# NTFS Permissions *Bulk Change*

So I'm in the process of building a new File Server.  I have used the Microsoft FSMT (File Server Migration Tool) to copy all the shares/data from the old file server to the new one in a new domain.  The new domain and old domain have trusts setup already.  I have also created all the user accounts from the old domain over to the new domain.  My question is how can I easily add the NTFS permissions for the new domain accounts to the new file server.

Example right now I have shares on the new file server giving (User1@olddomain.local) access to the files.  I need a script/program to traverse through all the sub folders/files and see that User1@olddomain.local has access to the folder/file and add User1@newdomain.local with the matching NTFS permissions.

Author Commented:
Yeah, I have seen XCalcs and supercalcs, and it's not quite what I'm trying to accomplish.  I need an application or script that can do it with some logic behind it.  For example, it will go folder by folder and see what permissions it has and from there try to match it with the same user in the new domain.

For example it will go through Folder1 and see that User@olddomain.local and User2@olddomain.local have read/write access to that folder.  The application/script would then know to look in AD and find a user to match it.  It would of course find User@newdomain.local and User2@newdomain.local and add those 2 users to the folder and give it read/write access.

The only other way I was thinking this would work is if the application/script allowed me the option to build a relationship database mapping the user accounts.

PowerShell Developer Commented:

Hmm... Let's see. If you were to go with PowerShell, you could potentially do something like this... Currently it is set to run for a single folder; if it works (I've tested it, of course :)), making it find folders to work on is very easy.

If you need it... PowerShell is here:

http://support.microsoft.com/kb/968929

Chris
```powershell
$Path      = "C:\Test"
$OldDomain = "Old-Domain"     # NetBIOS Name
$NewDomain = "New-Domain"     # NetBIOS Name

# Get the current Security Descriptor
$ACL = Get-Acl $Path

# Get current Access and filter down to ACEs applied here (not inherited) for users
# in the old domain
$ACL.Access |
    Where-Object { $_.IsInherited -eq $False -and $_.IdentityReference.Value -like "$OldDomain\*" } |
    ForEach-Object {
        # Create the new Identity string (will be NewDomain\OriginalUsername)
        $Identity = $_.IdentityReference.Value -replace $OldDomain, $NewDomain

        # Build a new rule based on the current rule
        $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            $_.FileSystemRights,
            $_.InheritanceFlags,
            $_.PropagationFlags,
            $_.AccessControlType)

        # Add the new rule to the Access Control List
        $ACL.AddAccessRule($NewRule)

        # Remove the old access rule from the Access Control List
        $ACL.RemoveAccessRule($_)
    }

# Apply the modified Access Control List
Set-Acl $Path -AclObject $ACL
```

Systems engineer Commented:

Take a look at subinacl.exe, which is part of the resource kit.

Replace a single user:

```cmd
subinacl.exe /subdirectories c:\path\to\folder /replace=olddomain\olduser=newdomain\newuser
```

Replace domain:

```cmd
subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain
```

The changedomain action can be used with a mapping file if you only want to affect specific users. The trailing "=both" is used if it shall both first check for a match in the mapping file and also use the replace of having the same username in the old and new domain.

```cmd
subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain=mappingfile=both
```

subinacl.exe is downloadable from MS: http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Author Commented:

Chris-Dent - Your solution isn't working for me. Under $OldDomain I have "Olddomain.com" (don't ask me why the old administrator did that). Under $NewDomain I have "Newdomain.local".  It does nothing when I run it like this.  When I have those values changed to not have the .com and .local, I get an error "Some or all identity references could not be translated", and then when I check the file permissions it has removed the permission for User@olddomain.com altogether.

henjoh09 - I'm currently testing your solution now and will update you as soon as my testing is done.

PowerShell Developer Commented:

It must be the NetBIOS name (rather than olddomain.com). The Trustee, the bit we're testing, doesn't use the DNS domain name so the test will fail if you do.

Chris

Author Commented:
I have tried it with the NetBIOS name (olddomain) and the NetBIOS name for the new domain (newdomain) and it does nothing when I run it.

PowerShell Developer Commented:

Hmm well, to be honest I'd go with subinacl if that one works for you. I wasn't aware that option existed and tend to write my own things more quickly than look. It is, of course, easier to test / use if you write it in the first place :)

Chris
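The approach the thread converges on (walk the tree, find explicit old-domain ACEs, grant the mapped new-domain account the same rights, keep the old ACE in place, use NetBIOS names, and drive exceptions through a mapping like subinacl's "=both") as an added example; this is not code from the thread, from Chris or from henjoh09. The `$Root` path, the NetBIOS names and the `$UserMap` entries are constructed placeholders.

```powershell
# Added example: add a NewDomain ACE beside every explicit OldDomain ACE in a tree.
# Constructed/assumed values: $Root, the NetBIOS domain names and the $UserMap entries.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root      = 'C:\Test',
    [string]$OldDomain = 'OLDDOMAIN',   # NetBIOS name, not olddomain.com
    [string]$NewDomain = 'NEWDOMAIN',
    # old SAM account name -> new SAM account name; accounts not listed fall back
    # to the same name in the new domain (like subinacl's "=both" behaviour)
    [hashtable]$UserMap = @{ 'User1' = 'User1'; 'jdoe' = 'john.doe' }
)

# The root itself plus everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # Only ACEs set directly on this object; inherited ones follow from the parent.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        if ($id -notlike "$OldDomain\*") { continue }
        $oldUser = $id.Substring($OldDomain.Length + 1)
        $newUser = if ($UserMap.ContainsKey($oldUser)) { $UserMap[$oldUser] } else { $oldUser }
        $newId   = "$NewDomain\$newUser"

        # Idempotent: skip when the matching ACE for the new account is already present.
        $dup = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $newId -and
            $_.FileSystemRights -eq $ace.FileSystemRights -and
            $_.AccessControlType -eq $ace.AccessControlType }
        if ($dup) { continue }

        try {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($rule)   # added beside the old ACE; nothing is removed
            $changed = $true
        } catch {
            # "Some or all identity references could not be translated": the new
            # account cannot be resolved across the trust. Report it and carry on.
            Write-Warning "$($item.FullName): $newId - $($_.Exception.Message)"
        }
    }
    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, "Set-Acl (+$NewDomain ACEs)")) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it with `-WhatIf -Verbose` first to list which objects would be rewritten before touching any ACL.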
