[SOLVED] Upgrading from old Zope 2 - user management issues

I've inherited an old Zope 2.10 website. From what I can tell the current iteration was installed from the Plone 3.1 UnifiedInstaller.
I understand the recommendation is to make the update over multiple hops.
The first hop I've chosen is using the Plone 4.3 UnifiedInstaller.
The standalone installation seems like it is working fine, except I'm having user management issues.

1 ) I cannot change the basic acl_users into a PAS.
I found an old thread saying the procedure is to create a PAS in a different folder, then delete the root acl_users and move the PAS to root.
This doesn't work. As soon as I delete the root acl_users the ZMI logs me out and I cannot get back in. So, I end up restoring the backup Data.fs.

2 ) I can only log in as the initial "admin" user.
I realized I don't really need to emulate the existing website. A basic acl_users should work in the root location.
The issue is, any users I create in acl_users cannot login.
I've tried different users. I've tried changing the passwords. Still, only "admin" can login.
Here is the error from the Zope error log from trying to login as not-admin:

User Name (User Id) Anonymous User (None)
Request URL http://redacted_ip/manage
Exception Type  Unauthorized
Exception Value You are not authorized to access this resource.
Traceback (innermost last):

Module ZPublisher.Publish, line 127, in publish
Module ZPublisher.BaseRequest, line 623, in traverse
Module ZPublisher.HTTPResponse, line 756, in unauthorized
Unauthorized: You are not authorized to access this resource.

REQUEST
form
cookies
tree-s  'eJyLjlZyhANXW6XYWAAtFgTB'
lazy items
SESSION <bound method SessionDataManager.getSessionData of <SessionDataManager at /session_data_manager>>
other
TraversalRequestNameStack []
URL 'http://redacted_ip/manage'
VIRTUAL_URL 'http://redacted_ip/manage'
SERVER_URL  'http://redacted_ip'
traverse_subpath  []
PUBLISHED <plone.app.theming.zmi.NoThemeDTMLFile object at 0x7f889c188490>
method  'GET'
ACTUAL_URL  'http://redacted_ip/manage'
VIRTUAL_URL_PARTS ('http://redacted_ip', 'manage')
URL0  http://redacted_ip/manage
URL1  http://redacted_ip
BASE0 http://redacted_ip
BASE1 http://redacted_ip
BASE2 http://redacted_ip/manage

I suppose I can delete all the objects other than the root acl_users on a throw away Zope 2.10 test server, then load the cleaned up Data.fs in the Zope 2.13 site, but I'd like to understand why new root level users can't log in in-case it happens in the future on a production server.

I cannot change the basic acl_users into a PAS.

Try adding a new Plone site. The install steps for Products.PlonePAS include a function which upgrades the root acl_users.

I can only log in as the initial "admin" user.

I don't know, but maybe this is a side effect of not having PAS for the root acl_users.

You can login but maybe you don't have any role. Try adding a role but following the @davisagli suggestion should solve all issues. You can always define an emergency user at zope level, so you can login with that user and delete/recreate acl_users.

Thank both of you.
Creating a Plone site did indeed upgrade the root acl_users to a PAS.
Also, it wasn't obvious in the UI, especially since my user in the basic user folder looked just like the "admin" user, but I tested with another basic user folder inside a junk folder and the roles explicitly need to be assigned.