Import server-local groups (version 6)

migRaven only reads accounts and groups from Active Directory. If you want to migrate servers whose permissions are based on local accounts, these local accounts and groups must first be imported into the migRaven DB. In the past this has most often been necessary for NetApp filers.

Requirement: migRaven version 6.4.1848 dated 30.11.2018

Goal: migrate all server-local permission groups and accounts into domain permissions.

Where: a migRaven Redesign project with the Flatten function enabled.

Requirement: the server-local groups together with their members must be imported into the migRaven DB beforehand.

For Windows Server, use the script below. For NetApp, the NetApp PowerShell Toolkit must be used instead.

Result: new domain permission groups into which the users are flattened. If domain groups (D-groups) were previously authorized, they are flattened as well. If you do not want this, you can exclude accounts based on one of their properties via the following key:

Adjustment of c:\program files\migraven\migraven.exe.config

Without exclusion


Excluding certain groups (the value is a predicate over the account node y; this example leaves every account whose userPrincipalName is in the ads0003 domain out of the flattening):

<add key="Flatten" value="y.type='person' and y.isactive='True' and not (y.userprincipalname =~ '.*@ads0003.*' or y.userprincipalname =~ '.*@ADS0003.*')" />

Export the CSV files for the server-local groups:

This script reads all server-local groups of a Windows server and then determines their members:

$Computer = "SERVER"

# Append one line as UTF-8 without BOM. Out-File -Append writes UTF-16 on Windows PowerShell,
# which LOAD CSV does not read as-is.
function Add-CsvLine([string]$Path, [string]$Line) {
    [System.IO.File]::AppendAllText($Path, $Line + "`r`n")
}

# All local (non-domain) groups of the target server
$gruppen = Get-WmiObject Win32_Group -Filter "LocalAccount='True'" -ComputerName $Computer
foreach ($groupName in $gruppen) {
    $Gname = $groupName.Name
    $Group = [ADSI]"WinNT://$Computer/$Gname,group"
    $members = $Group.psbase.Invoke("Members")
    if ($null -eq $groupName.Description -or $groupName.Description -eq "") { $groupName.Description = "empty" }

    # Group row: GUID <TAB> group SID <TAB> name <TAB> server <TAB> description
    Add-CsvLine "c:\temp\lokaleGruppen.csv" ([System.Guid]::NewGuid().ToString() + "`t" + $groupName.SID + "`t" + $groupName.Name + "`t" + $Computer + "`t" + $groupName.Description)

    foreach ($m in $members) {
        $n = $m.GetType().InvokeMember("Name", 'GetProperty', $null, $m, $null)
        if ($n -notlike "System.*") {
            Write-Host $n
            # Read the member's SID from the directory object itself. Translating the bare name on the
            # machine running the script would not resolve the remote server's local accounts.
            $sidBytes = $m.GetType().InvokeMember("objectSid", 'GetProperty', $null, $m, $null)
            $memb = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
            # Member row: group SID , member SID
            Add-CsvLine "c:\temp\MemberGruppen.csv" ($groupName.SID + "," + $memb)
        }
    }
}

Two CSV files are generated, which are then imported into the migRaven DB via the CSV import described below.

Before running the final scripts, remove the orphaned accounts and ACEs. First delete the ADAccount nodes of the affected objects (repeat for every affected object SID; run the MATCH with RETURN n first, because ENDS WITH '-1009' matches that RID under every domain and machine SID in the database):

MATCH (n:ADAccount) WHERE n.objectSID ENDS WITH '-1009' DETACH DELETE n

Then delete every ACE in the database that is no longer connected to an account:

MATCH (n:ACE) WHERE NOT (n)-[:rel_ace]->() DETACH DELETE n

All built-in entries (the BUILTIN groups and accounts) must be removed from the CSV files before the import!
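The following PowerShell is an added example for this clean-up step and not code from the migRaven article. It takes the two exported files in the layout written by the export script (lokaleGruppen.csv tab-separated with GUID, group SID, name, server and description; MemberGruppen.csv with group SID and member SID), drops the built-in rows, keeps one row per group SID, and keeps only member rows whose group survives. The definition of "built-in" used here (the BUILTIN authority S-1-5-32-* and the one-part well-known SIDs such as Everyone and SYSTEM), the function name Select-ImportableRows and the sample rows are assumptions of this example; the sample rows are constructed.

```powershell
# Added example, not part of the migRaven article. Assumes the CSV layout written by the export script:
#   lokaleGruppen.csv : GUID <TAB> groupSID <TAB> name <TAB> server <TAB> description
#   MemberGruppen.csv : groupSID , memberSID
# "Built-in" is assumed to mean the BUILTIN authority (S-1-5-32-*) and the one-part well-known SIDs
# (S-1-1-0 Everyone, S-1-5-18 SYSTEM, S-1-5-11 Authenticated Users, ...). Machine and domain
# accounts are S-1-5-21-<three sub-authorities>-<RID> and therefore do not match this pattern.
$BuiltinSidPattern = '^(S-1-5-32-\d+|S-1-5-\d+|S-1-[0-4]-\d+)$'

function Test-BuiltinSid([string]$Sid) {
    return $Sid -match $BuiltinSidPattern
}

function Select-ImportableRows {
    param(
        [string[]]$GroupLines,   # lines of lokaleGruppen.csv
        [string[]]$MemberLines   # lines of MemberGruppen.csv
    )
    # Groups: drop built-in SIDs and keep one row per SID. A repeated export run appends a second row
    # with a fresh GUID, which MERGE on objectGUID would turn into a second node for the same group.
    $groupBySid = @{}
    $groups = New-Object System.Collections.Generic.List[string]
    foreach ($line in $GroupLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split "`t"
        if ($f.Count -ne 5) { Write-Warning "malformed group row skipped: $line"; continue }
        $sid = $f[1]
        if (Test-BuiltinSid $sid) { continue }
        if ($groupBySid.ContainsKey($sid)) { Write-Warning "duplicate group $sid, first row kept"; continue }
        $groupBySid[$sid] = $f[2]
        $groups.Add($line)
    }
    # Members: keep only rows whose group survived, drop well-known member SIDs, drop exact duplicates.
    $seen = @{}
    $members = New-Object System.Collections.Generic.List[string]
    foreach ($line in $MemberLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split ','
        if ($f.Count -ne 2) { Write-Warning "malformed member row skipped: $line"; continue }
        if (-not $groupBySid.ContainsKey($f[0])) { continue }
        if (Test-BuiltinSid $f[1]) { continue }
        if ($seen.ContainsKey($line)) { continue }
        $seen[$line] = $true
        $members.Add($line)
    }
    return [pscustomobject]@{ Groups = $groups.ToArray(); Members = $members.ToArray() }
}

# Constructed sample rows: the BUILTIN Administrators group, a custom local group exported twice,
# and as members of the custom group a domain user, a local user and SYSTEM.
$sampleGroups = @(
    "00000000-0000-0000-0000-000000000001`tS-1-5-32-544`tAdministrators`tSERVER`tempty",
    "00000000-0000-0000-0000-000000000002`tS-1-5-21-1111-2222-3333-1005`tShareAdmins`tSERVER`tshare admins",
    "00000000-0000-0000-0000-000000000003`tS-1-5-21-1111-2222-3333-1005`tShareAdmins`tSERVER`tshare admins"
)
$sampleMembers = @(
    "S-1-5-32-544,S-1-5-21-1111-2222-3333-500",
    "S-1-5-21-1111-2222-3333-1005,S-1-5-21-4444-5555-6666-1201",
    "S-1-5-21-1111-2222-3333-1005,S-1-5-21-1111-2222-3333-1001",
    "S-1-5-21-1111-2222-3333-1005,S-1-5-18"
)
$result = Select-ImportableRows -GroupLines $sampleGroups -MemberLines $sampleMembers
$result.Groups    # one row: ShareAdmins
$result.Members   # two rows: the domain user and the local user

# For the real files, read them as UTF-8 and write the result back without a BOM so that LOAD CSV
# reads the first GUID cleanly:
# $r = Select-ImportableRows (Get-Content C:\temp\lokaleGruppen.csv -Encoding UTF8) (Get-Content C:\temp\MemberGruppen.csv -Encoding UTF8)
# [System.IO.File]::WriteAllLines('C:\temp\lokaleGruppen.csv', $r.Groups)
# [System.IO.File]::WriteAllLines('C:\temp\MemberGruppen.csv', $r.Members)
```

Member SIDs that survive the filter but belong to neither a domain account nor an imported local group (the local user S-1-5-21-1111-2222-3333-1001 in the sample) do not match any ADAccount node in the rel_member import below, so no relationship is created for them; compare the kept member rows against the accounts in the database if such members matter for the migration.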

Import the groups from lokaleGruppen.csv as ADAccount nodes (the columns are GUID, SID, name, server and description in that order):

LOAD CSV FROM 'file:///C:/temp/lokaleGruppen.csv' AS line FIELDTERMINATOR '\t'
WITH line, 'MERGE (l:ADAccount {objectGUID:"' + line[0] + '"}) ON CREATE SET l.objectSID = "' + line[1] + '" SET l.name = "' + line[2] + '" SET l.domain = "' + line[3] + '" SET l.commonsid = "0" SET l.type = "group" SET l.sAMAccountName = "' + line[2] + '" SET l.cn = "' + line[2] + '" SET l.distinguishedname = "" SET l.isactive = "True" SET l.department = "" SET l.description = "' + line[4] + '" SET l.displayname = "" SET l.givenName = "" SET l.sn = "" SET l.sAMAccountType = "SAM_NON_SECURITY_GROUP_OBJECT" SET l.ad = "1" SET l.grouptype = "Universal_Security_Group" SET l.adspath = "LDAP://' + line[3] + '/CN=' + line[2] + ',CN=Users,DC=' + line[3] + '"' AS cypher
CALL apoc.cypher.doIt(cypher, {}) YIELD value RETURN value

Note that the statement is assembled as a string: a double quote or backslash in a group name or description breaks the generated Cypher. The same properties can also be set directly from the line columns in a plain LOAD CSV ... MERGE ... SET without apoc, which avoids that problem.

Optional, if the permissions are not displayed after the scan: connect the ACEs to the imported accounts.

USING PERIODIC COMMIT 1000
LOAD CSV FROM 'file:///c:/temp/lokaleGruppen.csv' AS line FIELDTERMINATOR '\t'
MATCH (a:ACE)-[:rel_right0]->(o:ResourceSearch) WHERE a.sid = line[1]
WITH DISTINCT a, line
MATCH (b:ADAccount) WHERE b.objectSID = line[1]
MERGE (a)-[:rel_ace]->(b)

Then create the memberships from MemberGruppen.csv (group SID, member SID):

USING PERIODIC COMMIT 1000
LOAD CSV FROM 'file:///c:/temp/MemberGruppen.csv' AS line FIELDTERMINATOR ','
MATCH (l:ADAccount {objectSID: line[0]})
MATCH (d:ADAccount {objectSID: line[1]})
MERGE (l)-[:rel_member]->(d)

Important: for the local accounts to be displayed in the table, check that all properties of the transferred accounts are completely set, in particular adspath. It should contain the domain, i.e. the value stored under domain. Using an IP address as the domain value as an example, the adspath is corrected in the database with this Cypher statement:

MATCH (n:ADAccount) WHERE n.domain = "10.116.9.38" SET n.adspath = "10.116.9.38" RETURN n



Permanent link to this post: https://help.migraven.com/neo4j-serverlokale-gruppen-importieren/