Robocopy - Security Permissions Issue

I used robocopy to transfer files from an old webserver to the new webserver.  I made sure to have all of the user accounts created on the new server before moving the data.  I used the /COPYALL /SEC /E switches with the command.  Some of the permissions have copied over, but for other folders, it's set them as Account Unknown, even though the user account has been created.  Is there another switch I should be using at the end?  Also, how do I remove all of the Account Unknown's now?

I need to go live by Friday, with tomorrow for final testing, so any help today would be much appreciated!

Thanks,
Bridget
bridgetimiller Asked:
 
oBdA Commented:
As I said: "The only permissions that you now see with resolved names are accounts with 'Well-known SIDs', that is, accounts that have the same SID on all NT based machines" (see http://support.microsoft.com/kb/243330).
The only way to clone the SID would be with another Sysinternals tool, NewSID (http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx); but I would only do that immediately after the initial OS install, not on a system that's already configured. But even then you wouldn't be able to recreate the same groups, because you'd have to create the exact same accounts in the exact same order as you did on the original machine.
Depending on how many groups and folders you have, and the complexity of the permissions, it could indeed be easier to just recreate the permissions manually.
 
oBdA Commented:
robocopy worked just fine. The problem is that you did *NOT* recreate the user accounts. User accounts have a SID based on the machine they were created on, and different machines have different SIDs. It doesn't matter whether the accounts have the same name, the SIDs are different. The only permissions that you now see with resolved names are accounts with "Well-known SIDs", that is, accounts that have the same SID on all NT based machines (like Administrators or System).
You should be able to replace the permissions on the new server with the new accounts using subinacl; install the Resource Kit Tools (if you haven't done so yet) for the subinacl help, then install the subinacl download (the version that's included in the ResKit is buggy!).

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

Download details: SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b
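To see which entries the answer above is describing, the following added example (not part of the original thread and not posted by either participant) lists every explicit ACE under a folder whose SID cannot be resolved on the local machine, which is what Explorer shows as "Account Unknown", and removes those entries when run with -Remove. It assumes PowerShell 3.0 or later and an elevated prompt; the default path D:\wwwroot and the function name Test-OrphanSid are placeholders chosen for the example.

```powershell
# Added example: find (and optionally remove) ACEs whose SID does not resolve locally.
param(
    [string]$Root = 'D:\wwwroot',   # assumption: placeholder for the copied web root
    [switch]$Remove                 # without this switch the script only reports
)

# Hypothetical helper: $true when the SID maps to no account on this machine.
function Test-OrphanSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $false               # resolves, e.g. a well-known SID such as Administrators
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        return $true                # issued by another machine or a deleted account
    }
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit (non-inherited) ACEs only, with identities returned as raw SIDs.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $changed = $false
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        if (Test-OrphanSid $sid) {
            [pscustomobject]@{
                Path       = $item.FullName
                Sid        = $sid.Value
                IssuingSid = $sid.AccountDomainSid   # machine/domain part; matches the old server
                Rights     = $rule.FileSystemRights
                Type       = $rule.AccessControlType
            }
            if ($Remove) { $acl.RemoveAccessRuleSpecific($rule); $changed = $true }
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it once without -Remove and keep the output: the Rights column records what each old account had, which is what the replacement accounts on the new server need to be granted.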
 
bridgetimiller (Author) Commented:
Thanks - I figured it was something like that.  So, what commands do I use to switch the SID?  I see the findsid command to find out what it is, but how do I change it?
 
oBdA Commented:
You will probably need the /subdirectories object type, the /changedomain action, and the /offlinesam option because you're working with local accounts.
You can retrieve the SIDs from the old machine using PsGetSid from http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx to create the offline sam file.
Enter
subinacl /help /subdirectories
subinacl /help /changedomain
subinacl /help /offlinesam
for details, and/or use the ResKit help as well.
You might want to start with a test copy in a temporary folder; note robocopy's /create option, which will only create empty files and the folders, so it won't use any serious space, and it can be recopied quickly if something gets messed up.
 
bridgetimiller (Author) Commented:
Quick Question - How come some of the permissions came over from the old server to the new server and some didn't?  Also, is there a way I could just manually recreate the Accounts to get them to match?  Or somewhere I can just edit the SID?  The above method is a little intimidating to me.
 
bridgetimiller (Author) Commented:
Eh, I think I'll just go into the folders and manually modify the permissions - remove the account unknowns and just add in the ones that should be there.
 
bridgetimiller (Author) Commented:
Yep, started doing the manual thing. Should only take me an hour or so I hope :)  Thanks for your help
Question has a verified solution.