About to break trust between NT4 domain and AD domain, need to find way to automatically change all ntfs permissions

Posted on 2008-06-24
Last Modified: 2013-12-04
We have an old NT4 domain (domain1) that we are about to shut down.  We have a new AD domain (domain2).  There is a trust set up between the two domains.  We have thousands of folders and files throughout the new AD domain that, when their security permissions are viewed, only have permissions for groups and users related to the old domain.  For example, the security tab properties on a folder in the new AD domain may show domain1\jsmith or domain1\domain admins.  I am afraid that when I end the trust and shut down the old domain, thousands of network resources will become unavailable because of this.  
Is there a 3rd party utility or a tool in Server2003 that will scan all network files/folders and either add the appropriate permissions for each item or modify the permissions that exist.  All of the users & groups were replicated over to the new domain so they all exist, however most of the folder structure was created prior to the new domain being created so most of the security permissions are relevant to that domain.  
I need some advice on how best to handle this.  I can't possibly manually update each and every folder. Thanks.
Question by:shockey

Author Comment

A colleague just told me that when the AD Migration utility was used to migrate the user accounts and groups from the old NT domain to the new AD domain, it was supposed to associate these accounts and groups on the new domain with the existing SID from the old NT domain.  If this is the case, then after the trust is broken and only the security groups for the old domain exist on the permissions tab of the network folders, should the permissions still properly work?  Thanks in advance.

LVL 30

Expert Comment

SIDHistory will only take effect so long as the trust relationship is still in place. Most AD migration utilities will have an option available to re-ACL file servers so that any reference to Domain1\User is updated to include an identical reference to Domain2\User.  If this was not done, you will need to determine if the utility, whatever it was, is still in place in your organization so that you can do so prior to breaking the trust. Obviously I can't offer specific advice on what was or was not done in your environment or what state (if any) your migration toolset was left in; this is something you'll need to investigate on your own.

If this is not an option for you, you'll need to do so somewhat manually - use something like xcacls to dump your existing permissions out to a text or CSV file, then modify that file to reference the security principals from your new domain, then apply the new permissions en masse prior to breaking the trust.


Author Comment

The Active Directory Migration Tool (ADMT) from Microsoft was used to migrate the users, computers and groups from the NT4 domain to the Active Directory Domain.  Does this utility offer the option to update Domain1\user to Domain2\user as you have described?  Are you certain that the sidhistory attribute will not be useable after the trust is broken?  
If I use a utility to dump out the permissions to CSV, can I do a simple "find and replace" to change all domain1 entries for domain2?  If so, will the same utility import the new permissions back?  If not, how would you recommend I import the new permissions back to the appropriate folders?  Thanks.
LVL 30

Accepted Solution

LauraEHunterMVP earned 250 total points
The ADMT Computer Migration Wizard should suffice to re-ACL a server computer.  If your particular environment does not allow for this, you would need to use something like xcacls as listed here:

As I indicated above, the SIDHistory attribute is only viable so long as the trust relationship is in place.
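The re-ACL pass described in the two expert comments above (for every explicit Domain1 ACE, add an identical ACE for the matching Domain2 principal, and do it while the trust still resolves both names) can be scripted in PowerShell on each file server. This is an added example, not code from the thread, from ADMT or from xcacls; DOMAIN1, DOMAIN2 and D:\Shares are placeholder names, and it assumes each migrated user and group kept the same account name in the new domain, as the question states.

```powershell
# Added example (not from the original thread, ADMT or xcacls).
# Assumptions (placeholder names): old NetBIOS domain DOMAIN1, new domain DOMAIN2,
# identical account names in both domains, run on the file server before the
# trust is broken so that both DOMAIN1\x and DOMAIN2\x still resolve to SIDs.
param(
    [string]$Root      = 'D:\Shares',
    [string]$OldDomain = 'DOMAIN1',
    [string]$NewDomain = 'DOMAIN2',
    [switch]$Apply                    # without -Apply this is a dry run that only reports
)

$report = @()
$items  = @(Get-Item -Path $Root) +
          @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try {
        $acl = Get-Acl -Path $item.FullName
    } catch {
        $report += "SKIP (cannot read ACL): $($item.FullName)"
        continue
    }

    $changed = $false
    # Snapshot the rule list: we add rules to $acl while looping over it.
    foreach ($ace in @($acl.Access)) {
        # Inherited ACEs are fixed by fixing the parent they come from; only
        # explicit ACEs on this object are cloned.
        if ($ace.IsInherited) { continue }

        $id = $ace.IdentityReference.Value
        if ($id -notlike "$OldDomain\*") { continue }
        $newId = "$NewDomain\" + $id.Substring($OldDomain.Length + 1)

        # Idempotent: skip if an equivalent Domain2 ACE is already present
        # (for example from a previous run or from the ADMT wizard).
        $dup = $acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $newId -and
            $_.FileSystemRights   -eq $ace.FileSystemRights -and
            $_.AccessControlType  -eq $ace.AccessControlType -and
            $_.InheritanceFlags   -eq $ace.InheritanceFlags -and
            $_.PropagationFlags   -eq $ace.PropagationFlags
        }
        if ($dup) { continue }

        try {
            # Clone the ACE with the new principal; rights, allow/deny and
            # inheritance/propagation flags are copied unchanged.
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            # AddAccessRule translates DOMAIN2\name to a SID and throws
            # IdentityNotMappedException if the account does not exist there.
            $acl.AddAccessRule($newAce)
            $changed = $true
            $report += "ADD  $newId $($ace.AccessControlType) $($ace.FileSystemRights) on $($item.FullName)"
        } catch {
            $report += "FAIL $newId does not resolve on $($item.FullName): $($_.Exception.Message)"
        }
    }

    if ($changed -and $Apply) {
        Set-Acl -Path $item.FullName -AclObject $acl
    }
}

$report
```

Run it once without -Apply and read the report first: every FAIL line is an account that was not migrated under the same name and needs a manual mapping before the trust goes away. The script adds rather than replaces, so access keeps working whichever name the trust can resolve; the stale DOMAIN1 entries can be removed later, once the old domain is gone and they show up as unresolved S-1-5-21-... SIDs. After the trust is broken the DOMAIN1 names no longer resolve at all, so the `-like "DOMAIN1\*"` match finds nothing, which is why this has to run beforehand. Ownership and share-level permissions are not touched by this pass.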
