to any references in the settings within a GPO, whether you are performing an import or copy operation. In addition, during a copy operation, if you choose the option to preserve the discretionary access control list (DACL) on the GPO, the migration table will also apply to both the DACL on the GPO and the DACLs on any software installation settings in the GPO.

    You may read the articles about migration table.

    https://technet.microsoft.com/en-us/library/cc739066(v=ws.10).aspx

    http://blogs.technet.com/b/doxley/archive/2008/04/22/group-policy-migration-without-the-headache.aspx

    And if you had used ADMT for moving users across domains exporting SIDHistory, you could translate the old domain ACL to the target domain values.

    https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

    And as far as I know, files or folders you copy from the source server to the new one (using robocopy) will retain the old domain ACLs for any file/folder. And if you use the new domain accounts, they will have issues accessing the new fileserver info, because the ACLs are for users/groups of your source domain, not for the target one. What you need to be sure of is that the new server where you put the info must include the ACLs for the target domain.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 25, 2015 7:20 AM
    Moderator
  • Can you please answer my specific questions instead of basically telling me "checking a DACLs box will make them apply", and giving me documentation links?

    And please ignore the fact about migrating users with SID history (in order to keep shared files access) if it's not pertinent to the question on the GPO DACL's.   We don't normally put actual user accounts in the Delegation tab, just in the Security Filtering area of the first tab.


    spnewbie

    Tuesday, September 29, 2015 3:05 PM
  • > Can you please answer my specific questions instead of basically telling
    > me "checking a DACLs box will make them apply", and giving me
    > documentation links?
     
    INSIDE a GPO, you can have users and groups in security settings. These
    are always included in the migration table.
     
    OUTSIDE the GPO each GPO has an ACL where you grant access to the GPO
    (who can read/edit/apply it). This is called DACL. If you select the
    aforementioned option, all accounts in the DACL will be included in your
    migration table.
     
    That's all. It will not write the ACL in your new domain, it will simply
    carry these entries in the migtable.
     
    > on the GPO DACL's.   We don't normally put actual user accounts in the
    > Delegation tab, just in the Security Filtering area of the first tab.
     
    The security filtering is just a "shortcut". It lists all accounts that
    have both read and apply access to the GPO.
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, September 30, 2015 3:44 PM
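    As an added example (not code from the thread or from Martin), here is how the distinction above looks when you read the GPO DACL through the GroupPolicy module: Get-GPPermission summarises each trustee to one level, and an allowed GpoApply level (Read + Apply Group Policy) is exactly what GPMC shows under "Security Filtering"; everything else only appears on the Delegation tab. The function and the report layout are assumptions for illustration; the cmdlets and property names are the module's own.

```powershell
# Added example, not from the thread: show a GPO's DACL as the GroupPolicy
# module exposes it, split into the "Security Filtering" view (allow entries
# with Read + Apply Group Policy) and everything else (read/edit delegation,
# deny entries, inherited entries).
# Assumes the RSAT GroupPolicy module and read access to the GPOs.

Import-Module GroupPolicy

function Get-GpoDaclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $GpoName,

        # Optional: query another domain (the old forest, for instance).
        [string] $Domain
    )

    $splat = @{ Name = $GpoName; All = $true }
    if ($Domain) { $splat['Domain'] = $Domain }

    foreach ($ace in Get-GPPermission @splat) {
        # Get-GPPermission reduces each trustee's ACEs to one level:
        # GpoRead, GpoApply (= Read + Apply Group Policy), GpoEdit,
        # GpoEditDeleteModifySecurity or GpoCustom. An allowed GpoApply is
        # what GPMC lists under "Security Filtering" on the Scope tab.
        $category = if ($ace.Permission -eq 'GpoApply' -and -not $ace.Denied) {
            'SecurityFiltering'
        } elseif ($ace.Denied) {
            'DenyEntry'        # only visible on the Delegation tab / Advanced
        } else {
            'DelegationOnly'   # read/edit/modify-security without apply
        }

        [pscustomobject]@{
            Gpo       = $GpoName
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Sid       = [string]$ace.Trustee.Sid
            Level     = $ace.Permission
            Denied    = $ace.Denied
            Inherited = $ace.Inherited
            Category  = $category
        }
    }
}

# Usage: report every GPO in the current domain, then look only at the
# entries that are not plain security filtering to spot custom delegation
# (deny-apply entries, extra editors, and so on).
$report = Get-GPO -All | ForEach-Object { Get-GpoDaclReport -GpoName $_.DisplayName }
$report | Where-Object { $_.Category -ne 'SecurityFiltering' } |
    Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

    Running it against the old domain before the migration gives you a list of exactly which principals (with their SIDs) the "include security principals from the DACL" scan would add to the migration table, and which GPOs carry delegation beyond the defaults.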
  • Martin,   can you describe to me how one typically modifies the DACLs on a GPO?    If your answer is that you go to Delegation tab and adjust things there, then that is what I said above/what I understand.  (and I'm certain I HAVE fooled with some settings in Delegation tab on a couple of GPOs).  If not, please tell me how one would adjust these.  This will tell me whether I ever fooled with them.  

    However, disregarding the above, is there any harm in checking that box?  I have not defined ANY gpo's yet in my new domain, so don't worry about overwriting anything.  There must be a reason Microsoft has it unchecked by default?

    • Edited by dilbert2015 Wednesday, September 30, 2015 4:17 PM
    Wednesday, September 30, 2015 4:07 PM
  • > Martin,   can you describe to me how one typically modifies the DACLs on
    > a GPO?
     
    Depends on your needs. In usual environments, the security filtering box
    is sufficient. We use "deny apply", so we need the delegation tab to
    verify. And we use automation to deploy GPOs and adjust ACLs, so in
    daily operations, we don't really care of GPMC :)
     
    > how one would adjust these.
     
    Powershell (get-gpo and its mates), VBScript (GPMC has a bunch of good
    sample scripts).
     
    > There must be a reason Microsoft has it
    > unchecked by default?
     
    I'm unaware of any benefit or risk - I never used it.
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, October 01, 2015 11:40 AM
  • Okay so our Q&A was: 

    > Martin, can you describe to me how one typically modifies the DACLs on
    > a GPO?
    >> Depends on your needs. In usual environments, the security filtering box
    >> is sufficient.

    And in my first post I said:  "I'm definitely using Security Filtering on several GPOs."

    I also said I'd be migrating users/groups with their SIDs.   So then it seems obvious I WOULD want to check the box  "During scan, include security principals from the DACL on the GPO" .   

    • Edited by dilbert2015 Thursday, October 08, 2015 2:43 PM
    Thursday, October 08, 2015 2:35 PM
  • Well, I don't know why that checkbox would be there if it's NOT used.    So I plan on checking it, and if it's not used as you say, then nothing to worry about I assume.  Hopefully it will bring over the principals though.

    But thanks anyways and I'll mark your comment as an Answer for all your effort.


    spnewbie

    Thursday, October 08, 2015 4:11 PM
  • > Well, I don't know why that checkbox would be there if it's NOT used.
     
    It actually is used - when you COPY a GPO :-)
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, October 09, 2015 6:23 PM
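    As an added example (not code from the thread or from Martin) of what the conclusion means in practice: when you import a backup with Import-GPO and a migration table, the table rewrites the references inside the GPO, but the imported GPO ends up with the target domain's default DACL, so the security filtering has to be set again in the new domain. The function, the backup path, the domain and the group names are placeholders; Import-GPO, Set-GPPermission and Get-GPPermission are the real GroupPolicy module cmdlets.

```powershell
# Added example, not from the thread: import a backed-up GPO into the target
# domain with a migration table (which rewrites references INSIDE the GPO),
# then rebuild the Read + Apply entries yourself, because an import does not
# apply the DACL rows of the migtable to the new GPO.
# All paths, domain and group names below are placeholders.

Import-Module GroupPolicy

function Import-GpoWithFiltering {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $BackupPath,      # folder created by Backup-GPO
        [Parameter(Mandatory = $true)] [string] $BackupGpoName,   # display name inside the backup
        [Parameter(Mandatory = $true)] [string] $MigrationTable,  # .migtable file from the editor
        [Parameter(Mandatory = $true)] [string] $TargetDomain,    # e.g. 'new.example.local' (placeholder)
        [string[]] $ApplyToGroups = @()                           # target-domain groups that should get Read + Apply
    )

    # 1. Settings inside the GPO (security settings, UNC paths, ...) are
    #    translated through the migration table; -CreateIfNeeded creates the
    #    GPO if it does not exist yet in the target domain.
    $gpo = Import-GPO -BackupGpoName $BackupGpoName -Path $BackupPath `
                      -TargetName $BackupGpoName -Domain $TargetDomain `
                      -MigrationTable $MigrationTable -CreateIfNeeded

    # 2. The new GPO gets the target domain's default DACL (Authenticated
    #    Users with Read + Apply), not the source filtering, so set it here.
    if ($ApplyToGroups.Count -gt 0) {
        # Reduce Authenticated Users to Read only: computer accounts still
        # need Read to process the GPO, but it should no longer apply to all.
        Set-GPPermission -Guid $gpo.Id -Domain $TargetDomain `
                         -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead -Replace | Out-Null

        foreach ($group in $ApplyToGroups) {
            Set-GPPermission -Guid $gpo.Id -Domain $TargetDomain `
                             -TargetName $group -TargetType Group `
                             -PermissionLevel GpoApply | Out-Null
        }
    }

    # 3. Return the resulting DACL so it can be compared with the old domain.
    Get-GPPermission -Guid $gpo.Id -Domain $TargetDomain -All
}

# Usage (placeholder values):
# Import-GpoWithFiltering -BackupPath '\\fs01\gpo-backups' -BackupGpoName 'Workstation Baseline' `
#     -MigrationTable '\\fs01\gpo-backups\old-to-new.migtable' -TargetDomain 'new.example.local' `
#     -ApplyToGroups 'GPO-Workstation-Baseline-Apply' | Format-Table Trustee, Permission, Denied
```

    The groups passed in `-ApplyToGroups` are the target-domain counterparts of the old security filtering entries, which is the same mapping the migration table already holds for you; the returned DACL lets you confirm the filtering matches the source before the GPO is linked.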