Transfer File Permission to new domain

JP42 asked:
I am looking to move equipment to a new domain. I have the new server setup (DC) and I have already been migrating workstations.
I have three file and print servers to migrate, though, which means that once I migrate them to the new domain, all of the NTFS and share permissions will be lost.
I cannot create a trust between the two DCs.
Is there a way I can change the permissions from one domain to the new domain and automate it?

All the users in both domains are the same.

i.e. change domain1\user1 >> domain2\user1

Thanks in advance.
Commented:
This appears to be a job for ADMT.

The "Security Translation Wizard" is able to amend the ACL on existing objects in the old domain, so BOTH entries from the old domain and target domain exist in the ACL.

After you move the resources to a new domain (or move the file server to a new domain), use ADMT again in Remove mode to remove the SIDs from the old domain.

Q: Is the file server a member server?
Q: Are you using local security groups to assign permissions?
Q: Are you completely re-installing a new fileserver and moving the files, or are you removing/adding the existing server to a new domain?
Commented:
Why can't you create a trust? Is SBS involved?
Anyway, to start with, make sure the LOCAL(!) Administrators group on the current file server has Full Access to the complete structure.
Then you can use robocopy to copy the files including their current NTFS permissions to the new domain.
Some hints:
- robocopy will *by default* only copy files that aren't in the target already.
- If you want to do several sync runs, you can use /mir to delete files in the target that aren't in the source anymore.
- You might want to set /r (retry) and /w (wait) to something more useful in a LAN, like /r:2 /w:1.
- use /copyall to copy NTFS permissions as well.
- Check robocopy.doc in the ResKit installation folder (to run it, you actually only need robocopy.exe); it's very useful documentation.
- You can safely use /nfl (no file list) and /ndl (no directory list) to reduce the log file size; errors will still be logged.
- Use /np if you're logging to a text file, otherwise the log will be filled with control characters.
- If you're migrating to W2k8, robocopy's already included.

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

GUI wrappers are available, too:
RoboCopy GUI 1.0.0.24
http://www.softpedia.com/get/System/OS-Enhancements/RoboCopy-GUI.shtml

Utility Spotlight Robocopy GUI
http://technet.microsoft.com/en-us/magazine/2006.11.utilityspotlight.aspx

Once you have the files on the new machine, you can use subinacl.exe (use the download linked below, NOT the v4 that's included in the ResKit) to change the permissions. You can use the ResKit help for subinacl examples.
/alternatesamserver could perhaps work (with an existing \\olddc\ipc$ connection with an administrative user); otherwise check whether /offlinesam helps you any.
For starters, I'd copy only a single folder tree without files over (use /XF *.* in the command line). Then start testing with subinacl on that structure.
Once you have the necessary subinacl commands at hand, I'd do the following (assuming you don't have to care about file permissions, only folder):
1. Copy the complete folder tree with permissions (/COPY:DATS), but without files (/XF *.*)
2. Make it known that from this moment on, and until the file server migration is complete, there will be no more changes to the permissions.
3. Change the permissions in the folder structure (which should be comparatively fast)
4. Copy the files into the folder structure WITHOUT permissions.
5. Repeat step 4 daily with /MIR until you're ready to go online with the new server.

SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

Helpful tool to analyze permissions: DumpSec
http://www.systemtools.com/somarsoft/index.html


Rant32,
the ADMT requires a trust between the domains.

Author

Commented:
Ok so let me clarify a bit...

I cannot create a trust because of political reasons between us and the company we are splitting off from.
The file server is just moving to the new domain, so I will not need to copy files to another file server.

I like your idea about using SUBINACL, just not sure how the procedure would go.
NOTE: Both domains are on the same subnet and I have established local admin accounts to all devices.
Do I migrate the file server to the new domain first and then use SUBINACL with the /offlinesam option?
How do I acquire the offlinesam file? What format?

I would hate to migrate the server first, lose my permissions and then find that I can't get SUBINACL to work. Suggestions?

Thanks for dumpsec, I like that.
Commented:
You wouldn't need a full two-way trust to make the migration a lot easier. A one-way trust would be enough, where the side with the PTB is the trusted (account) domain, and the other the resource domain. In a W2k3 AD, that could even be combined with selective authentication.
Moving the file server is of course riskier, but it works the same way: copy an empty test folder structure with permissions to a machine in the new domain (or to an NTFS formatted USB drive that you then attach on a machine in the new domain, whatever).
Test subinacl.
Once you've got it working, to avoid surprises, copy the complete (empty) folder structure to a server in the new domain, and test whether subinacl runs over the complete structure without issues (note that even if you don't copy the files, the MFT can grow to several GB depending on the number of folders!).
Once you're sure subinacl can handle the structure, change the domain membership of the server and run your subinacl commands.
The "offline sam" is a text file, enter
subinacl /help /offlinesam
(or accordingly "subinacl /help /<AnyArgument>") for a description.
Do I need to mention backup?

Author

Commented:
Could you provide an example of subinacl to convert the permissions from one domain to another?

I am converting a file and print server so permissions will need to be changed for shares, file security, printers, and services.

Thanks.
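The domain1\user1 >> domain2\user1 translation discussed in this thread, as an added PowerShell example that is not from any of the posters and does not use subinacl: it relies only on Get-Acl/Set-Acl, follows the "test on an empty folder tree first" advice above, and covers NTFS folder ACLs only (not shares, printers or services). Step 1 must run while the server is still a member of the old domain, because once it has left a domain it does not trust, the old SIDs no longer resolve to names; the map file then lets step 2 rewrite those raw SIDs after the join. Domain names, paths and the map file name are placeholders.

```powershell
# Step 1 (run in the OLD domain): record old-domain SID -> sAMAccountName for every
# explicit ACE in the tree. Returns the number of distinct identities captured.
function Export-AclIdentityMap {
    param([string]$Root, [string]$OldDomain, [string]$MapFile)
    $map = @{}
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            $name = $ace.IdentityReference.Value                      # e.g. DOMAIN1\user1
            if ($name -like "$OldDomain\*") {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                $map[$sid] = $name.Split('\')[1]                      # SID -> user/group name
            }
        }
    }
    $map.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } | Set-Content -LiteralPath $MapFile
    return $map.Count
}

# Step 2 (run after joining the NEW domain): replace every explicit ACE whose SID is in the
# map with an identical ACE for NEWDOMAIN\<same name>. Inherited ACEs are skipped because
# they are rewritten at the parent. -WhatIf reports the folders that would change without
# touching them. Returns the number of folders (to be) modified. Run elevated; the accounts
# must already exist in the new domain (the thread states they do).
function Convert-FolderAcl {
    param([string]$Root, [string]$NewDomain, [string]$MapFile, [switch]$WhatIf)
    $map = @{}
    foreach ($line in Get-Content -LiteralPath $MapFile) { $sid, $user = $line -split '=', 2; $map[$sid] = $user }
    $changed = 0
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        $dirty = $false
        foreach ($ace in @($acl.Access)) {
            if ($ace.IsInherited) { continue }
            # Unresolvable old-domain identities surface as raw SIDs; Translate is a no-op on those.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if (-not $map.ContainsKey($sid)) { continue }
            $newId  = New-Object System.Security.Principal.NTAccount($NewDomain, $map[$sid])
            $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule($newId, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            $acl.RemoveAccessRuleSpecific($ace)
            $acl.AddAccessRule($newAce)
            $dirty = $true
        }
        if ($dirty) { $changed++; if (-not $WhatIf) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl } }
    }
    return $changed
}

# Example usage (placeholders): before the move, then after the move with a dry run first.
# Export-AclIdentityMap -Root 'D:\Shares' -OldDomain 'DOMAIN1' -MapFile 'C:\migrate\sidmap.txt'
# Convert-FolderAcl -Root 'D:\Shares' -NewDomain 'DOMAIN2' -MapFile 'C:\migrate\sidmap.txt' -WhatIf
```

Compare the -WhatIf count against a DumpSec report of the tree before committing; any folder whose old ACEs remain as raw SIDs afterwards is an account that exists in the old domain only.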
