About to break trust between NT4 domain and AD domain, need to find way to automatically change all ntfs permissions

Posted on 2008-06-24
Medium Priority
Last Modified: 2013-12-04
We have an old NT4 domain (domain1) that we are about to shut down. We have a new AD domain (domain2). There is a trust set up between the two domains. We have thousands of folders and files throughout the new AD domain that, when their security permissions are viewed, only have permissions for groups and users related to the old domain. For example, the security tab properties on a folder in the new AD domain may show domain1\jsmith or domain1\domain admins. I am afraid that when I end the trust and shut down the old domain, thousands of network resources will become unavailable because of this.
Is there a 3rd party utility or a tool in Server 2003 that will scan all network files/folders and either add the appropriate permissions for each item or modify the permissions that exist? All of the users & groups were replicated over to the new domain so they all exist; however, most of the folder structure was created prior to the new domain being created, so most of the security permissions are relevant to that domain.
I need some advice on how best to handle this. I can't possibly manually update each and every folder. Thanks.
Question by: shockey
Author Comment

ID: 21860351
A colleague just told me that when the AD Migration utility was used to migrate the user accounts and groups from the old NT domain to the new AD domain, it was supposed to associate these accounts and groups on the new domain with the existing SID from the old NT domain. If this is the case, then after the trust is broken and only the security groups for the old domain exist on the permissions tab of the network folders, should the permissions still properly work? Thanks in advance.

LVL 30

Expert Comment

ID: 21865540
SIDHistory will only take effect so long as the trust relationship is still in place. Most AD migration utilities will have an option available to re-ACL file servers so that any reference to Domain1\User is updated to include an identical reference to Domain2\User. If this was not done, you will need to determine if the utility, whatever it was, is still in place in your organization so that you can do so prior to breaking the trust. Obviously I can't offer specific advice on what was or was not done in your environment or what state (if any) your migration toolset was left in; this is something you'll need to investigate on your own.

If this is not an option for you, you'll need to do so somewhat manually - use something like xcacls to dump your existing permissions out to a text or CSV file, then modify that file to reference the security principals from your new domain, then apply the new permissions en masse prior to breaking the trust.


Author Comment

ID: 21898869
The Active Directory Migration Tool (ADMT) from Microsoft was used to migrate the users, computers and groups from the NT4 domain to the Active Directory domain. Does this utility offer the option to update Domain1\user to Domain2\user as you have described? Are you certain that the sidhistory attribute will not be usable after the trust is broken?
If I use a utility to dump out the permissions to CSV, can I do a simple "find and replace" to change all domain1 entries to domain2? If so, will the same utility import the new permissions back? If not, how would you recommend I import the new permissions back to the appropriate folders? Thanks.
LVL 30

Accepted Solution

LauraEHunterMVP earned 1000 total points
ID: 21912837
The ADMT Computer Migration Wizard should suffice to re-ACL a server computer. If your particular environment does not allow for this, you would need to use something like xcacls as listed here: http://support.microsoft.com/default.aspx/kb/318754

As I indicated above, the SIDHistory attribute is only viable so long as the trust relationship is in place.
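As an added illustration of the re-ACL approach the experts describe (add a Domain2 twin for each explicit Domain1 entry before the trust is dropped), here is a PowerShell script that is not part of the thread and not ADMT or xcacls. It assumes the same account names exist in the new domain, uses the thread's domain1/domain2 as placeholder names, and changes nothing unless run with -Apply.

```powershell
# Added example, not from the thread: for every explicit ACE that names a
# domain1 principal, add an identical ACE for the matching domain2 principal.
# The domain1 entries are left in place so access keeps working while the
# trust still exists; they can be removed once domain2 access is verified.
param(
    [Parameter(Mandatory)][string]$Root,
    [string]$OldDomain = 'domain1',   # placeholder: NT4 domain NetBIOS name
    [string]$NewDomain = 'domain2',   # placeholder: AD domain NetBIOS name
    [switch]$Apply                    # without -Apply the script only reports
)

$items = @(Get-Item -LiteralPath $Root) + (Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # Only explicit ACEs need a twin; inherited ones follow from the parent's fix.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        if ($id -notlike "$OldDomain\*") { continue }
        $newId = "$NewDomain\" + $id.Split('\')[1]
        # Skip if an equivalent entry for the new principal already exists.
        $dup = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $newId -and
            $_.FileSystemRights -eq $ace.FileSystemRights -and
            $_.AccessControlType -eq $ace.AccessControlType
        }
        if ($dup) { continue }
        # Confirm the new principal resolves before touching the ACL at all.
        try {
            $null = ([System.Security.Principal.NTAccount]$newId).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "$($item.FullName): cannot resolve $newId, leaving $id as is"
            continue
        }
        # Copy rights, inheritance, propagation and allow/deny type exactly.
        $twin = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($twin)
        $changed = $true
        Write-Output "$($item.FullName): $id -> +$newId ($($ace.FileSystemRights))"
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it first without -Apply and keep the report as a record of what will change; any "cannot resolve" warning flags an account or group that was not migrated and must be fixed before the trust is broken.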
