Move user accounts and groups for Windows SBS 2011 Standard migration
Updated: January 28, 2011
Applies To: Windows Small Business Server 2011 Standard
This is a required task.
All Windows SBS 2003 users, security groups, and distribution lists are migrated during the initial migration of AD DS. However, the migrated users, security groups, and distribution lists are not automatically displayed in the Windows SBS 2011 Standard Console. You must follow the procedures below to make users and groups manageable from the Windows SBS 2011 Standard Console.
Migrate security groups and distribution lists
To manage these groups, you must assign the Created value to the msSBSCreationState attribute for each group—either automatically by using the Windows SBS 2011 Standard Active Directory Group Converter tool, or manually through the Active Directory Security Interface (ADSI).
To automatically assign attribute values to a migrated group
Under c:\Program Files\Windows Small Business Server\bin, double-click GroupConverter.exe to launch the Active Directory Group Converter, which helps you convert groups in the MyBusiness organizational unit to groups that are compatible with Windows SBS 2011 Standard.
You can convert groups that were created by using either the Windows SBS 2003 Administration Console or the Active Directory Users and Groups Console. To convert the groups, the wizard adds some necessary Active Directory attributes to them.
To manually assign attribute values to a migrated group by using the ADSI Edit tool
1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Security Interface (ADSI) Edit.
   If ADSI Edit is not available on the Administrative Tools menu after you run the Support Tools setup, click Start, type Adsiedit.msc, and then click OK.
2. On the toolbar, click Action, click Connect to, and then click OK to accept the default settings.
3. In the navigation pane, right-click the group that you want to edit, and then click Properties.
4. On the Properties page, click the msSBSCreationState attribute, and then click Edit.
5. In the Integer Attribute Editor dialog box, in the Value text box, type Created, and then click OK. Make sure that you capitalize “C” in “Created.”
6. On the Properties page of the group that you are editing, click the groupType attribute, and then click Edit.
7. In the Integer Attribute Editor dialog box, do the following:
   - For a security group, type -2147483640 in the Value text box.
   - For a distribution list, type 8 in the Value text box.
8. Click OK to save your changes and to close the Properties page.
9. Repeat steps 3 through 8 for each migrated group that you want to manage in the Windows SBS 2011 Standard Console.

When you restart or refresh the ADSI Edit Console, the groups are displayed in the appropriate distribution list or security group lists.
If you want a group to appear as a distribution list, the group must have a valid email address.
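The following PowerShell sketch is an added example, not part of the original page or of any Microsoft tool. It checks groups against the values the manual procedure sets (msSBSCreationState, groupType, and the email address requirement for distribution lists) and goes slightly beyond the page by decoding the groupType bit flags. The function name Get-SbsGroupReadiness, the sample groups, and the distinguished name in the closing comment are assumptions made for illustration.

```powershell
# Added example, not from the original page. groupType is a signed 32-bit bit field.
$SecurityEnabled = [int]::MinValue                  # 0x80000000: security-enabled group
$ScopeNames = @{ 2 = 'Global'; 4 = 'DomainLocal'; 8 = 'Universal' }

function Get-SbsGroupReadiness {                    # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)] $Group)
    process {
        $gt = [int]$Group.groupType
        $isSecurity = ($gt -band $SecurityEnabled) -ne 0
        $scope = $ScopeNames[($gt -band 14)]        # 14 = scope bits 2 + 4 + 8
        if (-not $scope) { $scope = 'Other' }
        $issues = @()
        # -cne is case-sensitive: the procedure requires a capital "C" in "Created".
        if ($Group.msSBSCreationState -cne 'Created') {
            $issues += 'msSBSCreationState is not "Created"'
        }
        # The procedure sets -2147483640 (security group) or 8 (distribution list).
        if ($gt -ne -2147483640 -and $gt -ne 8) {
            $issues += "groupType $gt ($scope) is neither -2147483640 nor 8"
        }
        # A distribution list is only shown as one if it has an email address.
        if (-not $isSecurity -and -not $Group.mail) {
            $issues += 'distribution list without an email address'
        }
        New-Object PSObject -Property @{
            Name = $Group.Name; Scope = $scope; Security = $isSecurity
            Ready = ($issues.Count -eq 0); Issues = ($issues -join '; ')
        }
    }
}

# Constructed sample input standing in for migrated groups.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Accounting'; groupType = -2147483640
        msSBSCreationState = 'Created'; mail = $null }),
    (New-Object PSObject -Property @{ Name = 'Sales'; groupType = -2147483646
        msSBSCreationState = $null; mail = $null }),
    (New-Object PSObject -Property @{ Name = 'Newsletter'; groupType = 8
        msSBSCreationState = 'created'; mail = $null })
)
$sample | Get-SbsGroupReadiness | Select-Object Name, Scope, Security, Ready, Issues

# On the Destination Server, feed it live data instead (the DN is a placeholder):
# Import-Module ActiveDirectory
# Get-ADGroup -Filter * -SearchBase 'OU=MyBusiness,DC=example,DC=local' `
#     -Properties groupType, msSBSCreationState, mail | Get-SbsGroupReadiness
```

In the constructed sample, only Accounting is reported as ready; Sales is still a global security group with no creation state, and Newsletter fails on the lowercase "created" and the missing email address.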
Migrate user accounts
Before you migrate user accounts, you can create custom roles by using the Add a New User Role Wizard. You can then use the new user role when you migrate the user accounts to the Destination Server.
To migrate user accounts
1. In the Migration Wizard, on the Migration Wizard Home page, click Migrate users and groups, and then click Next.
2. On the Migrate groups page, click Next.
3. On the Migrate user accounts page, click Run the Change User Role Wizard.
4. On the Select new user role page, select the type of user role that you want the user account to have in Windows SBS 2011 Standard, and then choose which of the following ways you want to apply the permissions and settings:
   - You can replace any permissions or settings that are granted to the user account.
   - You can add the Windows SBS 2011 Standard permissions and settings where applicable.
5. On the Select user accounts page, choose the user accounts to apply the role type to, and then click Next.
   To view the user accounts that were migrated from the Source Server, in the Users list view, click the Display all the user accounts in the Active Directory check box.
6. When the wizard finishes, click Finish. The user account role type is changed to the role type that you selected.
7. Repeat steps 3 through 6 until you apply permissions and settings to all user accounts that were migrated.
8. When you finish applying permissions and settings to all user accounts, click Task complete, and then click Next.
By default, user accounts that were migrated from the Source Server do not need to meet the Windows SBS 2011 Standard password policies, which are applied to new user accounts in Windows SBS 2011 Standard. When a user with a migrated user account resets or changes their password, they are required to meet the Windows SBS 2011 Standard password policy. If the Windows SBS 2011 Standard password policy is changed to make it stronger (for example, more complex or longer password length), all users, including users with migrated user accounts, are required to reset their passwords to meet the new password policy.
To help secure your network, we recommend that you delete the STS Worker, SBSBackup, IUSR_SBS, and IWAM_SBS user accounts and any other user account or group that is not used.
Map permitted computers to user accounts
In Windows SBS 2003, if a user connects to Remote Web Access, all computers in the network are displayed. This may include computers that the user does not have access rights to. In Windows SBS 2011 Standard, a user must be explicitly assigned to a computer for it to be displayed in Remote Web Access. Each user account that is migrated from Windows SBS 2003 must be mapped to one or more computers.
To map user accounts to computers
1. Open the Windows SBS 2011 Standard Console.
2. In the navigation bar, click Users and Groups.
3. In the list of user accounts, right-click a user account, and then click Edit user account properties.
4. Click the Computers tab, and then assign one or more client computers to the user account. You can also set the local access rights on each client computer.
5. Repeat steps 3 and 4 for each user account.
If you want to set default client computers for remote users, click the Remote Access tab, and in the User Account Properties set a default client computer for each user who needs remote access.
You do not need to change the configuration of the client computer. The client computer is configured automatically.