
Need help migrating between servers while changing some of the permissions

We are migrating some data and would like to change some of the groups, while preserving the rest of the permissions. What is the best approach to do that? At the moment I am thinking something along the lines of

set the permissions manually at the top level - easy

use robocopy to copy only the contents without affecting the  level folder - basically run it at "\\server\folder\subfolder" level - not ideal as I'd have to copy any files at  "\\server\folder\" level separately, and sometimes there are loads for subfolders, so plenty of robocopy instances.

run some sort of a script to get a list of subfolders where due to blocked inheritance the old group still exists and has been copied across by robocopy. maybe some get-acl/set-acl script that finds a group, removes it and adds a separate group in its place.

finally run some script to get a list of files that have manually - not likely but if it is possible, so someone would have done it.


There is a lot of data, so I am trying to use inheritance to do most of the work, and then just mop up the instances of blocked inheritance, rather than run some script against every single file.

Pete Long, Technical Consultant
Distinguished Expert 2019

Commented:
Set permissions at the folder level on the DESTINATION, then copy the files WITHOUT their ACLs


Author

Commented:
Hi Pete,

Thanks for your fast response. I would still have to find a way to set permissions for sub folders further down in the file structure that have permissions set manually. How would I do that?

I suppose if I could find a way to identify the folders with custom permissions (any non-inherited anywhere in the file structure), and then copy just those with ACLs,ly. How would I do that? Perhaps some PowerShell script to get all folders that have one or more non-inherited permissions, copy those, and then amend the permissions somehow. How can I do that?

Thanks!
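
One way to do what the post above asks for, as an added example that is not code from anyone in this thread: list every folder under a root that carries at least one non-inherited ACE, then re-create the old group's explicit ACEs for the new group with the same rights and flags. The function names, `D:\Data`, `DOMAIN\oldgroup` and `DOMAIN\newgroup` are assumed placeholders.

```powershell
# Added example. DOMAIN\oldgroup, DOMAIN\newgroup and D:\Data are placeholders.
function Get-ExplicitAclFolder {
    param([Parameter(Mandatory)][string]$Root)
    # The root itself plus every subfolder; files are not examined.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName
        # Explicit ACEs are the ones inheritance from the new top level will not replace.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $d.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Acl                = $acl
                ExplicitAces       = $explicit
            }
        }
    }
}

function Convert-ExplicitGroupAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$OldGroup,
        [Parameter(Mandatory)][string]$NewGroup
    )
    $new = [System.Security.Principal.NTAccount]$NewGroup
    foreach ($f in Get-ExplicitAclFolder -Root $Root) {
        $hits = @($f.ExplicitAces | Where-Object { $_.IdentityReference.Value -eq $OldGroup })
        if ($hits.Count -eq 0) { continue }
        foreach ($ace in $hits) {
            # Keep rights, inheritance/propagation flags and allow/deny; change only the identity.
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $new, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $f.Acl.RemoveAccessRuleSpecific($ace)
            $f.Acl.AddAccessRule($rule)
        }
        if ($PSCmdlet.ShouldProcess($f.Path, "Replace $OldGroup with $NewGroup")) {
            Set-Acl -LiteralPath $f.Path -AclObject $f.Acl
        }
    }
}

# Report first, then dry-run the swap:
# Get-ExplicitAclFolder -Root 'D:\Data' | Select-Object Path, InheritanceBlocked
# Convert-ExplicitGroupAce -Root 'D:\Data' -OldGroup 'DOMAIN\oldgroup' -NewGroup 'DOMAIN\newgroup' -WhatIf
```

With `-WhatIf` the second function reports the folders it would change without writing any ACL. An old group that no longer resolves on the destination shows up in `IdentityReference` as a SID string, so pass that SID as `-OldGroup` in that case.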
End-user support
Commented:
Here's a way using icacls.
- Make a .cmd file of this code.
- Open a cmd window in the folder to affect and run it.
- To confirm it works, run it on a test folder and sub-folders before a production folder.

@echo off
setlocal enabledelayedexpansion

REM Create the existing icacls data file.
REM After that, edit the data file, changing the group names to your needs.
REM Then, to create the icacls command (cmd) file, disable the next 2 lines.
REM icacls "C:\local\test\EE\*." /t>icacls_data2.txt
REM exit /b

set FNIcacls=.\icacls_cmd.cmd

for /f "tokens=* delims=" %%a in ('type "icacls_data2.txt"') do (
  set line=%%a
  set char=!line:~0,1!
  if "!char!" neq " " (
      for /f "tokens=1*" %%D in ('echo !line!') do (
        set dir=%%D
        set line=%%E
      )
  ) else (
    for /f "tokens=* delims= " %%G in ("!line!") do set line=%%G
  )
  if "!senttopcmds!" equ "" (
    REM Break inheritance and delete existing ACEs
    echo icacls "!dir!" /inheritance:r /t>!FNIcacls!
    set senttopcmds=1
  )
  REM Grant Permissions
  echo icacls "!dir!" /grant "!line!" /t>>!FNIcacls!
)


In the icacls_cmd.cmd file, you may need to manually revise the first line, removing the trailing folder name. Otherwise, the inheritance is reset only for that folder.
In my example, my root folder is C:\local\test\EE. But icacls_cmd.cmd shows C:\local\test\EE\1
icacls "C:\local\test\EE\1" /inheritance:r /t


So, I change it to:
icacls "C:\local\test\EE" /inheritance:r /t


Here's my example icacls_cmd.cmd file before fixing the first line and revising my domain group assignments:
icacls "C:\local\test\EE\1" /inheritance:r /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Administrators:(I)(F)" /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\SYSTEM:(I)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)" /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Users:(I)(OI)(CI)(RX)" /t
icacls "C:\local\test\EE\1" /grant "domain\oldgroup:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\Authenticated Users:(I)(M)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "domain\oldgroup:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /t


Here's my example icacls_cmd.cmd file after fixing the first line and revising my domain group assignments:
icacls "C:\local\test\EE" /inheritance:r /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Administrators:(I)(F)" /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\SYSTEM:(I)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)" /t
icacls "C:\local\test\EE\1" /grant "BUILTIN\Users:(I)(OI)(CI)(RX)" /t
icacls "C:\local\test\EE\1" /grant "domain\newgroup:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\Authenticated Users:(I)(M)" /t
icacls "C:\local\test\EE\1" /grant "NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "domain\newgroup:(OI)(CI)(F)" /t
icacls "C:\local\test\EE\AddFilesOnly" /grant "BUILTIN\Administrators:(OI)(CI)(F)" /t


icacls_cmd.cmd is now ready to run.

Author

Commented:
Very helpful. Thank you!
NVIT, End-user support

Commented:
You're welcome. I'm glad it worked out for you. Have a good one. Don't work too hard!