How to assign NTFS permissions to data after a Novell Netware data migration

Posted on 2007-10-19
Last Modified: 2008-10-05
I am looking to migrate data from Netware > Windows 2003.  Users have been migrated and work fine.
I have 2 options (that I know of):
1.      Migrate data using Robocopy and then create a script to re-assign NTFS ACLs mirrored from Netware
2.      Use Microsoft Windows Services for NetWare 5.03 tool.

The company has directory sync in place between AD and Netware using DirXML, so all users/groups are populated.  This, I thought, may rule out option 2, as I have read that you must sync the accounts to create a txt file to use in the file migration stage, but it looks like with some work the text file can be manually created.  This option would recreate ACLs within NTFS, which would be good news.   The other option is to use Robocopy to copy all data over and then to somehow recreate the ACLs, either manually, which would be a nightmare, or by some sort of script.

Are there any scripts out there to re-create the ACLs, as I would be happy with this method?

Question by:clarkeyi
    LVL 19

    Accepted Solution

    First of all, my condolences on your migration to the legacy Windows platform.

    What you're doing is not very difficult. You simply need to decide how you are going to map the various permissions from one filesystem to another. If you use a utility like Trustbar.nlm you can dump the permissions of an entire volume to a text file. With a little manipulation, search/replace etc. in Excel (about 10 minutes' worth) you can create a batch file to run a load of CACLS commands to set the permissions on your NTFS filesystem.
    LVL 35

    Assisted Solution

    How complex is your setup?

    One concern I have for you is that you have to now use the limitations of Windows NTFS and AD groups and share access.  

    In order to not make it a major pain in the rear to manage, you really should re-examine how rights are granted now, in eDirectory-NWFS/NSS and how they have to be managed in AD-NTFS.  

    The recommendation by Microsoft to get around the inherent limitations of their technologies is to use AGUDLP for granting all permissions.  There is no visibility of who has what permissions - you can only tell from the resource level, not the user level.  A brief explanation of AGUDLP:

    A - Account
    G - Global Group
    U - Universal Group
    DL - Domain Local Group
    P - Permissions.

    You make user Accounts members of Global groups, which are then made members of Universal groups, which are given membership in Domain Local groups which are granted Permissions to resources.

    No individual rights assignments directly to users.
    No users made members of Domain Local groups.
    This way you can have visibility to permissions, based on group membership.

    If you have a flat forest with only one domain, you can skip the Universal group level.  You can go cross-domain with transitive-trust directly to global groups too, if there are only one or two.  You lose membership visibility when you go cross-domain for memberships, though, which is why the Universal group gets used as the interim between Global and Domain Local.

    Trying to fit the Novell model with its dynamic inheritance and two-way full visibility into that scheme is not an exercise for the weak-willed.  Simply translating trustee rights into ACLs does not fit that scheme, and will only add headaches, and you may want to buy a couple of cases of Mylanta as well as Tylenol.

    Author Comment

    Thanks Alextoft & ShineOn
    ShineOn - you are correct, they should go to the AGUDLP method, but they have requested to keep the same structure, unfortunately, with tight deadlines.
    Alextoft, I think I will follow your method - I initially exported all trustee rights using a Netware tool called 'Trustees'.  I now have this imported as a CSV file in Excel.  Do you know how this compares to Trustbar.NLM?
    I have managed to separate the information into the following columns - File/Folder location, User/Group, context, Trustee Rights. - Does Trustbar produce the same information?

    One last question: do you have any examples of the Xcacls scripting method, as this company has rights on individual files and I am hoping Xcacls can handle this without too much work from myself!
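
The CSV-to-batch-file step discussed in this thread, sketched as an added example (not code from any poster): it reads an export with the four columns described above and emits one CACLS line per trustee assignment, holding back any row it cannot translate without guessing or over-granting. The column names, the `VOLUMES` map, the `CORP` domain, the sample rows and the rights mapping itself are assumptions; the mapping is a policy decision to make before running anything.

```python
import csv, io
# Everything below is an assumed policy for illustration, not from the thread.
VOLUMES = {"DATA": r"D:\Data"}   # hypothetical NetWare volume -> NTFS root
DOMAIN = "CORP"                  # hypothetical AD domain; names match via DirXML
UNSAFE = set('"%&|<>^!\r\n')     # characters cmd.exe could interpret in a .bat

def map_rights(rights):
    """NetWare trustee letters -> CACLS letter, or None for manual review."""
    letters = {c for c in rights.upper() if c.isalpha()}
    if not letters or letters - set("SRWCEMFA"):
        return None              # empty assignment or unknown letter
    if "S" in letters:
        return "F"               # Supervisor -> Full control
    if "A" in letters:
        return None              # Access Control: CACLS has nothing short of F
    return "C" if letters & set("WCEM") else "R"

def to_ntfs_path(nw_path):  # VOLUME:\dir\file -> path under mapped root, or None
    volume, sep, rest = nw_path.partition(":")
    root = VOLUMES.get(volume.strip().upper())
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    if not sep or root is None or ".." in parts:
        return None
    return "\\".join([root, *parts])

def build_batch(csv_text):
    """Return (cacls lines, rows for manual review); /E edits the ACL in place."""
    commands, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path, perm = to_ntfs_path(row["Path"]), map_rights(row["Rights"])
        trustee = row["Trustee"].strip()
        if not (path and perm and trustee) or UNSAFE & set(path + trustee):
            review.append(row)
            continue
        commands.append(f'cacls "{path}" /E /G "{DOMAIN}\\{trustee}":{perm}')
    return commands, review

# Constructed sample export (column names are assumptions)
SAMPLE = r"""Path,Trustee,Context,Rights
DATA:\Finance,Finance,groups.acme,[ RWCEMF ]
DATA:\Finance\Budget.xls,jsmith,users.acme,[ R    F ]
DATA:\HR,HRAdmins,groups.acme,[SRWCEMFA]
DATA:\Public,helpdesk,groups.acme,[ R    FA]
DATA:\Apps & Tools,temp%USERNAME%,users.acme,[ R    F ]
SYS:\PUBLIC,staff,groups.acme,[ R    F ]
"""

if __name__ == "__main__":
    print("\n".join(build_batch(SAMPLE)[0]))
```

The last three sample rows land in the review list: one carries the Access Control right, one contains characters that cmd.exe would interpret inside a batch file, and one sits on a volume with no mapped NTFS root.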

