About to break trust between NT4 domain and AD domain, need to find a way to automatically change all NTFS permissions

We have an old NT4 domain (domain1) that we are about to shut down. We have a new AD domain (domain2). There is a trust set up between the two domains. We have thousands of folders and files throughout the new AD domain that, when their security permissions are viewed, only have permissions for groups and users related to the old domain. For example, the security tab properties on a folder in the new AD domain may show domain1\jsmith or domain1\domain admins. I am afraid that when I end the trust and shut down the old domain, thousands of network resources will become unavailable because of this.
Is there a 3rd party utility or a tool in Server 2003 that will scan all network files/folders and either add the appropriate permissions for each item or modify the permissions that exist? All of the users & groups were replicated over to the new domain so they all exist; however, most of the folder structure was created prior to the new domain being created, so most of the security permissions are relevant to that domain.
I need some advice on how best to handle this. I can't possibly manually update each and every folder. Thanks.
LauraEHunterMVP Commented:
The ADMT Computer Migration Wizard should suffice to re-ACL a server computer.  If your particular environment does not allow for this, you would need to use something like xcacls as listed here: http://support.microsoft.com/default.aspx/kb/318754

As I indicated above, the SIDHistory attribute is only viable so long as the trust relationship is in place.
shockey (Author) Commented:
A colleague just told me that when the AD Migration utility was used to migrate the user accounts and groups from the old NT domain to the new AD domain, it was supposed to associate these accounts and groups on the new domain with the existing SID from the old NT domain. If this is the case, then after the trust is broken and only the security groups for the old domain exist on the permissions tab of the network folders, should the permissions still properly work? Thanks in advance.

SIDHistory will only take effect so long as the trust relationship is still in place. Most AD migration utilities will have an option available to re-ACL file servers so that any references to Domain1\User are updated to include an identical reference to Domain2\User. If this was not done, you will need to determine if the utility, whatever it was, is still in place in your organization so that you can do so prior to breaking the trust. Obviously I can't offer specific advice on what was or was not done in your environment or what state (if any) your migration toolset was left in; this is something you'll need to investigate on your own.

If this is not an option for you, you'll need to do so somewhat manually - use something like xcacls to dump your existing permissions out to a text or CSV file, then modify that file to reference the security principals from your new domain, then apply the new permissions en masse prior to breaking the trust.
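
The re-ACL step described in the answer above, done in place with PowerShell's `Get-Acl`/`Set-Acl` instead of an xcacls dump and re-import, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later, an elevated session, placeholder NetBIOS names `DOMAIN1`/`DOMAIN2`, and that each old-domain account has a same-named counterpart in the new domain; it must run while the trust still exists so the old names resolve.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+, an elevated
# session, and that each DOMAIN1 account has a same-named DOMAIN2 counterpart.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Root,   # top of the tree to re-ACL
    [string]$OldDomain = 'DOMAIN1',                # placeholder NetBIOS names
    [string]$NewDomain = 'DOMAIN2'
)

function Write-Result($Path, $Identity, $Status) {
    [pscustomobject]@{ Path = $Path; Identity = $Identity; Status = $Status }
}

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit ACEs only; inherited ones are fixed where they are defined.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    $changed = $false

    foreach ($rule in $rules) {
        $old = $rule.IdentityReference.Value
        if ($old -notlike "$OldDomain\*") { continue }
        $name = $old.Substring($OldDomain.Length + 1)
        try {
            $new = New-Object System.Security.Principal.NTAccount($NewDomain, $name)
            # Throws if the new domain has no account with this name.
            [void]$new.Translate([System.Security.Principal.SecurityIdentifier])
            # Throws for ACEs that carry generic rights the constructor rejects.
            $copy = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $new, $rule.FileSystemRights, $rule.InheritanceFlags,
                $rule.PropagationFlags, $rule.AccessControlType)
            $acl.AddAccessRule($copy)   # old ACE stays; the new one is added beside it
            $changed = $true
            Write-Result $item.FullName $old "add $($new.Value)"
        } catch {
            Write-Result $item.FullName $old "skipped: $($_.Exception.Message)"
        }
    }

    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Set-Acl')) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Running it with `-WhatIf` produces the same report without writing any ACLs, and the `skipped` rows list the entries that still need manual attention before the trust is removed.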

shockey (Author) Commented:
The Active Directory Migration Tool (ADMT) from Microsoft was used to migrate the users, computers and groups from the NT4 domain to the Active Directory domain. Does this utility offer the option to update Domain1\user to Domain2\user as you have described? Are you certain that the SIDHistory attribute will not be usable after the trust is broken?
If I use a utility to dump out the permissions to CSV, can I do a simple "find and replace" to change all domain1 entries for domain2? If so, will the same utility import the new permissions back? If not, how would you recommend I import the new permissions back to the appropriate folders? Thanks.