Move user accounts and groups for Windows SBS 2008 migration
Updated: November 12, 2009
Applies To: Windows SBS 2008
Note
This is a required task.
Migrate security groups and distribution lists
All Windows SBS 2003 security groups and distribution lists are migrated during the initial migration of Active Directory Domain Services (AD DS). However, the migrated security groups and distribution lists are not automatically displayed in the Windows SBS Console. To manage these groups, you must assign the Created value to the msSBSCreationState attribute for each group—either automatically, using the Windows Small Business Server 2008 Active Directory Group Converter tool, or manually, through the Active Directory Security Interface.
To automatically assign attribute values to a migrated group
Download the Windows Small Business Server 2008 Active Directory Group Converter from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=141892).
The Windows Small Business Server 2008 Active Directory Group Converter helps you convert groups in the MyBusiness organizational unit to groups that are compatible with Windows SBS 2008.
You can convert groups that were created by using either the Windows SBS 2003 Administration Console or the Active Directory Users and Groups console. To convert the groups, the wizard adds some necessary Active Directory attributes to them. After you convert groups to Windows SBS 2008 compatible groups, you can manage the groups by using the Windows SBS Console.
To manually assign attribute values to a migrated group
1. On the Destination Server, click Start, click Administrative Tools, and then click Active Directory Security Interface (ADSI) Edit.
   Note
   If ADSI Edit is not available on the Administrative Tools menu after you run the Support Tools setup, click Start, type Adsiedit.msc, and then click OK.
2. On the toolbar, click Action, click Connect to, and then click OK to accept the default settings.
3. In the navigation pane, right-click the group that you want to edit, and then click Properties.
4. On the Properties page, click the msSBSCreationState attribute, and then click Edit.
5. In the Integer Attribute Editor dialog box, in the Value text box, type Created, and then click OK. Make sure that you capitalize “C” in “Created.”
6. On the Properties page of the group that you are editing, click the groupType attribute, and then click Edit.
7. In the Integer Attribute Editor dialog box, do the following:
   - For a security group, type -2147483640 in the Value text box.
   - For a distribution list, type 8 in the Value text box.
8. Click OK to save your changes and to close the Properties page.
9. Repeat steps 3 through 8 for each migrated group that you want to manage in the Windows SBS Console.
When you restart or refresh the ADSI Edit console, the groups are displayed in the appropriate distribution list or security group lists.
Note
If you want a group to appear as a distribution list, the group must have a valid e-mail address.
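The manual procedure above, scripted for every group in one organizational unit, as an added PowerShell example (it is not part of the original page and is not the Group Converter tool). It assumes PowerShell 2.0 or later on the Destination Server; the OU distinguished name is a placeholder, and the parameter names `OuDn` and `Apply` are this example's own. It picks between the page's two groupType values from each group's existing security-enabled bit, so a security group is never rewritten as a distribution list.

```powershell
param(
    [string]$OuDn = 'OU=MyBusiness,DC=example,DC=local',  # placeholder DN: use your domain's
    [switch]$Apply                                        # omit to report only
)

# groupType values from the manual procedure.
$SecurityGroupType = -2147483640   # 0x80000000 (security enabled) + 0x8 (universal)
$DistributionType  = 8             # 0x8 (universal), security bit clear

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$OuDn"
$searcher.Filter     = '(objectCategory=group)'
$searcher.PageSize   = 500
foreach ($p in 'distinguishedName', 'groupType', 'msSBSCreationState', 'mail') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

foreach ($r in $searcher.FindAll()) {
    $dn      = [string]$r.Properties['distinguishedname'][0]
    $oldType = [int]$r.Properties['grouptype'][0]
    $state   = [string]$r.Properties['mssbscreationstate']   # empty string when unset
    $mail    = [string]$r.Properties['mail']

    # Keep each group's kind: the high bit marks a security group (usable in ACLs).
    $isSecurity = ($oldType -band 0x80000000) -ne 0
    $kind       = if ($isSecurity) { 'security' } else { 'distribution' }
    $newType    = if ($isSecurity) { $SecurityGroupType } else { $DistributionType }
    $needsFix   = ($state -cne 'Created') -or ($oldType -ne $newType)

    $result = 'unchanged'
    if ($needsFix -and -not $Apply) { $result = 'would update' }
    if ($needsFix -and $Apply) {
        try {
            $g = $r.GetDirectoryEntry()
            $g.Put('msSBSCreationState', 'Created')   # capital C, as the procedure requires
            $g.Put('groupType', $newType)
            $g.SetInfo()
            $result = 'updated'
        } catch { $result = "FAILED: $($_.Exception.Message)" }
    }
    if (-not $isSecurity -and -not $mail) { $result += ' (no e-mail address set)' }

    New-Object PSObject -Property @{ Group = $dn; Kind = $kind; State = $state; Result = $result } |
        Select-Object Group, Kind, State, Result
}
```

Run it once without `-Apply` and review the "would update" rows before writing any changes.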
Change user account roles
Note
Before you migrate user accounts, you can create custom roles by using the Add a New User Role Wizard. You can then use the new user role when you migrate the user accounts to the Destination Server.
To migrate user accounts
1. In the Migration Wizard, on the Migration Wizard Home page, click Migrate users and groups, and then click Next.
2. On the Migrate groups page, click Next.
3. On the Migrate user accounts page, click Run the Change User Role Wizard.
4. On the Select new user role page, select the type of user role that you want the user account to have in Windows SBS 2008, and then choose how you want to apply the permissions and settings.
   - Either you can replace any permissions or settings that are granted to the user account, or
   - You can add the Windows SBS 2008 permissions and settings where applicable.
   Click Next.
5. On the Select user accounts page, choose the user accounts to apply the role type to, and then click Next.
   Note
   To view the user accounts that were migrated from the Source Server, in the Users list view, click the Display all the user accounts in the Active Directory check box.
6. When the wizard finishes, click Finish. The user account role type is changed to the role type that you selected.
7. Repeat steps 3 through 6 until you apply permissions and settings to all user accounts that were migrated.
8. When you finish applying permissions and settings to all user accounts, click Task complete, and then click Next.
Note
By default, user accounts that were migrated from the Source Server do not need to meet the Windows SBS 2008 password policies, which are applied to new user accounts in Windows SBS 2008. When a user with a migrated user account resets or changes their password, they are required to meet the Windows SBS 2008 password policy. If the Windows SBS 2008 password policy is changed to make it stronger (for example, more complex or longer password length), all users, including users with migrated user accounts, are required to reset their passwords to meet the new password policy.
Important
To help secure your network, it is recommended that you delete the STS Worker, SBSBackup, IUSR_SBS, and IWAM_SBS user accounts and any other user account or group that is not used.
Map permitted computers to user accounts
In Windows SBS 2003, if a user connects to Remote Web Workplace, all computers in the network are displayed. This may include computers that the user does not have access rights to. In Windows SBS 2008, a user must be explicitly assigned to a computer for it to be displayed in Remote Web Workplace. Each user account that is migrated from Windows SBS 2003 must be mapped to one or more computers.
To map user accounts to computers
1. Open the Windows SBS Console.
2. In the navigation bar, click Users and Groups.
3. In the list of user accounts, right-click a user account, and then click Edit user account properties.
4. Click the Computers tab, and then assign one or more client computers to the user account. You can also set the local access rights on each client computer.
5. Repeat steps 3 and 4 for each user account.
After mapping user accounts to client computers, you can set a default computer for remote access. Go to the Remote Access tab, and then, in the user account properties, set a default client computer for each user who needs to access the network remotely.
Note
You do not need to change the configuration of the client computer. It is configured automatically.