How to Migrate File / Folder permissions between different domains

We are performing a migration from SBS2008 to Server2012 for a customer and they require a domain name change.
We would like to move the contents of the data folder and mirror the folder permissions to the same users and groups in the new domain.
We have examined "setacl", but this only seems to work where an inter-domain trust relationship can be established; this does not seem possible with SBS.
"icacls" only seems to export the actual SIDs, and these do not translate to the same groups/users in the same domain.
SubInACL is only for 2003, apparently.
Is this possible through a PowerShell script, perhaps? Can we export the existing permissions to CSV, replace the old domain name with the new domain name, and then import again?
Does anyone have a script they would like to share?
KCITS asked:

NVIT (End-user support) commented:
Have you considered...
The Microsoft File Server Migration Toolkit, which migrates folders between servers
http://blogs.technet.com/b/canitpro/archive/2014/11/06/step-by-step-migrating-a-2003-file-server-with-microsoft-file-server-migration-toolkit.aspx
KCITS (Author) commented:
We need to migrate from 2008 to 2012 not from 2003, also there will be a domain-name change during the transition. Server names are dissimilar also.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
The correct FSMT instructions are posted here: https://technet.microsoft.com/de-de/library/jj863566.aspx. As I read it, the destination server needs to have access to the source domain, and that should be available - you can trust a SBS domain, but not include a trust in SBS (AFAIK).
KCITS (Author) commented:
Thanks, but as we were not able to connect both domain controllers at the same time, we followed the process below to export permissions for all folders with 'non-inheritable' rights to a CSV in PowerShell, and then, after copying the data to the new server, overwrite the folder permissions with a second script. Thanks to Kelvin Barret: http://rk13log.blogspot.com.au/2014/02/export-and-import-ntfs-permission-with.html

ExportPermissions.ps1

Get-ChildItem "E:\" -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName
  # Exclude inherited rights from the report
  (Get-Acl $Path).Access | ?{ !$_.IsInherited } | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights
} | Export-CSV "c:\drivers\Permissions.csv"

---------------------------------------------------------------------------------

importpermissions.ps1

$par = Import-Csv -Path "c:\Drivers\Permissions.csv"

foreach ( $i in $par )
{
    $path = $i.Path
    $IdentityReference = $i.IdentityReference
    $AccessControlType = $i.AccessControlType
    $InheritanceFlags = $i.InheritanceFlags
    $PropagationFlags = $i.PropagationFlags
    $FileSystemRights = $i.FileSystemRights
    # Show the folder and identity being processed
    echo $path $IdentityReference
    $acl = Get-Acl $path
    # Constructor arguments in the order FileSystemAccessRule expects
    $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags,
        $PropagationFlags, $AccessControlType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    # SetAccessRule replaces any existing rule for the same identity and access type
    $acl.SetAccessRule($accessRule)
    #$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
    #$objACL.AddAccessRule($objACE)
    $acl | Set-Acl $path
}

This worked successfully, though the inheritable 'Allow' permissions were required to be removed prior to the permission overwrite, and this did not reset the inheritable tag; each folder that was not to inherit permissions was required to have this status changed manually.
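
A variant of the two scripts above, added here as an example and not part of the original post or the linked blog: the export also records whether inheritance is blocked on each folder, and the import rewrites the old domain prefix, checks that every account resolves in the new domain, and restores the inheritance flag. OLDDOM, NEWDOM, the function names and the paths are placeholders.

```powershell
# Added example: OLDDOM, NEWDOM and all paths are placeholders, not values from the thread.
function Export-FolderAcl {            # run on the old server
    param([string]$Root, [string]$CsvPath)
    Get-ChildItem $Root -Recurse | Where-Object { $_.PsIsContainer } | ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl $path
        # Protected = inheritance is blocked on this folder (not captured by the original export)
        $acl.Access | Where-Object { -not $_.IsInherited } | Select-Object `
            @{n='Path';e={ $path }}, @{n='Protected';e={ $acl.AreAccessRulesProtected }},
            IdentityReference, AccessControlType, InheritanceFlags,
            PropagationFlags, FileSystemRights
    } | Export-Csv $CsvPath -NoTypeInformation
}

function Import-FolderAcl {            # run on the new server after copying the data
    param([string]$CsvPath, [string]$OldDomain, [string]$NewDomain)
    $prefix = '^' + [regex]::Escape($OldDomain) + '\\'
    Import-Csv $CsvPath | Group-Object Path | ForEach-Object {
        $path = $_.Name
        $group = $_.Group
        $unresolved = @()
        $rules = foreach ($row in $group) {
            # Rewrite only OLDDOM\name; BUILTIN\ and NT AUTHORITY\ entries pass through
            $id = $row.IdentityReference -replace $prefix, ($NewDomain + '\')
            try {   # the account must already exist in the new domain
                $nt = New-Object System.Security.Principal.NTAccount -ArgumentList $id
                [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { $unresolved += $id; continue }
            New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id,
                ([System.Security.AccessControl.FileSystemRights]$row.FileSystemRights),
                ([System.Security.AccessControl.InheritanceFlags]$row.InheritanceFlags),
                ([System.Security.AccessControl.PropagationFlags]$row.PropagationFlags),
                ([System.Security.AccessControl.AccessControlType]$row.AccessControlType)
        }
        if ($unresolved) {   # never write a partial ACL: leave the folder untouched
            Write-Warning "$path skipped, unresolved: $($unresolved -join ', ')"
            return
        }
        $acl = Get-Acl -LiteralPath $path
        if ($group[0].Protected -eq 'True') {
            $acl.SetAccessRuleProtection($true, $false)  # block inheritance, drop inherited ACEs
        }
        # AddAccessRule keeps several ACEs for one identity; SetAccessRule would overwrite them
        foreach ($r in $rules) { $acl.AddAccessRule($r) }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}
# Export-FolderAcl -Root 'E:\' -CsvPath 'C:\drivers\Permissions.csv'
# Import-FolderAcl -CsvPath 'C:\drivers\Permissions.csv' -OldDomain 'OLDDOM' -NewDomain 'NEWDOM'
```

Run the import against a copy of a few folders first and review the warnings; any folder listed there keeps whatever ACL the file copy gave it.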
NVIT (End-user support) commented:
Thanks for the update, KCIT