Folder Permissions - Domain Migration without Trust being setup

Posted on 2008-10-30
Last Modified: 2013-12-05
We are currently switching our entire infrastructure to a new domain, logically & Physically. There is no trusts between these domains. All users and groups have been recreated on the new domain. OLDDOM is AD 2003 / server is 2000 Adv. NEWDOM is 2008 / servers 2008 / 2003 (for legacy apps)

On the OLDDOM we have multiple levels of security and permissions set, some as deep as 25 levels from the directory root. We don't want to have recreate this entire structure, we want to replicate it. We cannot loose this permissioning schema.

I have used ROBOCOPY to transfer the folder and file structure of 1 of the folder branches, using the /COPY:DATS to ensure that the security descriptors remain complete. It is transferred to an external drive from OLDDOM and then attached to NEWDOM.

Prior to transferring up to the server from the external drive, I want to change all permissions for OLDDOM to NEWDOM. All accounts have been re-created new on the NEWDOM.

So far I have tried (after losing a week with powershell get-acl and set-acl):

SetACL.exe - My Input & Output.

SetACL.exe -on MYFOLDER -ot file -actn domain -rec cont_obj -dom "n1:OLDDOM;n2:NEWDOM;da:repldom;w:dacl"

ERROR: AddDomain: Domain name <OLDDOM> is probably incorrect.
ERROR while processing command line: Domain: n1:OLDOM;n2:NEWDOM;da:repldom;w:dacl could not be set!

SubinACL.exe - My Input & Output
subinacl /subdirectory T:\MYFOLDER\*.* /migratetodomain=OLDDOM=NEWDOM
WARNING : Error parsing line +subdirectory t:\myfolder\*.*
Use :
SubInacl /help to get the usage information
SubInAcl /help syntax to understand SubInAcl syntax.

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : Error parsing line +subdirectory t:\myfolder\*.*

Can anyone help in this situation. I am pulling my hair out in Despair...

Question by:Gr8-Ideas
  • 3
  • 3
  • 2
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22849507
You nead to configure trust to be able to transfer permissions between domains.

Author Comment

ID: 22879659
Thanks henjoh09

This unfortunatley does not help as no trust can be established.

from the subinacl.exe help

Specifies a text file that matches user names to their SIDs, and directs SubInACL to look up SIDs in this file instead of on the server on which the object is located. This is useful if the domain is unaccessible or no longer exists.


The task in this example is to migrate the security settings of the files on a server from one domain to another. This example assumes that you have access to the source domain and know you will not have access to it during the migration.
Store a record of user names and their corresponding SIDs from the source domain in a text file named C:\Samfile.txt. Use the following format:
[Domain\UserName | Server\UserName]=SID
Type the following at the command line:
subinacl /offlinesam=C:\SAMFILE.TXT /subdirect \\SERVER\SHARE\*.* /migratetodomain=SOURCEDOMAIN=DESTDOMAIN
Press ENTER.

When I run this however, I get -

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Any clues, anyone??
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22880270
Sorry, I missed that subinacl has /offlinesam
/offlinesam is for source domain. With the error posted, it sounds like you've swapped the parameters.
/migratetodomain will add NEWDOM-ACE into ACLs. As the old domain is offline and not usable, I guess it would be better to use /changedomain to replace ACE with NEWDOM
Optional argument is to add a mapping file in the changedomain and migratedomain parameters.

subinacl /offlinesam=C:\SAMFILE.TXT /subdirect c:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt



Author Comment

ID: 22887711

I have created the mapping file as suggested:

subinacl /offlinesam=C:\cached_sids.txt /subdirect C:\folder\*.* /changedomain=OLDDOM=NEWDOM=C:\mapping.txt

Sample of cached sid:

Sample of mapping.txt
domain admins=domain admins
domain users=domain users

Here is the error:

 Could not find domain name in SAM cache file: NEWDOM
Error finding domain name : 87 The parameter is incorrect.

Current object C:\folder\*.* will not be processed

Elapsed Time: 00 00:00:00
Done:        0, Modified        0, Failed        0, Syntax errors        1
Last Syntax Error:WARNING : /changedomain=OLDDOM=NEWDOM=C:\mapping.txt : Error when checking arguments - C:\folder\*.*

This is now becoming critical. As some educated manager has suggested that this can be done manually quicker than a scritped solution!!!

Any help appreciated.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 31

Expert Comment

by:Henrik Johansson
ID: 22899191
Remove __cachefileonly__ from cached_sids.txt

From subinacl help:
"With the __cachefileonly__ line in the file, SubInAcl.exe will not query SAM Server(s) anymore. All needed SIDs should be found in the SAM cache file"

Author Comment

ID: 22917502
Hi henjoh09

I removed the __cachefileonly__ line in the file.

Now It reverts to looking for the OLDDOM SAM server. Error is:

1355 Could not find domain name : OLDDOM
Error finding domain name : 1355 The specified domain either does not exist or could not be contacted.

Aggggggggggggggghhhhhhhhhhhhhhhh !!!!!!!!!!!

There is a solution to this, I know there is...............

Expert Comment

ID: 23260184
Here is my fix
Create the /offlinesam=C:\source.txt
copy file to destination server
add the following lines to the end of the file
domaina=the SID for the domain
domainb=the SID for the domain
I used psgetSID to get the sid of one  domain controller in each domain

Then I created a temp folder on my destination server with all the users and groups on it
I then created another /offlinesam=Destination.txt of the temp file
I then appended the contents of the destination file to the end of the source file and ran the command as follows
Subinacl /offlinesam=C:\source.txt /subdirect C:\data\*.* /changedomain=domaina=domain

Sample file
domaina\domain users=MYSIDA
domainb\domain users=MYSIDB

Accepted Solution

dsesko earned 500 total points
ID: 23260202
Upon further testing
i also found that if you remove the  __cachefileonly__  from the top of the source file and just add the
the sid from the source domain it works as well

Hope this helps

domaina\domain users=MYSIDA

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In a recent article here at Experts Exchange (, I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Learn about cloud computing and its benefits for small business owners.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now