Switching to Windows Server Essentials 2016 - how does one handle folder / file ownership and security...



Whenever I reformat or upgrade in place, the old installation leaves behind accounts that are then recognized as "S1-..."  and the owner of the files is unknown.

 

These are files / folders on other drives. Is there some specific way to handle the migration so these permissions / owner settings are handled in the process? Or do I have to claim ownership after the fact manually for each that needs changing while removing the ghost entries?

Also network shares on folders - does it make sense to remove these?

I've been doing this for years without really knowing if there is an appropriate way of handling it.

If you do an upgrade to 2016 this won't happen. But when you wipe and load a DC you will have to reapply the security permissions; the SIDs no longer match even if the domain name is the same.

I did an upgrade and saw the S1s and unknown owners. I ended up having to image back to 2012 because of issues with my drives. I'll likely try again in a few days and I guess just manually go through the process. I was wondering if there was a better way of handling it but it doesn't seem like that's the case.

I get by it when migrating servers by using robocopy and the relative switches (Secfix etc) to copy the old NTFS perms over. Don't know if that's possible for you; is the 2016 server on the hardware that 2012 was?

 

If you are using the same shares, you can also extract the reg key from Lanmanager in the registry.

  On 21/01/2017 at 21:17, Mando said:

I get by it when migrating servers by using robocopy and the relative switches (Secfix etc) to copy the old NTFS perms over. Don't know if that's possible for you; is the 2016 server on the hardware that 2012 was?

 

If you are using the same shares, you can also extract the reg key from Lanmanager in the registry.


Robocopy is awesome. We were able to migrate 50+ TB from a Sun Thumper to an EMC Isilon 7 PB server with no permission issues. Made us pretty happy. :)

  On 22/01/2017 at 03:00, AndyD said:

Yeah, same hardware.  I'll give both a look.  Thanks!


I can sort you with the switches to use; I kept a note of them at work, I'll look them out.

 

@norseman yep, as long as you remember the retry and wait switches, so if it can't manage a file or subdir, it will retry x amount of times after x amount of time. A total godsend combined with SECFIX etc. With Windows, I saved days of work by extracting the LANManager reg entries from the source file server and merging them into the registry of the new 2012 R2 server, so even the shares had the right perms :) Combined with robocopy, it saved literally 20 or so man hours.

 

@op due to it landing on the same hardware, any way you could build a VM of the 2012 setup, run it on a host and migrate your shares that way? You'll need both servers "alive" at the same time to use Robocopy.
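
The approach discussed in the replies above (robocopy with the security, retry and wait switches, plus carrying over the share definitions from the registry), as an added example that is not from any poster in the thread. The server name, paths, retry values and output files are placeholders, and the final check for SIDs that no longer resolve goes beyond what the thread describes.

```powershell
# Added example, not from the thread. Run elevated on the NEW server.
# Placeholders (assumptions): OLDSERVER, D:\Shares, C:\Temp, retry values.
$Source = '\\OLDSERVER\D$\Shares'
$Dest   = 'D:\Shares'
$Log    = 'C:\Temp\robocopy-shares.log'

# /E       subfolders, including empty ones
# /COPYALL data, attributes, timestamps, NTFS ACLs, owner, audit entries
# /SECFIX  re-apply security even on files skipped as unchanged
# /R /W    retry count and wait in seconds per failed file
# /ZB      restartable mode, falling back to backup mode on access denied
robocopy $Source $Dest /E /COPYALL /SECFIX /R:3 /W:5 /ZB /NP /TEE "/LOG:$Log"
if ($LASTEXITCODE -ge 8) {   # robocopy: 8 and above means some copies failed
    throw "robocopy reported failures (exit code $LASTEXITCODE), see $Log"
}

# Share definitions and share-level permissions are stored under
#   HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
# On the OLD server:  reg export <that key> C:\Temp\shares.reg /y
# Then, once the folders exist at the same paths on the new server:
reg import 'C:\Temp\shares.reg'
Restart-Service LanmanServer -Force   # shares are re-read on service start

# Copied ACLs keep the original SIDs. If the domain was rebuilt, those SIDs
# will not resolve; list them so they can be re-permissioned deliberately.
$cache = @{}
function Test-SidResolves([System.Security.Principal.SecurityIdentifier]$Sid) {
    if (-not $cache.ContainsKey($Sid.Value)) {
        try   { [void]$Sid.Translate([System.Security.Principal.NTAccount])
                $cache[$Sid.Value] = $true }
        catch { $cache[$Sid.Value] = $false }
    }
    $cache[$Sid.Value]
}

$SidType = [System.Security.Principal.SecurityIdentifier]
Get-ChildItem -LiteralPath $Dest -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl -LiteralPath $path
        $sids = @($acl.GetOwner($SidType)) +
                @($acl.GetAccessRules($true, $true, $SidType) |
                    ForEach-Object { $_.IdentityReference })
        $sids | Where-Object { $_ } | Sort-Object Value -Unique |
            Where-Object { -not (Test-SidResolves $_) } |
            ForEach-Object { [pscustomobject]@{ Path = $path; UnresolvedSid = $_.Value } }
    } | Export-Csv -NoTypeInformation -Path 'C:\Temp\unresolved-sids.csv'
```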
