Non AD to AD upgrade strategy.

p3ter (Newbie) - Posted: 07 May 2008 at 11:03am
Thanks so much for the help Jono.
 
We came across a number of additional problems that made this even more complicated, so it's become a very manual task!
  • Converting the table from the old version created Unicode conversion problems - all members with international characters in their usernames were replaced with the '' symbol (e.g. Björn Fältskog becomes Bjrn Fltskog)
  • Our company standard is to 'anglify' international characters using the standard English alphabet (e.g. Björn Fältskog becomes Bjorn Faltskog)

So... it's become simpler to manually check & amend all users before updating them to AD users.

We also realized that since it will be a lot of work, we should try to purge all old users, and ignore all users that are no longer at the company - for historical purposes it's good that all old posts have a 'real' owner (deleting the user would mean that all their posts become owned by the username 'Guests') but they don't need to become AD users, and this will save us some time in the manual editing.
 
So the goals are:
  • Remove ALL users who have never posted - they can update their member profile in their new automatically created AD user.
  • Leave all ex-employees with any posts as 'local' users
  • Leave current employees with very low post counts as 'local users'
  • Rename all current & active users using their AD name.
  • Update all current & active users to AD users. (change the user_code field to 'DOMAIN\User name') with the now correct user name.
Since we need the old forum to stay in production and this is taking a long time, this is the process we are following:
  1. Back up the old 7.7 forum database
  2. Install a test version of 9.x forum in a new folder
  3. Create a new empty SQL database for 9.x
  4. Import all old database tables into new database
  5. Setup & Configure new 9.x forum
  6. Run 'Batch Delete Members' to remove ALL users who have never posted, irrespective of signup date
  7. Ask internal systems for an exported list that compares 'AD Name' to 'Real Name'
  8. Decide a 'break point' for manual user checking, of e.g. 25 posts.
  9. Go into Admin/Member Administration & Sort by # Posts (descending)
  10. Manually check every username against their AD user - rename to AD user as necessary.
  11. For renamed users with international characters, enter their 'plain english' AD name, and also enter their 'real name' in the real name field.

Remaining steps - not done yet.

Create the correct user_code field similar to in Jono's instructions above. (Actually, we have done it with a query that takes into account employment, signup date & number of posts and excludes admin users, so we are using "where Author_ID" followed by a big list of authors that are:
a) currently employed
b) have posted more than 'n' posts
c) not local admin users)
I'm not sure of the value of Jono's 'CheckWebWizAgainstNT' vbscript, since we will have so many exceptions anyway, but I'll try it just to see.
 
Finally, merge the new amended users table with the other currently running 7.7 forum tables, import into the new forum, Pay Bruce some money (unbranded for our corporate intranet), and Go Live!
 
 

Jono (Mod Builder Group) - Posted: 08 May 2008 at 6:47pm

Well, that's quite a bit of work ahead of you. The Unicode issue would be my biggest problem, but this may be helpful: http://forums.webwiz.net/forum_posts.asp?TID=25696

It would probably be possible to write a script to query your live database and return a list of exceptions (i.e. members who do not look like they have an AD account). You could then go through this list to see if they are valid or not (and update their Username).

The following may be useful if you want to extract a list of users from AD: http://www.rlmueller.net/DocumentUsers.htm
You can add virtually any AD attribute, and this is an excellent site to find which attribute is which: http://www.wisesoft.co.uk/Scripts/activedirectoryschema.aspx
 
Let us know how you get on.
 
Jono
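
Added example (not part of the original posts, and not Web Wiz code): a sketch of the exception report discussed above, which applies the 'anglify' rule and the post-count break point and only proposes a user_code when a forum name maps to exactly one AD account and no other forum name maps to the same one. The record keys (name, posts, is_admin, login, real_name), the EXAMPLE domain and the sample rows are assumptions made for illustration.

```python
import unicodedata
from collections import defaultdict

DOMAIN = "EXAMPLE"  # placeholder domain name (assumption)
MIN_POSTS = 25      # the 'break point' from the thread

def fold(name):
    """Strip diacritics, lowercase and collapse spaces (Björn -> bjorn)."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())

def reconcile(forum_users, ad_users):
    """Return (updates, exceptions); only unambiguous 1:1 matches are updated."""
    ad_by_key = defaultdict(set)
    for ad in ad_users:
        for key in (fold(ad["real_name"]), fold(ad["login"])):
            ad_by_key[key].add(ad["login"])
    updates, exceptions, claims = {}, [], defaultdict(list)
    for user in forum_users:
        hits = ad_by_key.get(fold(user["name"]), set())
        if user["is_admin"]:
            exceptions.append((user["name"], "local admin"))
        elif user["posts"] < MIN_POSTS:
            exceptions.append((user["name"], "below post threshold"))
        elif len(hits) != 1:
            exceptions.append((user["name"], "ambiguous" if hits else "no AD match"))
        else:
            claims[next(iter(hits))].append(user["name"])
    for login, names in claims.items():
        if len(names) == 1:
            updates[names[0]] = DOMAIN + "\\" + login
        else:  # several forum accounts would inherit one AD identity
            exceptions += [(n, "collides on " + login) for n in names]
    return updates, exceptions

# Constructed sample data (not from the thread's database or directory).
FORUM_USERS = [
    {"name": "Björn Fältskog", "posts": 120, "is_admin": False},
    {"name": "Bjorn Faltskog", "posts": 31, "is_admin": False},
    {"name": "Bjrn Fltskog", "posts": 40, "is_admin": False},
    {"name": "Anna Lind", "posts": 77, "is_admin": False},
    {"name": "Development", "posts": 300, "is_admin": False},
    {"name": "Admin", "posts": 50, "is_admin": True},
]
AD_USERS = [
    {"login": "bfaltskog", "real_name": "Bjorn Faltskog"},
    {"login": "alind", "real_name": "Anna Lind"},
]
```

Calling reconcile(FORUM_USERS, AD_USERS) proposes a user_code only for Anna Lind; the two spellings that fold to the same AD login, the conversion-damaged name and the department account all land in the exception list for manual review.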

p3ter (Newbie) - Posted: 12 May 2008 at 12:35pm
Another issue we have come across is that we need to retain a number of 'special' users that are not linked to AD login - we have some non-individual Admin/Mod level users that are used to post official notices from certain departments, so the login name is "Department Name" rather than "User Name".

Since you can't stop the forum from automatically logging in the current windows user, these users will need to manually login as a standard (non-AD) user using login_user.asp, and then, when they have finished, manually log out using log_off_user.asp. I'm considering making a small modification to the default page footer to get around this, i.e. by modifying default.asp line 890:
 
Quote:
<span class="smText"><a href="mark_posts_as_read.asp<% = strQsSID1 %>" class="smLink"><% = strTxtMarkAllPostsAsRead %></a> :: <a href="remove_cookies.asp<% = strQsSID1 %>" class="smLink"><% = strTxtDeleteCookiesSetByThisForum %></a> :: <a href="login_user.asp" class="smLink">Manual Login</a> :: <a href="log_off_user.asp" class="smLink">Manual Logout</a><br /><br /><% = strTxtCookies %></span><br />

Which gives:

Quote:
Mark all posts as read :: Delete cookies set by this forum :: Manual Login :: Manual Logout
Cookies and JavaScript must be enabled on your web browser in order to use this forum

instead of the original:

Quote:
Mark all posts as read :: Delete cookies set by this forum
Cookies and JavaScript must be enabled on your web browser in order to use this forum
 
I realize this breaks the style a little, but putting these links up the top where they 'should' be would most likely cause confusion for the majority of AD users.

p3ter (Newbie) - Posted: 14 May 2008 at 12:52pm
Related to the post above, I now have a new problem with 'Special Users' - when I try to add a new non-AD user using the Admin control panel 'Add new member' feature, I get:
 
HTTP 500 Internal Server Error
 
Is it not possible to add new 'local' users once AD login is activated?
 
And, I cannot promote a new AD user to be an Administrator then log in, since it asks for a non-existent password.
 
So, it looks like I can only log in as Admin with 'Non-AD' users with admin rights, and only where the user was created before upgrading the forum and configuring AD login.

And, if I try to rename an existing user that has admin rights, I lose the ability to log in as Admin with that user. (I still can log in manually as a local user, with a direct link to login_user.asp, but when logging in via admin.asp I just get an "insufficient permissions" error.)
 
This is rather chaotic, and is a showstopper for my implementation which is dependent on department/group level (non-AD) 'users' being able to log in manually in parallel to the AD login system - does anyone have any ideas?

WebWiz-Bruce (Admin Group, Web Wiz Developer) - Posted: 14 May 2008 at 4:08pm
When you use AD you should only use AD and not non-AD login for the forum.

The built in admin account which is not AD should be left 'as is' and used for logging into the admin area. As the admin area should only need to be entered infrequently once the forum is set up this should not be an issue and for security reasons it is recommended you only have one admin account, if other user accounts need more privileges then you should look at making them moderators.

p3ter (Newbie) - Posted: 14 May 2008 at 4:32pm

The problem is twofold, the 'Admin' issue we can live with, however we do need to maintain a number of 'Team/Department/Role' usernames that are used for posting official messages in different parts of the forum. This is critical for us in separating "unofficial" information, (the personal or professional opinions of the posters), from "official statements", (e.g. an official announcement or policy decision from a central department).

There are other reasons too - the R&D department for example may want the ability to directly comment on technical issues semi-anonymously (by posting from a username called 'Development' for example), without risking that they will become the 'go to guy' for all future questions on that product.
 
In a community forum I can understand that it's all about the individual member, but in a corporate environment it's important that the credibility of certain topics can be boosted above simply the level of 'who posted it', and in a company with average levels of staff turnover it is important that official statements can live longer than the employment contract of the person who posted them.
 
This is 'non-negotiable' for me, so if I can't get it to work, I won't be upgrading. Apart from the fact that the functionality is a bit flaky today, what is the real risk of allowing both Local and AD users? I have tested combining the two for normal forum use (posting, moderating etc) very successfully using the manual Login/Logout links above, the only limitation being that I cannot modify the local users in any way while AD user management is enabled.

Since this is so important, in the short term I would be prepared to accept heavy limitations in this functionality (even to the level of needing to disable posting, and temporarily reconfigure to local user management just to create or maintain a local user) but of course if there is little technical reason why I need to do this, I would prefer a smarter solution.
 
I would appreciate a quick risk analysis on working in this way if possible.
 
 

WebWiz-Bruce (Admin Group, Web Wiz Developer) - Posted: 14 May 2008 at 4:50pm
The problem is that Web Wiz Forums has not been developed for mixed login types, which means that you will find problems like the ones you mention.

If you are prepared for the odd error message and getting your hands dirty in the code you can get mixed login types to work, just that it's not something that has been developed or tested.

p3ter (Newbie) - Posted: 16 May 2008 at 9:29am
We tested a brute-force workaround to this, which was deemed as 'just about' acceptable:
  1. In functions_windows_authentication.asp set blnWindowsAuthentication = False
  2. Log in to admin section of the forum and create a new user
  3. In functions_windows_authentication.asp set blnWindowsAuthentication = True

Then use the mods I mentioned previously (direct link to login_user.asp and log_off_user.asp in page footer) to allow temporary use of local users when necessary.

It's not pretty, and any changes, no matter how small, to these 'special' users will require taking the forum offline and temporarily disabling windows authentication, but it will do for now, so as of yesterday we are the proud owners of a Premium Edition Single Site Brand Free License.

 

Thanks for the assistance Bruce & Jono!
