Folder Permissions - Domain Migration without Trust being setup

Posted on 2008-10-30
Last Modified: 2013-12-05
We are currently switching our entire infrastructure to a new domain, logically and physically. There are no trusts between these domains. All users and groups have been recreated on the new domain. OLDDOM is AD 2003 / server is 2000 Adv. NEWDOM is 2008 / servers 2008 / 2003 (for legacy apps)

On the OLDDOM we have multiple levels of security and permissions set, some as deep as 25 levels from the directory root. We don't want to have to recreate this entire structure, we want to replicate it. We cannot lose this permissioning schema.

I have used ROBOCOPY to transfer the folder and file structure of one of the folder branches, using /COPY:DATS to ensure that the security descriptors remain complete. It is transferred to an external drive from OLDDOM and then attached to NEWDOM.

Prior to transferring up to the server from the external drive, I want to change all permissions for OLDDOM to NEWDOM. All accounts have been re-created new on the NEWDOM.

So far I have tried (after losing a week with PowerShell Get-Acl and Set-Acl):

SetACL.exe - My Input & Output.

SetACL.exe -on MYFOLDER -ot file -actn domain -rec cont_obj -dom "n1:OLDDOM;n2:NEWDOM;da:repldom;w:dacl"

ERROR: AddDomain: Domain name <OLDDOM> is probably incorrect.
ERROR while processing command line: Domain: n1:OLDOM;n2:NEWDOM;da:repldom;w:dacl could not be set!

SubinACL.exe - My Input & Output
subinacl /subdirectory T:\MYFOLDER\*.* /migratetodomain=OLDDOM=NEWDOM
WARNING : Error parsing line +subdirectory t:\myfolder\*.*
Use :
SubInacl /help to get the usage information
SubInAcl /help syntax to understand SubInAcl syntax.

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : Error parsing line +subdirectory t:\myfolder\*.*

Can anyone help in this situation? I am pulling my hair out in despair...

Question by:Gr8-Ideas

Expert Comment

by:Henrik Johansson
ID: 22849507
You need to configure a trust to be able to transfer permissions between domains.

Author Comment

ID: 22879659
Thanks henjoh09

This unfortunately does not help as no trust can be established.

from the subinacl.exe help

Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is unaccessible or no longer exists.


The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain and know you will not have access to it during the migration.
Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
[Domain\UserName | Server\UserName]=SID
Type the following at the command line:
subinacl /offlinesam=C:\SAMFILE.TXT /subdirect \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
Press ENTER.

When I run this however, I get -

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Any clues, anyone??

Expert Comment

by:Henrik Johansson
ID: 22880270
Sorry, I missed that subinacl has /offlinesam
/offlinesam is for source domain. With the error posted, it sounds like you've swapped the parameters.
/migratetodomain will add NEWDOM-ACE into ACLs. As the old domain is offline and not usable, I guess it would be better to use /changedomain to replace ACE with NEWDOM
Optional argument is to add a mapping file in the changedomain and migratedomain parameters.

subinacl /offlinesam=C:\SAMFILE.TXT /subdirect c:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt



Author Comment

ID: 22887711

I have created the mapping file as suggested:

subinacl /offlinesam=C:\cached_sids.txt /subdirect C:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

Sample of cached sid:

Sample of mapping.txt
domain admins=domain admins
domain users=domain users

Here is the error:

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Current object C:\folder\*.* will not be processed

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : /changedomain=OLDDOM=NEWDOM=C:\mapping.txt : Error when checking arguments - C:\folder\*.*

This is now becoming critical, as some educated manager has suggested that this can be done manually quicker than a scripted solution!!!

Any help appreciated.

Expert Comment

by:Henrik Johansson
ID: 22899191
Remove __cachefileonly__ from cached_sids.txt

From subinacl help:
"With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file"

Author Comment

ID: 22917502
Hi henjoh09

I removed the __cachefileonly__ line in the file.

Now It reverts to looking for the OLDDOM SAM server. Error is:

1355 Could not find domain name : OLDDOM
Error finding domain name : 1355 The specified domain either does not exist or could not be contacted.

Aggggggggggggggghhhhhhhhhhhhhhhh !!!!!!!!!!!

There is a solution to this, I know there is...............

Expert Comment

ID: 23260184
Here is my fix
Create the /offlinesam=C:\source.txt
copy file to destination server
add the following lines to the end of the file
domaina=the SID for the domain
domainb=the SID for the domain
I used PsGetSid to get the SID of one domain controller in each domain

Then I created a temp folder on my destination server with all the users and groups on it
I then created another /offlinesam=Destination.txt of the temp file
I then appended the contents of the destination file to the end of the source file and ran the command as follows
Subinacl /offlinesam=C:\source.txt /subdirect C:\data\*.* /changedomain=domaina=domain

Sample file
domaina\domain users=MYSIDA
domainb\domain users=MYSIDB

Accepted Solution

dsesko earned 500 total points
ID: 23260202
Upon further testing
I also found that if you remove the __cachefileonly__ from the top of the source file and just add
the SID from the source domain it works as well

Hope this helps

domaina\domain users=MYSIDA
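Added example (not code from the thread, from SubInACL's documentation or from any poster): a PowerShell script that automates the cache-file procedure dsesko describes above, runs the same /changedomain command, and then checks the copied tree for ACEs that still carry an unmapped SID. OLDDOM, NEWDOM, C:\source.txt, C:\data and the group names are assumptions; the cache-file lines follow the `DOMAIN\name=SID` and `DOMAIN=SID` forms shown in the thread.

```powershell
# Added example, not from the original thread. Automates the /offlinesam cache
# file that the accepted solution assembles by hand, runs SubInACL /changedomain
# over the copied tree, and reports any ACE that still carries an unmapped SID.
# Domain names, paths and the group list below are assumptions for illustration.

$SourceDomain = 'OLDDOM'
$TargetDomain = 'NEWDOM'
$CacheFile    = 'C:\source.txt'
$DataRoot     = 'C:\data'
$Principals   = @('Domain Users', 'Domain Admins', 'Finance-RW')   # assumed names

# Resolve DOMAIN\Name to its SID and emit SubInACL cache lines. Name lookup only
# works against a domain this host can reach, so run it on OLDDOM before the
# cutover and again on NEWDOM afterwards, then merge both outputs into one file.
function Get-SamCacheLines {
    param([string]$Domain, [string[]]$Names)
    $lines = @()
    $domainSid = $null
    foreach ($name in $Names) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($Domain, $name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Cannot resolve $Domain\$name : $($_.Exception.Message)"
            continue
        }
        $lines += "$Domain\$name=$($sid.Value)"          # [Domain\UserName]=SID
        # The domain SID is the prefix of every account SID issued by that domain;
        # this replaces the PsGetSid step dsesko used for the 'domaina=SID' line.
        if (-not $domainSid) { $domainSid = $sid.AccountDomainSid.Value }
    }
    if ($domainSid) { $lines += "$Domain=$domainSid" }
    return $lines
}

# Sanity-check the merged cache file before handing it to SubInACL: every
# non-empty line must be name=SID (so no __cachefileonly__ marker, which the
# thread found forces cache-only lookups), and both domains need a DOMAIN=SID line.
function Test-SamCacheFile {
    param([string]$Path, [string[]]$Domains)
    $content = Get-Content -LiteralPath $Path
    $bad = $content | Where-Object { $_ -and $_ -notmatch '^[^=]+=S-1-5-\d+(-\d+)*$' }
    if ($bad) { throw "Malformed cache lines: $($bad -join '; ')" }
    foreach ($d in $Domains) {
        if (-not ($content -match "^$([regex]::Escape($d))=S-1-5-")) {
            throw "Cache file has no domain SID line for $d"
        }
    }
}

# Same invocation as the accepted answer; subinacl.exe must be on PATH.
function Invoke-SubInAclChangeDomain {
    param([string]$Cache, [string]$Root, [string]$From, [string]$To)
    & subinacl.exe "/offlinesam=$Cache" /subdirectories "$Root\*.*" "/changedomain=$From=$To"
    if ($LASTEXITCODE -ne 0) { throw "subinacl.exe exited with code $LASTEXITCODE" }
}

# After the run, an IdentityReference that is still a raw S-1-5-21-... string is
# an OLDDOM SID that had no cache entry; list those objects for manual follow-up.
function Find-UnresolvedAces {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item = $_
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IdentityReference.Value -match '^S-1-5-21-') {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Step 1 runs on a host joined to OLDDOM before cutover and writes the source half.
Get-SamCacheLines -Domain $SourceDomain -Names $Principals |
    Set-Content -LiteralPath $CacheFile -Encoding Ascii
# Steps 2-4 run on NEWDOM with the file copied over: append the destination half,
# validate the merged file, re-ACL the tree, then look for leftovers.
Get-SamCacheLines -Domain $TargetDomain -Names $Principals |
    Add-Content -LiteralPath $CacheFile -Encoding Ascii
Test-SamCacheFile -Path $CacheFile -Domains @($SourceDomain, $TargetDomain)
Invoke-SubInAclChangeDomain -Cache $CacheFile -Root $DataRoot -From $SourceDomain -To $TargetDomain
Find-UnresolvedAces -Root $DataRoot | Format-Table -AutoSize
```

Two caveats for anyone reusing this. The verification step inspects DACLs only; ownership and audit entries (the O and U flags, which the question's /COPY:DATS does not copy) would need the same treatment if they were carried over with /COPYALL. And a tree 25 levels deep can exceed the classic 260-character path limit on the 2003/2008 hosts discussed here, so run Find-UnresolvedAces from as short a drive-root path as possible and treat any "path too long" errors as unverified folders rather than clean ones.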
