• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5121
  • Last Modified:

Folder Permissions - Domain Migration without Trust being setup

We are currently switching our entire infrastructure to a new domain, logically & Physically. There is no trusts between these domains. All users and groups have been recreated on the new domain. OLDDOM is AD 2003 / server is 2000 Adv. NEWDOM is 2008 / servers 2008 / 2003 (for legacy apps)

On the OLDDOM we have multiple levels of security and permissions set, some as deep as 25 levels from the directory root. We don't want to have recreate this entire structure, we want to replicate it. We cannot loose this permissioning schema.

I have used ROBOCOPY to transfer the folder and file structure of 1 of the folder branches, using the /COPY:DATS to ensure that the security descriptors remain complete. It is transferred to an external drive from OLDDOM and then attached to NEWDOM.

Prior to transferring up to the server from the external drive, I want to change all permissions for OLDDOM to NEWDOM. All accounts have been re-created new on the NEWDOM.

So far I have tried (after losing a week with powershell get-acl and set-acl):

SetACL.exe - My Input & Output.

SetACL.exe -on MYFOLDER -ot file -actn domain -rec cont_obj -dom "n1:OLDDOM;n2:NEWDOM;da:repldom;w:dacl"

ERROR: AddDomain: Domain name <OLDDOM> is probably incorrect.
ERROR while processing command line: Domain: n1:OLDOM;n2:NEWDOM;da:repldom;w:dacl could not be set!

SubinACL.exe - My Input & Output
subinacl /subdirectory T:\MYFOLDER\*.* /migratetodomain=OLDDOM=NEWDOM
WARNING : Error parsing line +subdirectory t:\myfolder\*.*
Use :
SubInacl /help to get the usage information
SubInAcl /help syntax to understand SubInAcl syntax.

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : Error parsing line +subdirectory t:\myfolder\*.*

Can anyone help in this situation. I am pulling my hair out in Despair...

  • 3
  • 3
  • 2
1 Solution
Henrik JohanssonSystems engineerCommented:
You nead to configure trust to be able to transfer permissions between domains.
Gr8-IdeasAuthor Commented:
Thanks henjoh09

This unfortunatley does not help as no trust can be established.

from the subinacl.exe help

Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is unaccessible or no longer exists.


The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain and know you will not have access to it during the migration.
Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
[Domain\UserName | Server\UserName]=SID
Type the following at the command line:
subinacl /offlinesam=C:\SAMFILE.TXT /subdirect \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
Press ENTER.

When I run this however, I get -

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Any clues, anyone??
Henrik JohanssonSystems engineerCommented:
Sorry, I missed that subinacl has /offlinesam
/offlinesam is for source domain. With the error posted, it sounds like you've swapped the parameters.
/migratetodomain will add NEWDOM-ACE into ACLs. As the old domain is offline and not usable, I guess it would be better to use /changedomain to replace ACE with NEWDOM
Optional argument is to add a mapping file in the changedomain and migratedomain parameters.

subinacl /offlinesam=C:\SAMFILE.TXT /subdirect c:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt


What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Gr8-IdeasAuthor Commented:

I have created the mapping file as suggested:

subinacl /offlinesam=C:\cached_sids.txt /subdirect C:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

Sample of cached sid:

Sample of mapping.txt
domain admins=domain admins
domain users=domain users

Here is the error:

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Current object C:\folder\*.* will not be processed

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : /changedomain=OLDDOM=NEWDOM=C:\mapping.txt : Error when checking arguments - C:\folder\*.*

This is now becoming critical. As some educated manager has suggested that this can be done manually quicker than a scritped solution!!!

Any help appreciated.
Henrik JohanssonSystems engineerCommented:
Remove __cachefileonly__ from cached_sids.txt

From subinacl help:
"With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file"
Gr8-IdeasAuthor Commented:
Hi henjoh09

I removed the __cachefileonly__ line in the file.

Now It reverts to looking for the OLDDOM SAM server. Error is:

1355 Could not find domain name : OLDDOM
Error finding domain name : 1355 The specified domain either does not exist or could not be contacted.

Aggggggggggggggghhhhhhhhhhhhhhhh !!!!!!!!!!!

There is a solution to this, I know there is...............
Here is my fix
Create the /offlinesam=C:\source.txt
copy file to destination server
add the following lines to the end of the file
domaina=the SID for the domain
domainb=the SID for the domain
I used psgetSID to get the sid of one  domain controller in each domain

Then I created a temp folder on my destination server with all the users and groups on it
I then created another /offlinesam=Destination.txt of the temp file
I then appended the contents of the destination file to the end of the source file and ran the command as follows
Subinacl /offlinesam=C:\source.txt /subdirect C:\data\*.* /changedomain=domaina=domain

Sample file
domaina\domain users=MYSIDA
domainb\domain users=MYSIDB
Upon further testing
i also found that if you remove the  __cachefileonly__  from the top of the source file and just add the
the sid from the source domain it works as well

Hope this helps

domaina\domain users=MYSIDA

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now