Solved

Migration to windows 2003. Replace ACLs

Posted on 2004-08-28
2
839 Views
Last Modified: 2012-08-14
Hello,
We are planning the migration to Windows 2000. We are going to use ADMT v2 to help us with the process.

Scenario:

-nt 4.0 Domain A (accounts and resources) for a Business unit
-nt 4.0 Domain B (accounts and resources) for a Business unit.
-New Domain w2k3 for consolidating domains.

two-way trust between Domain A and Domain B
two-way trust between Domain A and Domain w2k3
two-way trust between Domain B and Domain w2k3

There are users in Domain A who access to shared folders in Domain B.
There are users in Domain B who access to shared folders in Domain A.


Using Admt v2 we are going to migrate users from Domain A to Domain W2k3, using Sids history, so the migrated users to the Domain w2k3 will be able to access to the resources in Domain A and Domain B (through Sid-History).

Ok, at the end of the migration process in Domain A,  we would like  to run the Security translation wizard to replace the Old SID in the migrated objects for the New SiDs. Ok ADMT V2 will work well for the migrated objects (from the Domain A) and will replace the SIDs. After this, theorically, if all is ok, we could remove pdc and bdc. However, the question is for the ACLs which exist in Domain B  (referencing users of Domain A who have been migrated to the new domain), What will happen ?. Once We remove the Domain A, this ACEs will appear as "Unkown account",
Are there any tools to scan and  replace ACEs in other domains resources where appears ACEs refering to users and groups in Domain A?

thanks in advance










0
Comment
Question by:intentalo69
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 11922736
Yes; subinacl.exe from the W2k3 Resource Kit Tools is able to replace ACEs.

====8<----[subinacl.exe]----
SubInAcl enables administrators to:
[...]
* Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
The /replace and /changedomain options change security information in the Owner, System ACL, and Discretionary ACL fields, but the Primary Group information is never replaced. For example, /replace=DOM_MARKETING\ChairMan=NEWDOM\NewChairMan replaces all access control entries (ACEs) and owners containing DOM_MARKETING\ChairMan with the NewChairMan SID retrieved from NEWDOM domain.
* Migrate security information on objects.
This is useful if you have reorganized a network's domains and need to migrate the security information on files from one domain to another.
For example, /changedomain=OldDomainName=NewDomainName replaces all ACEs with a SID from OldDomainName with the equivalent SID found in NewDomainName
====8<----[subinacl.exe]----

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
0
 

Author Comment

by:intentalo69
ID: 11929959
Ok, thanks very much for the answer,

Anyway, do you Know any General script which include this SUBINACL tool in order to replcace rhe rights.
For example a script with input parameters such as files with the servers to be scanned,
Sid mappings files indicating the correspondence between the existing SID to be replaced and the new SID we want to include (we would prepare this files). ???

Thanks again
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question