How to Migrate File / Folder permissions between different domains

We performing a migration from SBS2008 to Server2012 for a customer and they require a domain name change.
We would like to move the contents of the data folder and mirror the folder permissions to the same users and groups in the new domain.
We have examined "setacl" but this only seems to work where an inter-domain trust relationship can be established, this does not seem possible with SBS.
"icacls" only seems to export the actual SIDs and these do not translate to the same groups/users in the same domain.
SubInACL is only for 2003 apparently
Is this possible through a powershell script perhaps, can we export the existing permissions to csv and perhaps replace the old domainname with the new domainname and then import again?
Does anyone have a script they would like to share?
Who is Participating?
KCITSAuthor Commented:
Thanks, but as we were not able to connect both domain controllers at the same time, we followed the process below to export permissions for all folders with 'non-inheritable' rights to a csv in PowerShell and then after copying the data to the new server over write the  folder permissions with a second script: Thanks to Kelvin Barret 


 Get-ChildItem "E:\" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName
  # Exclude inherited rights from the report
  (Get-Acl $Path).Access | ?{ !$_.IsInherited } | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights
} | Export-CSV "c:\drivers\Permissions.csv"



$par = Import-Csv -Path "c:\Drivers\Permissions.csv"

foreach ( $i in $par )
 $path= $i.Path
 $IdentityReference= $i.IdentityReference
        $InheritanceFlags= $i.InheritanceFlags
        echo $path $IdentityReference
        $acl = Get-Acl $path
        $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags,
        $PropagationFlags, $AccessControlType
        $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
        #$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule     ($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
        $acl | Set-Acl $path

This worked successfully though the inheritable 'Allow' permissions were required to be removed prior to the permission overwrite, and this did not reset the inheritable tag, each folder that was not to inherit permissions was required to have this status changed manually.
Have you considered...
The Microsoft File Server Migration Toolkit, which migrates folders between servers
KCITSAuthor Commented:
We need to migrate from 2008 to 2012 not from 2003, also there will be a domain-name change during the transition. Server names are dissimilar also.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
The correct FSMT instructions are posted here: As I read it, the destination server needs to have access to the source domain, and that should be available - you can trust a SBS domain, but not include a trust in SBS (AFAIK).
KCITSAuthor Commented:
Thanks for the update, KCIT
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.