Score:0

How to migrate User Data to OneDrive without granting administrators permissions

pa flag

Performing a migration of all users "personal" files to OneDrive and I'm quite new to this all.

My small organization is in the process of migrating to SharePoint and OneDrive, and our Users are not synced between On Premise AD and AzureAD/365.

Pretty straightforward right, use SharePoint Migration Tool, use an admin account that has read access to FS shares and a Microsoft account that has access to the destination, and set up CSV with sources and destinations.

Problem: the Folder Redirect GPO has the setting:

  • Grant the user exclusive rights. This setting is enabled by default and is a recommended setting. This setting specifies that the administrator and other users do not have permissions to access this folder.

No admin rights on the targeted files. And the SharePoint Migration Tool requires READ rights on the source and READ/WRITE on the destination of the migration.

So we have something akin to:

\\fileserver\users\user1\Documents
\\fileserver\users\user2\Documents

Admin Full Control ends after \user1\ and anything beyond requires taking ownership ...

Now my original idea was to just take ownership recursively, migrate to OneDrive and be done with that; my "boss's" view is that there should be a way with user logins.

Running completely blank...

Mostly looking for ideas, alternatives or warnings for problems that I would not be expecting.

If it can't be done like this, it can't be done...

cn flag
`For GDPR reasons, admins are not supposed to have read access to user documents` Says who? Someone has to be able access them. This is nonsense. If you make a statement like that, you need to be able to provide hard data to support it.
paypercorn avatar
pa flag
Not my statement per se, but it's the limitation put on us; my "manager" is a GDPR referee in our public organization, and it's set up that way.
cn flag
GDPR typically applies where entities are interacting with the public. To ensure the data they provide the entity is used in the manner specified in their agreement, and limit the types of data collected and usages. This forum, and M365 in particular are typically used by end user organizations, where most of the data is private/internal and belongs to the entity. Furthermore, you cannot even provide any assurance whatsoever that other entities, such as Microsoft employees, can access the data. Which they certainly can, unless you have encrypted it.
cn flag
In other words, your question would be simpler and easier to present and answer if you removed all of the non-relevant information on GDPR and just asked how to migrate and manage the data without granting administrators permissions. There are much better ways to protect confidentiality of data than co-mingling non-related concepts and assuming permissions are the solution.
paypercorn avatar
pa flag
You're definitely correct, wanted to illustrate context but waste of time, adjusted the post. For more unnecessary context, my entity is a public one, which may lead to a more rigid application of GDPR.
Score:0
cv flag

You can migrate user data to OneDrive without ever needing to touch user data.

You'll first need to disable your existing Folder Redirection and have the user folders redirected back to the default location. Then you'll need to implement a OneDrive KFM GPO to redirect the user folders to OneDrive.

This doesn't require that admins access user folders in any way, shape, or form.

https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789199(v=ws.11)

As for Microsoft accessing your data, if you have the licensing for it, you can implement Microsoft Purview Customer Lockbox to ensure that they don't without your explicit approval.

https://learn.microsoft.com/en-us/microsoft-365/compliance/customer-lockbox-requests?view=o365-worldwide

paypercorn avatar
pa flag
Wish I could do it that way and it's what we want to enable once their account has been pre-provisioned (by migrating current folders). Currently this is not an option as OneDrive redirect / syncing does not like Fileserver redirect. https://serverfault.com/questions/1023197/redirect-known-folder-locations-automatically-to-onedrive-not-to-working-properl
paypercorn avatar
pa flag
Tested it out on a user unaffected by GPO, OneDrive Known Folder Sync is available until the GPO is applied and his Documents are moved to the network share.
joeqwerty avatar
cv flag
I'm not quite understanding what you're saying, but the users' folder redirection to the network share needs to be disabled and the users' folders need to be redirected back to the local profile before you can implement the OneDrive KFM.
paypercorn avatar
pa flag
That's what I meant :^)
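The procedure in the accepted answer (disable Folder Redirection, let the known folders land back in the local profile, then apply the OneDrive KFM GPO) only works when those steps happen in that order, and paypercorn's test shows KFM is offered only while Documents is still local. The PowerShell below is an added readiness check, not code from this thread or from Microsoft: run in the user's own session it reads the User Shell Folders values and the OneDrive policy registry values that the KFM GPO writes, and reports whether the workstation is in the state the answer requires, without any administrator touching the user's files. The function names and the `<TENANT-GUID>` placeholder are assumptions.

```powershell
# Added example (not from the thread). Run as the logged-on user; no admin
# access to the user's data is needed because only registry values are read.

function Get-KnownFolderState {
    # Documents, Desktop and Pictures are the folders KFM can move.
    $shellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $shell = Get-ItemProperty -Path $shellKey
    $folders = [ordered]@{ Documents = 'Personal'; Desktop = 'Desktop'; Pictures = 'My Pictures' }

    foreach ($name in $folders.Keys) {
        $raw  = $shell.($folders[$name])
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)

        # A UNC path means Folder Redirection is still pointing at the file server.
        $location = if ($path -like '\\*') { 'FileServer' }
                    elseif ($env:OneDrive -and $path -like "$env:OneDrive*") { 'OneDrive' }
                    elseif ($path -like "$env:USERPROFILE*") { 'LocalProfile' }
                    else { 'Other' }

        [pscustomobject]@{ Folder = $name; Path = $path; Location = $location }
    }
}

function Get-KfmPolicyState {
    # These value names are the ones the OneDrive KFM GPO writes
    # (Silently move / Prompt users / Prevent users from redirecting back).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    [pscustomobject]@{
        SilentOptInTenant           = $p.KFMSilentOptIn                 # REG_SZ, tenant ID
        SilentOptInWithNotification = $p.KFMSilentOptInWithNotification # DWORD 1
        OptInWithWizardTenant       = $p.KFMOptInWithWizard             # REG_SZ, tenant ID
        BlockOptOut                 = $p.KFMBlockOptOut                 # DWORD 1
    }
}

function Test-KfmReadiness {
    # Hypothetical helper: returns $true only when every known folder is back in
    # the local profile (or already in OneDrive) AND a KFM policy is in place.
    param([string]$ExpectedTenantId = '<TENANT-GUID>')  # placeholder, replace with your tenant ID

    $problems = @()
    foreach ($f in Get-KnownFolderState) {
        if ($f.Location -eq 'FileServer') {
            $problems += "$($f.Folder) is still redirected to $($f.Path); disable Folder Redirection first."
        } elseif ($f.Location -eq 'Other') {
            $problems += "$($f.Folder) points at an unexpected location: $($f.Path)."
        }
    }

    $kfm = Get-KfmPolicyState
    $tenant = if ($kfm.SilentOptInTenant) { $kfm.SilentOptInTenant } else { $kfm.OptInWithWizardTenant }
    if (-not $tenant) {
        $problems += 'No KFM policy found (KFMSilentOptIn / KFMOptInWithWizard not set).'
    } elseif ($tenant -ne $ExpectedTenantId) {
        $problems += "KFM policy targets tenant $tenant, expected $ExpectedTenantId."
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: report per-folder state, then the overall verdict.
Get-KnownFolderState | Format-Table -AutoSize
Test-KfmReadiness -ExpectedTenantId '<TENANT-GUID>'
```

When a folder still shows `FileServer`, the Folder Redirection policy has not yet been removed with the "redirect the folder back to the local user profile location when the policy is removed" behaviour, which is the prerequisite the answer calls out; applying the KFM GPO before that point reproduces the failure paypercorn observed.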