NTFS Permissions - Brand New Domain, New Servers, Same Users and Groups


We are currently in the process of rebuilding our infrastructure from 2003 SBS to Server 2012 R2.  One of the tasks I am faced with is the migration of the file server.  I am currently testing this out before we go live.  I was able to recreate all users and groups on the test environment running 2012.  I am looking for a way to copy the NTFS permissions or set the permissions as they were in the previous environment.  I am building the new domain with the same namespace as the existing domain and using the same server names.  I use Acronis for backup and, with the option to restore NTFS permissions, I get the correct rights set; however, the entries are for SIDs of the users in the old domain.  I am able to restore the data successfully, however, I need the ability to back up and restore the NTFS permissions to the new domain.  Is there any utility which will allow me to set the permissions via username instead of SID?

Any assistance with this would be very much appreciated.

David Johnson, CD, MVP (Owner) commented:
> I am building the new domain with the same namespace as the existing domain and using the same server names

What you are seeing is display names, and Windows doesn't use these at all. When you create a new ANYTHING it will get a new SID, and Windows uses SIDs to prevent someone from impersonating your network.  What you need to do is start over.

1) install the new server with a temporary name
2) join it to the domain
3) now you have the users and the SID's
4) copy over the older files using robocopy source dest /SEC /E /ZB
5) add hyper-v role and create a new temporary DC
7) create your shares to match the older system.
8) unplug this server or put it in a separate network that can't see the original server
9) on the hyper-V DC do the same so it can't see the original DC
10) seize the FSMO Roles on the HV DC
11) change the name of the host server
12) on the HV DC remdom the domain
13) reboot both
14) change the host pc name
15) promote it to a DC
16) Seize the roles
17) remove the DC role from the HV machine
18) stop and delete the HV machine
19) remove the HV role

At each stage you will have to check the replication status and wait for it to complete.
You can now test the new machine.

NVIT (End-user support) commented:
Try this...

On a test folder on the source server, save the permissions of the d:\Test directory and all its subdirectories to a file named permissions.txt:
icacls d:\test\* /save permissions.txt /t /c

On a test folder (with the same folders & files) at the target server, restore the saved permissions of the d:\Test directory and all its subdirectories:
icacls d:\ /restore permissions.txt

Review the target result. If you are satisfied, do a real folder. Or, if you're adventurous...the whole drive.

Try Below

For Share permissions, you need to backup share permissions on source server and restore it on target server.

For NTFS permissions, use the Subinacl utility.
You can back up NTFS permissions from the source server with Subinacl and then restore them on the target server with Subinacl.

Prerequisites / Assumptions:
Your source and target domain names are the same.
You have already created the same users and groups in the target domain as in the source.
You have already created the same directory structure on the target file server as on the source.

3GKID (Author) commented:

David, wow, that's quite a bit.  Would this work with Exchange 2013?  We are also looking to go to 2013 from 2003.  I know the two can't exist in the same forest.

I have checked icacls and SetACL, which allow you to save the permissions into a file and restore them from it.  The only issue that I have is that the users or groups are SIDs as opposed to usernames.

Is there a bulk find and replace utility?  I can generate a table of SIDs from both the new domain and old domain.



This way, I can find and replace any instance of the SID in the save file using the left-hand value and replacing it with the right-hand value.  Then, after doing the find and replace on the save file, I can use it to apply the permissions.

How many users and computers do you have in the source domain?
NVIT (End-user support) commented:
> I am looking for a way to copy the NTFS permissions or set the permissions as they were in the previous environment..

You can also use robocopy to do this. See the text "...the second Robocopy command will refresh file security for all files, without copying any file data"

3GKID (Author) commented:
Mahesh, I have around 80 users in the source domain.  I was able to recreate the users, groups and group memberships in the new domain.  User home folders are not an issue.  It's the department folders that will be a bit problematic.  In addition to each department having access to their own folder, additional folders within the department folders have further permissions to allow or deny certain users access.

NVIT, with robocopy, wouldn't you need both the source and destination folders to be in the same domain or at least accessible to the machine running robocopy?
NVIT (End-user support) commented:
> with robocopy, wouldn't you need both the source and destination folders to be in the same domain or at least accessible to the machine running robocopy?

3GKID (Author) commented:
Will robocopy translate the security information since the users are in separate domains with separate SIDs?
If you have created the users in the target domain, I think you can use Subinacl to just replay your security based on SamAccountName.

Robocopy will not work across domains.
3GKID (Author) commented:
Hi Mahesh,

Actually, the Subinacl document is one that I have printed and gone through.  If it would allow a mapping file for SIDs, like


I would be able to use acronis and recover the NTFS permissions, then use the subinacl command to replace the SIDs of users and groups from the old domain with those in the new domain.
3GKID (Author) commented:
> I think you can use subinacl to just replay your security based on samaccountname

How would you go about doing this?
I understand that NTFS works with SIDs; however, you can try backing up a small folder with Subinacl on the source and restoring it on the target server.
Please check the link in my first comment on using Subinacl.

It's difficult to map SIDs between the old and new domain, but there is one option you can try:
Download a free copy of Bulk AD Users from WiseSoft.
Export all users in the source domain including the SID (you can add the SID as a custom attribute there, which can be exported).
Also export all users from the target domain including the SID, and then do the SID pairing to restore permissions with Subinacl.
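The SID pairing that Mahesh describes here, and the bulk find-and-replace that 3GKID asked about earlier in the thread, can be done in one script. The following is an added example, not code from the thread or from any of the tools named in it (Bulk AD Users, icacls, Subinacl). It assumes two CSV exports, one per domain, with the columns SamAccountName and SID (one row per user or group), and an ACL file produced by icacls /save, which writes UTF-16 text with a path line followed by that object's SDDL line. Every path below is a hypothetical placeholder.

```powershell
# Added example, not code from the thread or any of the tools it names.
# Pairs accounts between the old and new domain by SamAccountName, builds an
# old-SID -> new-SID map, and rewrites the SDDL lines of an icacls /save file.
# Assumptions (all paths below are hypothetical): both CSV exports carry the
# columns SamAccountName and SID, and the ACL file came from
# "icacls <root>\* /save <file> /t /c" (UTF-16 text, path line then SDDL line).
[CmdletBinding()]
param(
    [string]$OldExport = 'C:\migrate\old-domain-accounts.csv',
    [string]$NewExport = 'C:\migrate\new-domain-accounts.csv',
    [string]$AclFile   = 'C:\migrate\permissions.txt',
    [string]$OutFile   = 'C:\migrate\permissions-remapped.txt'
)

# SamAccountName (case-insensitive) -> SID, for each domain.
$oldBySam = @{}
Import-Csv -Path $OldExport | ForEach-Object { $oldBySam[$_.SamAccountName.ToLowerInvariant()] = $_.SID }
$newBySam = @{}
Import-Csv -Path $NewExport | ForEach-Object { $newBySam[$_.SamAccountName.ToLowerInvariant()] = $_.SID }

# Old SID -> new SID wherever the same account name exists in both domains.
$sidMap = @{}
foreach ($sam in $oldBySam.Keys) {
    if ($newBySam.ContainsKey($sam)) {
        $sidMap[$oldBySam[$sam]] = $newBySam[$sam]
    } else {
        Write-Warning "No account named '$sam' in the new domain; its ACEs are left as-is"
    }
}

# An SDDL line starts with an O:, G:, D: or S: component and never contains a
# backslash; path lines do (or are bare names), so this tells the two apart.
function Test-SddlLine([string]$Line) {
    return ($Line -match '^[OGDS]:') -and ($Line -notmatch '\\')
}

# Replace longest SIDs first so that a SID that is a prefix of another
# (RID 100 vs. RID 1001, say) can never be partially rewritten.
$orderedOld = @($sidMap.Keys | Sort-Object -Property Length -Descending)
$leftover   = @{}
$output = foreach ($line in (Get-Content -Path $AclFile -Encoding Unicode)) {
    if (-not (Test-SddlLine $line)) { $line; continue }
    $sddl = $line
    foreach ($old in $orderedOld) { $sddl = $sddl.Replace($old, $sidMap[$old]) }
    # Any domain SID (S-1-5-21-...) still present was not paired. Well-known SIDs
    # such as S-1-5-32-544 (BUILTIN\Administrators) are deliberately untouched.
    foreach ($m in [regex]::Matches($sddl, 'S-1-5-21-\d+-\d+-\d+-\d+')) {
        if (-not $sidMap.ContainsValue($m.Value)) { $leftover[$m.Value] = $true }
    }
    $sddl
}
Set-Content -Path $OutFile -Value $output -Encoding Unicode

"Paired {0} accounts; {1} old-domain SIDs remain unmapped." -f $sidMap.Count, $leftover.Count
$leftover.Keys | Sort-Object
```

Run it, check that the list of unmapped SIDs is empty (each one is an account that was not recreated, or was recreated under a different name), and only then apply the rewritten file with icacls /restore as in NVIT's answer above. Pairing by name rather than by SID is the whole point: the new domain's SIDs have nothing in common with the old ones, so any entry the script cannot pair would survive as an orphaned SID after the restore.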
3GKID (Author) commented:
Hi Mahesh,

It looks like subinacl will do exactly what I need.  I tried it on one of the department folders and it looks like it worked successfully.  I am going to restore my entire directory tree and see what happens.  I will keep you updated.

3GKID (Author) commented:
Hi Mahesh,

Subinacl worked perfectly.  I updated to the latest version of it and was able to back up and restore the permissions successfully to the new environment.  It worked with my entire departments' directory structure.  The nice thing is that the file produced is in human-readable format, so the users can be modified.  I had to do SID cleanup with the SetACL command.  For some reason, I was not able to with Subinacl.

This has definitely put me quite a few steps in the right direction with my upgrade.

Thank you so much!!!!
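The "SID cleanup" step 3GKID mentions (orphaned entries for old-domain SIDs that no longer resolve to any account) can also be done natively with Get-Acl and Set-Acl. The following is an added example, not the author's SetACL step and not code from the thread, Subinacl or SetACL. It assumes PowerShell 5.1 or later on the new file server, an account that holds WRITE_DAC on the tree (for instance the owner), and a placeholder root path.

```powershell
# Added example, not code from the thread, Subinacl or SetACL. Walks a restored
# tree, reports every explicit (non-inherited) ACE whose principal no longer
# resolves to an account, and removes those ACEs when run without -WhatIf.
# Assumptions: PowerShell 5.1+, an account with WRITE_DAC on the tree, and a
# placeholder root path.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'D:\Departments'   # hypothetical root of the restored tree
)

function Test-OrphanedIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl tries to translate each SID to DOMAIN\name. A principal that is
    # still a raw SecurityIdentifier (displayed as S-1-...) could not be
    # resolved; after a cross-domain restore that means the old domain's SID.
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return $true }
    return ($Identity.Value -match '^S-1-\d+(-\d+)+$')
}

$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Inherited orphans cannot be removed on the child; they disappear once the
    # parent that carries the explicit entry is cleaned, so only explicit ACEs
    # are touched here.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-OrphanedIdentity $_.IdentityReference)
    })
    if ($orphans.Count -eq 0) { continue }

    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
        }
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($orphans.Count) orphaned ACE(s)")) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

$report | Format-Table -AutoSize
```

Run it with -WhatIf first and read the report: a SID also fails to resolve when the server cannot reach a domain controller at that moment, so a long list of orphans that all share the new domain's SID prefix is a connectivity problem, not leftover permissions. Only entries from the old domain should appear; those are dead weight that hides the effective permissions from anyone reviewing the ACL later.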
Good to hear that.

Please clarify one thing:
Have you modified anything in the Subinacl output before restoring?

Because if I recollect, Subinacl stores usernames instead of SIDs in its output, which can be restored as long as the username is present.
3GKID (Author) commented:
Hi Mahesh,

The only thing I did was a find and replace for a couple of usernames that I needed to change in the new domain.  It was extremely simple since the output was usernames instead of SIDs.  The other tools that I looked at exported SIDs instead.  This did the job perfectly!

Thanks again.