NTFS Permissions *Bulk Change*

Posted on 2010-01-04
Last Modified: 2013-06-13
So I'm in the process of building a new File Server.  I have used the Microsoft FSMT (File Server Migration Tool) to copy all the shares/data from the old file server to the new one in a new domain.  The new domain and old domain have trusts set up already.  I have also created all the user accounts from the old domain in the new domain.  My question is: how can I easily add the NTFS permissions for the new domain accounts on the new file server?

Example right now I have shares on the new file server giving (User1@olddomain.local) access to the files.  I need a script/program to traverse through all the sub folders/files and see that User1@olddomain.local has access to the folder/file and add User1@newdomain.local with the matching NTFS permissions.
Question by:ladiesnhan

    Expert Comment

    by:Darius Ghassem

    Author Comment

    Yeah, I have seen XCalcs and supercalcs and it's not quite what I'm trying to accomplish.  I need an application or script that can do it with some logic behind it.  For example, it will go folder by folder, see what permissions a folder has and from there try to match them with the same user in the new domain.

    For example, it will go through Folder1 and see that User@olddomain.local and User2@olddomain.local have read/write access to that folder.  The application/script would then know to look in AD and find a user to match.  It would of course find User@newdomain.local and User2@newdomain.local, add those 2 users to the folder and give them read/write access.

    The only other way I was thinking this would work is if the application/script allowed me the option to build a relationship database mapping the user accounts.

    Expert Comment

    by:Chris Dent

    Hmm... Let's see. If you were to go with PowerShell, you could potentially do something like this... It is currently set to run for a single folder; if it works (I've tested it, of course :)), making it find folders to work on is very easy.

    If you need it... PowerShell is here:

    $Path = "C:\Test"
    $OldDomain = "Old-Domain"     # NetBIOS Name
    $NewDomain = "New-Domain"     # NetBIOS Name
    # Get the current Security Descriptor
    $ACL = Get-ACL $Path
    # Get current Access and filter down to ACEs applied here (not inherited) for users
    # in the old domain. .Access returns a snapshot, so modifying $ACL inside the loop is safe.
    $ACL.Access | ?{ 
        $_.IsInherited -eq $False -And $_.IdentityReference.Value -Like "$OldDomain\*" } | %{
      # Create the new Identity string (will be NewDomain\OriginalUsername); anchored so only
      # the leading "Domain\" part is replaced
      $Identity = $_.IdentityReference.Value -Replace "^$OldDomain\\", "$NewDomain\"
      # Build a new rule based on the current rule (same rights, inheritance, propagation, allow/deny)
      $NewRule = New-Object Security.AccessControl.FileSystemAccessRule(
        $Identity, $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags, $_.AccessControlType)
      # Add the new rule to the Access Control List
      $ACL.AddAccessRule($NewRule)
      # Remove the old access rule from the Access Control List
      $ACL.RemoveAccessRule($_) | Out-Null
    }
    # Apply the modified Access Control List
    Set-ACL $Path -AclObject $ACL



    Accepted Solution

    Take a look at subinacl.exe, which is part of the Resource Kit.

    Replace a single user:
    subinacl.exe /subdirectories c:\path\to\folder /replace=olddomain\olduser=newdomain\newuser

    Replace domain:
    subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain

    The changedomain action can be used with a mapping file if you only want to affect specific users. The trailing "=both" is used if it should first check for a match in the mapping file and also fall back to replacing accounts that have the same username in the old and new domain.

    subinacl.exe /subdirectories c:\path\to\folder /changedomain=olddomain=newdomain=mappingfile=both

    subinacl.exe is downloadable from MS:

    Author Comment

    Chris-Dent - Your solution isn't working for me.  Under $OldDomain I have "" (don't ask me why the old administrator did that).  Under $NewDomain I have "Newdomain.local".  It does nothing when I run it like this.  When I change those values to not have the .com and .local, I get the error "Some or all identity references could not be translated", and when I then check the file permissions it has removed the permission altogether.

    henjoh09 - I'm currently testing your solution now and will update you as soon as my testing is done.

    Expert Comment

    by:Chris Dent

    It must be the NetBIOS name (rather than the DNS domain name). The Trustee, the bit we're testing, doesn't use the DNS domain name, so the test will fail if you do.

    LVL 6

    Author Comment

    I have tried it with the NetBIOS name (olddomain) and the NetBIOS name for the new domain (newdomain) and it does nothing when I run it.

    Expert Comment

    by:Chris Dent

    Hmm well, to be honest I'd go with subinacl if that one works for you. I wasn't aware that option existed and tend to write my own things more quickly than look. It is, of course, easier to test / use if you write it in the first place :)
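    Editor's note: the following is an added example, not code posted by anyone in the thread. It combines the per-ACE PowerShell approach from the first answer with the user-mapping idea of the subinacl /changedomain=...=mappingfile=both answer and the asker's request for a mapping "database": it walks a share root recursively, maps each old-domain account through a hashtable (falling back to the same username in the new domain), and resolves every target account to a SID before touching the ACL, so the "Some or all identity references could not be translated" failure cannot remove an existing ACE without adding its replacement. The root path, NetBIOS domain names and mapping entries are placeholders; it assumes Windows PowerShell 3.0 or later (for -LiteralPath on Get-Acl/Set-Acl) and a trust that lets the new domain's accounts be resolved from the file server.

```powershell
# Added example (not from the original thread). Remaps non-inherited NTFS ACEs from
# OLDDOMAIN\user to NEWDOMAIN\user (or a mapped name) under a share root.
# Path, domain names and mapping entries below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root      = 'D:\Shares',
    [string]$OldDomain = 'OLDDOMAIN',    # NetBIOS name, as it appears in IdentityReference
    [string]$NewDomain = 'NEWDOMAIN',    # NetBIOS name of the new domain
    # old sAMAccountName -> new sAMAccountName, only for accounts whose names differ
    [hashtable]$UserMap = @{ 'jsmith' = 'john.smith' },
    [switch]$RemoveOld                   # default: add new ACEs and keep the old ones
)

function Resolve-NewIdentity {
    # Returns an NTAccount for the new-domain counterpart, or $null if it cannot be
    # resolved to a SID (unknown account, trust not reachable, ...).
    param([string]$OldValue)
    $user    = $OldValue.Substring($OldDomain.Length + 1)       # strip "OLDDOMAIN\"
    $newUser = if ($UserMap.ContainsKey($user)) { $UserMap[$user] } else { $user }
    $account = New-Object System.Security.Principal.NTAccount($NewDomain, $newUser)
    try {
        # Translate() throws when the account does not exist; this is the same check
        # Set-Acl would otherwise fail on, done before anything is modified.
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        return $account
    } catch {
        Write-Warning ("Cannot resolve '{0}\{1}' for '{2}': {3}. ACE left untouched." -f
            $NewDomain, $newUser, $OldValue, $_.Exception.Message)
        return $null
    }
}

$targets = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $targets) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    # .Access is a snapshot, so modifying $acl inside the loop is safe.
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                       # inherited ACEs come from the parent
        if ($ace.IdentityReference.Value -notlike "$OldDomain\*") { continue }
        $newId = Resolve-NewIdentity $ace.IdentityReference.Value
        if (-not $newId) { continue }                            # never drop an ACE we cannot replace
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newRule)
        if ($RemoveOld) { $null = $acl.RemoveAccessRule($ace) }
        $changed = $true
        Write-Verbose ("{0}: {1} -> {2} ({3} {4})" -f $item.FullName,
            $ace.IdentityReference.Value, $newId.Value, $ace.AccessControlType, $ace.FileSystemRights)
    }
    if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Set-Acl')) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

    Run it first with -WhatIf -Verbose to see every ACE it would add without writing anything, then without -WhatIf to add the new-domain ACEs while the old ones stay in place (the trusted old accounts keep working during cutover), and only add -RemoveOld once the new domain accounts have been confirmed to work. Deny ACEs are carried over with the same AccessControlType, so a denied old-domain user is also denied as the new-domain user.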

