• Uncategorized
  • 0

Migrate homefolders to OneDrive & auto-configure OneDrive with Group Policy

UPDATED POST for migrating homefolders to OneDrive here: https://thoor.tech/2018/07/updated-2018-07-migrate-homefolders-to-onedrive/

 

More and more companies want to move to the Cloud and take advantage of the Office 365 suite. We know how to migrate mail to Exchange Online but how can we migrate our homefolders to OneDrive?

Microsoft have recently make the SharePoint Migration Tool publicly available to help us do the work.

Preparations:

On the machine that will handle the migration – install the following:

Then create a TXT-file with the UserPrincipalName attribute for the users you want to migrate. Change the Filtering or SearchBase value after your environment.

Get-ADUser -Filter * | select UserPrincipalName | Out-File .\users.txt

Then we have a total of three PowerShell scripts what we need to use.

BulkEnqueueOneDriveSite.ps1
The first script makes a pre-provisioning for each user’s OneDrive. Microsoft does not allocate space for the user until you start OneDrive (via the web or the client installed on the computer), but with the help of the script, administrators can do this.

SetOneDriveAdminPermission.ps1
The second script sets an optional Global Admin as an additional administrator for each user’s OneDrive. If we don’t, we cannot migrate from home directory to the user’s OneDrive using the SharePoint Migration Tool.

Set-ADUsersHomeDirectory.ps1
The third script retrieves the OneDrive security group and its members, then sets the members’ home directories to “Read” instead of “Full Control” so no changes are made during the migration phase.

BulkEnqueueOneDriveSite.ps1 

<#
.SYNOPSIS
 This script adds an entry for each user specified in the input file 
 into the OneDrive provisioning queue.
 
 
.DESCRIPTION
 This script reads a text file with a line for each user. 
 Provide the User Principal Name of each user on a new line.
 An entry will be made in the OneDrive provisioning queue for each
 user up to 200 users.

.EXAMPLE

 .\BulkEnqueueOneDriveSite.ps1 -SPOAdminUrl https://contoso-admin.sharepoint.com -InputfilePath C:\users.txt 

.PARAMETER SPOAdminUrl
 The URL for the SharePoint Admin center
 https://contoso-admin.sharepoint.com

.PARAMETER InputFilePath
 The path to the input file.
 The file must contain 1 to 200 users
 C:\users.txt

.NOTES
 This script needs to be run by a SharePoint Online Tenant Administrator
 This script will prompt for the username and password of the Tenant Administrator
#>

param
(
    #Must be SharePoint Administrator URL
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string] $SPOAdminUrl,
    
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string] $InputFilePath
)

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles") | Out-Null

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SPOAdminUrl)

$Users = Get-Content -Path $InputFilePath

if ($Users.Count -eq 0 -or $Users.Count -gt 200)
{
    Write-Host $("Unexpected user count: [{0}]" -f $Users.Count) -ForegroundColor Red
    return 
}

$web = $ctx.Web
Write-Host "Please enter a Tenant Admin username" -ForegroundColor Green
$username = Read-Host

Write-Host "Please enter your password" -ForegroundColor Green
$password = Read-Host -AsSecureString

$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username,$password )
$ctx.Load($web)
$ctx.ExecuteQuery()

$loader = [Microsoft.SharePoint.Client.UserProfiles.ProfileLoader]::GetProfileLoader($ctx)
$ctx.ExecuteQuery()

$loader.CreatePersonalSiteEnqueueBulk($Users)
$loader.Context.ExecuteQuery()

Write-Host "Script Completed"
Set-OneDriveAdminPermission.ps1

#----
#Set LogfilePath
$LogFilePath = "C:\Users\Administrator\Desktop\AdminUpdate-$(get-date -uformat '%Y-%m-%d-%H_%M').csv"

#----

#Set Variables- AdminUPN must be a global admin account
$adminUPN="admin@contoso.onmicrosoft.com"
$TennantName="contoso"
$secondaryadmin1 = "admin@contoso.onmicrosoft.com"
#$secondaryadmin2 = "admin2@contoso.onmicrosoft.com"

#----

$Credential = Get-Credential -UserName $adminUPN -Message "User Must be a Global Admin"
Connect-SPOService -Url https://$TennantName-admin.sharepoint.com $credential

# Specify your organisation admin central url

$AdminURI = "https://$TennantName-admin.sharepoint.com"
$siteURI = "https://$TennantName-my.sharepoint.com"

$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
$loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials ($credential.UserName, $credential.Password)

# Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it

$proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

# Set variables for authentication cookies

$strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
$uri = New-Object System.Uri($AdminURI)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container

# Sets the first User profile, at index -1

$UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
Write-Output "Starting- This could take a while."
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1

# As long as the next User profile is NOT the one we started with (at -1)...

While ($UserProfileResult.NextValue -ne -1)

{

Write-Output "Examining profile $i of $NumProfiles"

"Examining profile $i of $NumProfiles" | Out-File $LogFilePath -Append

# Look for the Personal Space object in the User Profile and retrieve it

# (PersonalSpace is the name of the path to a user's OneDrive for Business site.

# Users who have not yet created a OneDrive for Business site might not have this property set.)

$Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" }

$Url= $Prop.Values[0].Value

# If OneDrive is activated for the user, then set the secondary admin

if ($Url) {

$sitename = $siteURI + $Url

  try

  {

  #If you change the $false to $true this will add a secondary user rather than remove it

