About to break trust between NT4 domain and AD domain, need to find way to automatically change all ntfs permissions

Posted on 2008-06-24
Last Modified: 2013-12-04
We have an old NT4 domain (domain1) that we are about to shut down.  We have a new AD domain (domain2).  There is a trust setup between the two domains.  We have thousands of folders and files throughout the new AD domain, that, when their security permissions are viewed, only have permissions for groups and users related to the old domain.  For example, the security tab properties on a folder in the new AD domain may show domain1\jsmith or domain1\domain admins.  I am afraid that when I end the trust and shutdown the old domain that thousands of network resources will become unavailable because of this.  
Is there a 3rd party utility or a tool in Server2003 that will scan all network files/folders and either add the appropriate permissions for each item or modify the permissions that exist?  All of the users & groups were replicated over to the new domain so they all exist, however most of the folder structure was created prior to the new domain being created so most of the security permissions are relevant to that domain.  
I need some advice on how best to handle this.  I can't possibly manually update each and every folder. Thanks.
Question by:shockey

Author Comment

ID: 21860351
A colleague just told me that when the AD Migration utility was used to migrate the user accounts and groups from the old NT domain to the new AD domain that it was supposed to associate these accounts and groups on the new domain with the existing SID from the old NT domain.  If this is the case, then after the trust is broken and only the security groups for the old domain exist on the permissions tab of the network folders, should the permissions still properly work?  Thanks in advance.

LVL 30

Expert Comment

ID: 21865540
SIDHistory will only take effect so long as the trust relationship is still in place. Most AD migration utilities will have an option available to re-ACL file servers so that any reference to Domain1\User is updated to include an identical reference to Domain2\User.  If this was not done, you will need to determine if the utility, whatever it was, is still in place in your organization so that you can do so prior to breaking the trust. Obviously I can't offer specific advice on what was or was not done in your environment or what state (if any) your migration toolset was left in; this is something you'll need to investigate on your own.

If this is not an option for you, you'll need to do so somewhat manually - use something like xcacls to dump your existing permissions out to a text or CSV file, then modify that file to reference the security principals from your new domain, then apply the new permissions en masse prior to breaking the trust.


Author Comment

ID: 21898869
The Active Directory Migration Tool (ADMT) from Microsoft was used to migrate the users, computers and groups from the NT4 domain to the Active Directory Domain.  Does this utility offer the option to update Domain1\user to Domain2\user as you have described?  Are you certain that the sidhistory attribute will not be usable after the trust is broken?  
If I use a utility to dump out the permissions to CSV, can I do a simple "find and replace" to change all domain1 entries for domain2?  If so, will the same utility import the new permissions back?  If not, how would you recommend I import the new permissions back to the appropriate folders?  Thanks.
LVL 30

Accepted Solution

LauraEHunterMVP earned 250 total points
ID: 21912837
The ADMT Computer Migration Wizard should suffice to re-ACL a server computer.  If your particular environment does not allow for this, you would need to use something like xcacls as listed here:

As I indicated above, the SIDHistory attribute is only viable so long as the trust relationship is in place.
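One way to carry out the re-ACL step the expert describes in both replies (add a matching Domain2 entry beside every explicit Domain1 entry while the trust still exists, leaving the Domain1 entries in place until the cut-over), as an added PowerShell example that is not from this thread and is neither ADMT nor xcacls. It assumes the data lives under D:\Shares, the domain names DOMAIN1/DOMAIN2, and that each migrated account keeps the same name in the new domain (as the ADMT migration described above produced); the report-only default lets you review the mapping before applying it.

```powershell
# Added example (not from the thread): clone explicit DOMAIN1 ACEs to DOMAIN2.
param(
    [string]$Root      = 'D:\Shares',   # assumed root of the folders to re-ACL
    [string]$OldDomain = 'DOMAIN1',     # NT4 domain that is being retired
    [string]$NewDomain = 'DOMAIN2',     # AD domain that now holds the accounts
    [switch]$Apply                      # without -Apply nothing is written
)

$report = @()
# PSIsContainer keeps this compatible with PowerShell 1/2 on Server 2003.
Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $item = $_
    $acl = Get-Acl -Path $item.FullName
    $changed = $false
    foreach ($rule in $acl.Access) {
        # Inherited ACEs are fixed by re-ACLing their parent; skip them.
        if ($rule.IsInherited) { continue }
        $id = $rule.IdentityReference.Value
        if (-not $id.StartsWith("$OldDomain\", 'OrdinalIgnoreCase')) { continue }
        $newId = "$NewDomain\" + $id.Substring($OldDomain.Length + 1)
        # Never guess: confirm the principal resolves in the new domain first.
        try {
            $null = (New-Object System.Security.Principal.NTAccount($newId)).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "$($item.FullName): $newId does not resolve, left as $id"
            continue
        }
        # Skip if an identical DOMAIN2 entry is already present (idempotent re-runs).
        $dup = $acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $newId -and
            $_.FileSystemRights -eq $rule.FileSystemRights -and
            $_.AccessControlType -eq $rule.AccessControlType }
        if ($dup) { continue }
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)
        $acl.AddAccessRule($newRule)
        $changed = $true
        $report += New-Object PSObject -Property @{
            Path = $item.FullName; Old = $id; New = $newId; Rights = $rule.FileSystemRights }
    }
    if ($changed -and $Apply) { Set-Acl -Path $item.FullName -AclObject $acl }
}
# Review this CSV before running again with -Apply.
$report | Export-Csv -Path '.\reacl-report.csv' -NoTypeInformation
```

Owners set to DOMAIN1 accounts are not touched by this script; check them separately, and only remove the DOMAIN1 entries after the DOMAIN2 ones have been verified to work.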
