Robocopy - Security Permissions Issue

I used robocopy to transfer files from an old webserver to the new webserver. I made sure to have all of the user accounts created on the new server before moving the data. I used the /COPYALL /SEC /E switches with the command. Some of the permissions have copied over, but for other folders, it's set them as Account Unknown, even though the user account has been created. Is there another switch I should be using at the end? Also, how do I remove all of the Account Unknowns now?

I need to go live by Friday, with tomorrow for final testing, so any help today would be much appreciated!

Thanks,
Bridget
bridgetimiller Asked:

oBdA Commented:
robocopy worked just fine. The problem is that you did *NOT* recreate the user accounts. User accounts have a SID based on the machine they were created on, and different machines have different SIDs. It doesn't matter whether the accounts have the same name, the SIDs are different. The only permissions that you now see with resolved names are accounts with "Well-known SIDs", that is, accounts that have the same SID on all NT based machines (like Administrators or System).
You should be able to replace the permissions on the new server with the new accounts using subinacl; install the Resource Kit Tools (if you haven't done so yet) for the subinacl help, then install the subinacl download (the version that's included in the ResKit is buggy!).

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

Download details: SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b
0
bridgetimiller Author Commented:
Thanks - I figured it was something like that.  So, what commands do I use to switch the SID?  I see the findsid command to find out what it is, but how do I change it?
0
oBdA Commented:
You will probably need the /subdirectories object type, the /changedomain action, and the /offlinesam option because you're working with local accounts.
You can retrieve the SIDs from the old machine using PsGetSid from http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx to create the offline sam file.
Enter
subinacl /help /subdirectories
subinacl /help /changedomain
subinacl /help /offlinesam
for details, and/or use the ResKit help as well.
You might want to start with a test copy in a temporary folder; note robocopy's /create option, which will only create empty files and the folders, so it won't use any serious space, and it can be recopied quickly if something gets messed up.
0
bridgetimiller Author Commented:
Quick Question - How come some of the permissions came over from the old server to the new server and some didn't?  Also, is there a way I could just manually recreate the Accounts to get them to match?  Or somewhere I can just edit the SID?  The above method is a little intimidating to me.
0
bridgetimiller Author Commented:
Eh, I think I'll just go into the folders and manually modify the permissions - remove the account unknowns and just add in the ones that should be there.
0
oBdA Commented:
As I said: "The only permissions that you now see with resolved names are accounts with 'Well-known SIDs', that is, accounts that have the same SID on all NT based machines" (see http://support.microsoft.com/kb/243330).
The only way to clone the SID would be with another Sysinternals tool, NewSID (http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx); but I would only do that immediately after the initial OS install, not on a system that's already configured. But even then you wouldn't be able to recreate the same groups, because you'd have to create the exact same accounts in the exact same order as you did on the original machine.
Depending on how many groups and folders you have, and the complexity of the permissions, it could indeed be easier to just recreate the permissions manually.
0
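
An added example, not part of the original thread: a PowerShell script that walks the copied tree and reports every explicit permission entry whose SID no longer resolves to an account on the new server (the entries shown as "Account Unknown"), and removes them only when -Remove is given. The default path D:\wwwroot is a placeholder, and the script assumes an elevated session on the new server.

```powershell
# Added example: report (and optionally remove) explicit ACEs whose SID cannot be
# resolved on this machine. $Root is a placeholder for the folder robocopy populated.
param(
    [string]$Root = 'D:\wwwroot',   # hypothetical path, replace with the copied folder
    [switch]$Remove                 # without this switch the script only reports
)

$ntAccount = [System.Security.Principal.NTAccount]
$sidType   = [System.Security.Principal.SecurityIdentifier]

# The root folder itself plus every file and folder beneath it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse)

foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false

    # Explicit ACEs only ($true, $false): inherited entries are corrected at the parent.
    foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $rule.IdentityReference
        try {
            # Succeeds for well-known SIDs and for accounts that exist here.
            [void]$sid.Translate($ntAccount)
            continue
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # No account on this machine (or its domain) owns this SID.
        }

        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $sid.Value
            # Machine or domain portion of the SID; for copied local accounts
            # this is the SID of the old server, not the new one.
            IssuerSid = $sid.AccountDomainSid
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
        }

        if ($Remove) {
            $acl.RemoveAccessRuleSpecific($rule)
            $changed = $true
        }
    }

    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it without -Remove first and keep the report: the Rights and Type columns record what each orphaned entry granted, which is what has to be re-granted to the matching account on the new server.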
bridgetimiller Author Commented:
Yep, started doing the manual thing. Should only take me an hour or so I hope :)  Thanks for your help
0