    $temp1 = Set-SPOUser -Site $sitename -LoginName $secondaryadmin1 -IsSiteCollectionAdmin $true

    #$temp2 = Set-SPOUser -Site $sitename -LoginName $secondaryadmin2 -IsSiteCollectionAdmin $true

    Write-Output "Updated Secondary Admins for:" $sitename

    "Updated Secondary Admin for: $sitename" | Out-File $LogFilePath -Append

  }

  catch [System.Exception]

  {

   Write-Output $Error[0].Exception

   $Error[0].Exception| Out-File $LogFilePath -Append

  }

}

# And now we check the next profile the same way...

$UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)

$i++

}

Write-Output "Completed assigning secondary admin to all users"
Set-ADUserHomeDirectoryPermission.ps1

$users = Get-ADGroupMember -Identity "OneDrive for Business Users" | select SamAccountName
foreach ($user in $users){
    $HomeFolders = Get-ADUser $user.SamAccountName -Properties homedirectory | select Homedirectory
        foreach ($HomeFolder in $HomeFolders) {
            $Path = $HomeFolder.Homedirectory
            $Acl = (Get-Item $Path).GetAccessControl('Access')
            $Username = $user.SamAccountName
            $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $Acl.SetAccessRule($Ar)
            Set-Acl -path $Path -AclObject $Acl
            Write-Host "Replacing $Username's Full Control permission to Read on $Path."
        }
}

Migration Phase

Create a .CSV mapping file containing the path to the user’s home directory and URL to the user’s OneDrive. This is the only thing that needs to be changed. Note that no header should be included in the .CSV-file.

Example of the mapping file:

C:\HomeFolders\Anna,,,https://thoor-my.sharepoint.com/personal/anna_thoor_nu/,Documents,
C:\HomeFolders\Bertil,,,https://thoor-my.sharepoint.com/personal/bertil_thoor_nu/,Documents,
C:\HomeFolders\Erik,,,https://thoor-my.sharepoint.com/personal/erik_thoor_nu/,Documents,
C:\HomeFolders\Gunnar,,,https://thoor-my.sharepoint.com/personal/gunnar_thoor_nu/,Documents,
C:\HomeFolders\Kalle,,,https://thoor-my.sharepoint.com/personal/kalle_thoor_nu/,Documents,
C:\HomeFolders\Maria,,,https://thoor-my.sharepoint.com/personal/maria_thoor_nu/,Documents,

Script to create the .CSV mapping file.

$users = Get-Content .\users.txt
$tenantname = "Contoso"

foreach($user in $users){
   $TOCsv = Get-ADUser -Filter {UserPrincipalName -eq $user} -properties homedirectory | select UserPrincipalName, Homedirectory
   $user = $user.Replace('@','_')
   $user = $user.Replace('.','_')
   Add-Content .\BulkUsers.csv "$($ToCSV.Homedirectory),,,https://$tenantname-my.sharepoint.com/personal/$user/,Documents,"

}

ii .\BulkUsers.csv

Double check that the CSV file looks correct!
Try to take one of the user’s OneDrive URL and when logged in with the Global Admin account specified in the second script, try to reach the user’s OneDrive. If this has been done and you can access the URL, then everything is set.

Start the SharePoint Migration Tool and make sure you use the latest version of the tool.

Sign-in with your Global Admin account for the tenant.
Choose “CSV file for bulk migration”

Locate the file created in the previous script. Then click Add and the tool will check the contents of the file. If there are any errors in the file, the tool will say which row that is wrong.
If everything is correct, you will proceed to the next step.

Click Migrate and wait until migration is complete.
Log in to the Office 365 Admin Center for the tenant and check https://portal.office.com/adminportal/home#/reportsUsage/OneDriveSiteUsage

How to auto-configure the OneDrive client with Group Policy

Preparations

Copy the ADMX / ADML files for OneDrive from your own computer, make sure you run the latest version of OneDrive for the most compatibility.

%LocalAppData%\Microsoft\OneDrive\

Go to the folder that has the latest version in the foldername and then the admin folder.
Copy OneDrive.adml and OneDrive.admx and import them into the Group Policy Central Store. Note that OneDrive.adml should be placed at the en-us folder in the Group Policy Central Store.

GPO settings
Create the following settings in the GPO. When linking the GPO, make sure that both users as computer objects can read the GPO.

Find out the customer’s Tenant ID by running the Azure Active Directory PowerShell module. Type Login-AzureRmAccount and log in. Then you will receive the Tenant ID. Save this GUID for it will be used for GPO settings.

When the user logs in, OneDrive will get their GPO settings and when the user then launches OneDrive it will take 1-2 minutes then OneDrive have auto-configured with the following settings:

  • Log into the OneDrive client with credentials that the user logged in to Windows
  • Auto-enabled by Files On Demand (applies only to Windows 10 1709 – Fall Creators Update)
  • Prevents the user from choosing another location for OneDrive than standard
  • Set default location for OneDrive to %userprofile%

If you need to deploy the OneDrive client to Windows 7 computers with Group Policy you can also do that a few days before the migration so the entire company have the same conditions when you migrate their data.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: