

NTFS Permissions *Bulk Change*

So I'm in the process of building a new File Server.  I have used the Microsoft FSMT (File Server Migration Tool) to copy all the shares/data from the old file server to the new one in a new domain.  The new domain and old domain have trusts set up already.  I have also created all the user accounts from the old domain over in the new domain.  My question is: how can I easily add the NTFS permissions for the new domain accounts to the new file server?

For example, right now I have shares on the new file server giving (User1@olddomain.local) access to the files.  I need a script/program to traverse through all the sub folders/files, see that User1@olddomain.local has access to the folder/file, and add User1@newdomain.local with the matching NTFS permissions.
ladiesnhanAuthor Commented:
Yeah, I have seen XCACLS and SuperCACLS and they're not quite what I'm trying to accomplish.  I need an application or script that I can do it with, with some logic behind it.  For example, it will go folder by folder and see what permissions it has and from there try to match it with the same user in the new domain.

For example, it will go through Folder1 and see that User@olddomain.local and User2@olddomain.local have read/write access to that folder.  The application/script would then know to look in AD and find a user to match it.  It would of course find User@newdomain.local and User2@newdomain.local, add those 2 users to the folder and give them read/write access.

The only other way I was thinking this would work is if the application/script allowed me the option to build a relationship database mapping the user accounts.
Chris DentPowerShell DeveloperCommented:

Hmm... Let's see. If you were to go with PowerShell, you could potentially do something like this... Currently set to run for a single folder; if it works (I've tested it, of course :)) making it find folders to work on is very easy.

If you need it... PowerShell is here:


$Path = "C:\Test"
$OldDomain = "Old-Domain"     # NetBIOS Name
$NewDomain = "New-Domain"     # NetBIOS Name

# Get the current Security Descriptor
$ACL = Get-Acl -LiteralPath $Path

# Get current Access and filter down to ACEs applied here (not inherited) for users
# in the old domain. Collect them first so the ACL is not modified while its
# Access collection is being enumerated.
$AccessRights = @($ACL.Access | Where-Object {
    $_.IsInherited -eq $False -and $_.IdentityReference.Value -like "$OldDomain\*" })

$AccessRights | ForEach-Object {
  $Ace = $_

  # Create the new Identity string (will be NewDomain\OriginalUsername); only the
  # leading "Old-Domain\" prefix is replaced
  $Identity = $Ace.IdentityReference.Value -replace ("^" + [regex]::Escape($OldDomain) + "\\"), "$NewDomain\"

  # Make sure the new account resolves before touching the ACL; otherwise Set-Acl
  # fails with "Some or all identity references could not be translated" and the
  # old rule has already been removed
  try {
    $null = ([Security.Principal.NTAccount]$Identity).Translate([Security.Principal.SecurityIdentifier])
  } catch {
    Write-Warning "Cannot resolve $Identity; leaving $($Ace.IdentityReference.Value) in place"
    return
  }

  # Build a new rule based on the current rule (same rights, inheritance, propagation, Allow/Deny)
  $NewRule = New-Object Security.AccessControl.FileSystemAccessRule(
    $Identity, $Ace.FileSystemRights, $Ace.InheritanceFlags, $Ace.PropagationFlags, $Ace.AccessControlType)

  # Add the new rule to the Access Control List
  $ACL.AddAccessRule($NewRule)

  # Remove the old access rule from the Access Control List
  $null = $ACL.RemoveAccessRule($Ace)
}

# Apply the modified Access Control List
Set-Acl -LiteralPath $Path -AclObject $ACL


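The single-folder snippet above adds and removes ACEs on one path only. The following is an added example, not code from the thread or from either commenter, that does what the question actually asks for: walk a whole share tree, and for every explicit old-domain ACE add a matching new-domain ACE (keeping the old one, since the trust still exists), with an optional old-name to new-name table for accounts that were renamed during the migration. The root path `D:\Shares`, the NetBIOS names `OLDDOM`/`NEWDOM` and the two entries in `$Map` are assumptions for illustration.

```powershell
# Added example (not from the original thread). Assumed values: root path,
# NetBIOS names and the sample mapping entries below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root      = 'D:\Shares',   # assumed share root
    [string]$OldDomain = 'OLDDOM',      # assumed NetBIOS names, not DNS names
    [string]$NewDomain = 'NEWDOM'
)

# Explicit old -> new SamAccountName mapping for accounts that were renamed
# (constructed sample entries); anything not listed maps to the identical
# name in the new domain.
$Map = @{
    'jsmith'    = 'john.smith'
    'backupsvc' = 'svc-backup'
}

function Get-MappedIdentity([string]$OldValue) {
    $name = $OldValue.Substring($OldDomain.Length + 1)      # strip "OLDDOM\"
    if ($Map.ContainsKey($name)) { $name = $Map[$name] }
    return "$NewDomain\$name"
}

# Translate to a SID through the trust; a failure here is what Set-Acl would
# later report as "Some or all identity references could not be translated".
function Test-Resolvable([string]$Account) {
    try {
        $null = ([Security.Principal.NTAccount]$Account).Translate(
                    [Security.Principal.SecurityIdentifier])
        return $true
    } catch { return $false }
}

# Root folder plus every subfolder and file (files carry their own ACEs where
# inheritance was broken); -Force includes hidden and system items.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Only explicit ACEs; inherited ones are fixed by fixing the parent.
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like "$OldDomain\*" })
    if ($explicit.Count -eq 0) { continue }

    $changed = $false
    foreach ($ace in $explicit) {
        $newId = Get-MappedIdentity $ace.IdentityReference.Value
        if (-not (Test-Resolvable $newId)) {
            Write-Warning "$($item.FullName): $newId does not resolve, skipping"
            continue
        }
        # Same rights, inheritance, propagation and Allow/Deny as the old ACE
        $rule = New-Object Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($rule)   # old-domain ACE is left in place
        $changed = $true
        Write-Verbose "$($item.FullName): +$newId $($ace.AccessControlType) $($ace.FileSystemRights)"
    }
    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Update ACL')) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it first with `-WhatIf -Verbose` to see which paths and accounts would change without writing anything, and run it elevated from an account that has Change Permissions on the tree. Deny ACEs are copied as Deny, so the new-domain account ends up with exactly the access the old one had, including any explicit denials.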

Henrik JohanssonSystems engineerCommented:
Take a look at subinacl.exe, which is part of the resource kit.

Replace a single user:
subinacl.exe /subdirectories c:\path\to\folder /replace=olddomain\olduser=newdomain\newuser

Replace domain:
subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain

The changedomain action can be used with a mapping file if you only want to affect specific users. The trailing "=both" is used if it should first check for a match in the mapping file and also replace by matching the same username in the old and new domain.

subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain=mappingfile=both

subinacl.exe is downloadable from MS:
ladiesnhanAuthor Commented:
Chris-Dent - Your solution isn't working for me.  Under $OldDomain I have "Olddomain.com" (don't ask me why the old administrator did that).  Under $NewDomain I have "Newdomain.local".  It does nothing when I run it like this.  When I change those values to not have the .com and .local I get an error "Some or all identity references could not be translated", and then when I check the file permissions it has removed the permission for User@olddomain.com altogether.

henjoh09 - I'm currently testing your solution now and will update you as soon as my testing is done.
Chris DentPowerShell DeveloperCommented:

It must be the NetBIOS name (rather than olddomain.com). The Trustee, the bit we're testing, doesn't use the DNS domain name, so the test will fail if you do.

ladiesnhanAuthor Commented:
I have tried it with the NetBIOS name (olddomain) and the NetBIOS name for the new domain (newdomain) and it does nothing when I run it.
Chris DentPowerShell DeveloperCommented:

Hmm, well, to be honest I'd go with subinacl if that one works for you. I wasn't aware that option existed and tend to write my own things more quickly than look. It is, of course, easier to test / use if you write it in the first place :)

