How to assign NTFS permissions to data after a Novell Netware data migration

Posted on 2007-10-19
Medium Priority
Last Modified: 2008-10-05
I am looking to migrate data from Netware > Windows 2003.  Users have been migrated and work fine.
I have 2 options (that I know of):
1.      Migrate data using Robocopy and then create a script to re-assign NTFS ACLs mirrored from Netware
2.      Use Microsoft Windows Services for NetWare 5.03 tool.

The company has directory sync in place between AD and Netware using DirXML, so all users/groups are populated.  I thought this might rule out option 2, as I have read that you must sync the accounts to create a txt file to use in the file migration stage, but it looks like with some work the text file can be created manually.  This option would recreate ACLs within NTFS, which would be good news.   The other option is to use Robocopy to copy all data over and then somehow recreate the ACLs, either manually, which would be a nightmare, or by some sort of script.

Are there any scripts out there to re-create the ACLs? I would be happy with this method.

Question by:clarkeyi

Accepted Solution

alextoft earned 500 total points
ID: 20110986
First of all, my condolences on your migration to the legacy Windows platform.

What you're doing is not very difficult. You simply need to decide how you are going to map the various permissions from one filesystem to another. If you use a utility like Trustbar.nlm you can dump the permissions of an entire volume to a text file. With a little manipulation, search/replace etc. in Excel (about 10 minutes' worth) you can create a batch file to run a load of CACLS commands to set the permissions on your NTFS filesystem.

Assisted Solution

ShineOn earned 500 total points
ID: 20111563
How complex is your setup?

One concern I have for you is that you have to now use the limitations of Windows NTFS and AD groups and share access.  

In order to not make it a major pain in the rear to manage, you really should re-examine how rights are granted now, in eDirectory-NWFS/NSS and how they have to be managed in AD-NTFS.  

The recommendation by Microsoft to get around the inherent limitations of their technologies is to use AGUDLP for granting all permissions.  There is no visibility of who has what permissions - you can only tell from the resource level, not the user level.  A brief explanation of AGUDLP:

A - Account
G - Global Group
U - Universal Group
DL - Domain Local Group
P - Permissions.

You make user Accounts members of Global groups, which are then made members of Universal groups, which are given membership in Domain Local groups which are granted Permissions to resources.

No individual rights assignments directly to users.
No users made members of Domain Local groups.
This way you can have visibility to permissions, based on group membership.

If you have a flat forest with only one domain, you can skip the Universal group level.  You can go cross-domain with transitive-trust directly to global groups too, if there are only one or two.  You lose membership visibility when you go cross-domain for memberships, though, which is why the Universal group gets used as the interim between Global and Domain Local.

Trying to fit the Novell model with its dynamic inheritance and two-way full visibility into that scheme is not an exercise for the weak-willed.  Simply translating trustee rights into ACLs does not fit that scheme, and will only add headaches, and you may want to buy a couple of cases of Mylanta as well as Tylenol.

Author Comment

ID: 20121541
Thanks Alextoft & ShineOn.
ShineOn - you are correct, they should go to the AGUDLP method, but they have requested to keep the same structure, unfortunately with tight deadlines.
Alextoft, I think I will follow your method - I initially exported all trustee rights using a Netware tool called 'Trustees'. I now have this imported as a CSV file in Excel.  Do you know how this compares to Trustbar.NLM?
I have managed to separate the information into the following columns - File/Folder location, User/Group, context, Trustee Rights. Does Trustbar produce the same information?

One last question: do you have any examples of the Xcacls scripting method, as this company has rights on individual files and I am hoping Xcacls can handle this without too much work from myself!
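
The conversion discussed in this thread (a trustee export turned into a batch file of CACLS commands), written as an added example that is not part of the original posts and not taken from any of the tools named. Assumptions: the export has the four columns listed in the comment above, rights use the NetWare letters S R W C E M F A, trustees already exist in AD under the same name (so the context column is ignored), `EXAMPLE` and the `VOL1:` to `D:\` mapping are placeholders, and the rights mapping is one possible policy rather than a fixed rule.

```python
import csv, io

# Constructed sample in the four columns described above; the rights notation
# (NetWare letters S R W C E M F A) is an assumption about the export format.
SAMPLE_CSV = """Path,Trustee,Context,Rights
VOL1:DATA\\FINANCE,Finance,ou=groups.o=acme,RWCEMF
VOL1:DATA\\FINANCE\\budget.xls,jsmith,ou=users.o=acme,RF
VOL1:DATA\\IT,ITAdmins,ou=groups.o=acme,SRWCEMFA
VOL1:DATA\\PUBLIC,bad&name,ou=users.o=acme,RF
"""

DOMAIN = "EXAMPLE"                   # placeholder AD domain
VOLUME_MAP = {"VOL1:": "D:\\"}       # hypothetical NetWare volume -> NTFS root
UNSAFE = set('"%&|<>^\r\n')          # characters that would change the batch line

def map_rights(rights):
    """Assumed mapping policy. Returns (cacls_perm, needs_review)."""
    r = {c for c in rights.upper() if c in "SRWCEMFA"}
    if r & {"S", "A"}:               # Supervisor / Access Control
        return "F", True             # cacls F = Full control: review before granting
    if r & {"W", "C", "E", "M"}:
        return "C", False            # cacls C = Change
    if r & {"R", "F"}:               # NetWare F = File Scan, not Full
        return "R", False
    return None, True                # nothing mappable

def build_batch(csv_text):
    """Return (commands, review_notes) for the trustee rows in csv_text."""
    commands, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path, trustee = row["Path"].strip(), row["Trustee"].strip()
        vol, _, rest = path.partition(":")
        root = VOLUME_MAP.get(vol.upper() + ":")
        perm, flag = map_rights(row["Rights"])
        if root is None or perm is None or UNSAFE & set(path + trustee):
            review.append(f"SKIPPED {path} {trustee} {row['Rights']}")
            continue
        if flag:
            review.append(f"FULL CONTROL {path} {trustee} {row['Rights']}")
        # /E edits the existing ACL instead of replacing it
        commands.append(f'cacls "{root}{rest}" /E /G "{DOMAIN}\\{trustee}":{perm}')
    return commands, review

if __name__ == "__main__":
    cmds, notes = build_batch(SAMPLE_CSV)
    print("\n".join(cmds))
    print("\n".join("REM review: " + n for n in notes))
```

Rows that would grant Full control, and rows skipped because of an unmapped volume or unsafe characters, are listed separately so they can be checked by hand before the batch file is run.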

