Ryfujk

Why is commutativity optional in multiplication for rings?

Can chords be played on the flute?

Why do neural networks need so many training examples to perform?

Skis versus snow shoes - when to choose which for travelling the backcountry?

Criticizing long fiction. How is it different from short?

How would an AI self awareness kill switch work?

Eww, those bytes are gross

Has the Isbell–Freyd criterion ever been used to check that a category is concretisable?

What do the pedals on grand pianos do?

If I delete my router's history can my ISP still provide it to my parents?

g++ and clang++ different behaviour with recursive initialization of a static member

How can I mix up weapons for large groups of similar monsters/characters?

What is the purpose of easy combat scenarios that don't need resource expenditure?

I am on the US no-fly list. What can I do in order to be allowed on flights which go through US airspace?

Understanding CSS letter-spacing: is it valid to replace the default value of normal with 0?

what is the difference between throw e and throw new Exception(e)

How to approximate rolls for potions of healing using only d6's?

Finding the number of integers that are a square and a cube at the same time

What to do when being responsible for data protection in your lab, yet advice is ignored?

What's the purpose of these copper coils with resitors inside them in A Yamaha RX-V396RDS amplifier?

Charged enclosed by the sphere

What prevents the construction of a CPU with all necessary memory represented in registers?

Do my Windows system binaries contain sensitive information?

Finding the value of P(x)

Windows File Server Migration - Without Trust

Windows 2003 Permissions ProblemList existing file server permission groups/usersWhat is the most efficent way to grant a user ready-only permisson to all folders and files on a file server?Moving Windows Users Home directorysReplace User within Active Directory File Server ShareServer 2008 R2 > 2012 MigrationWill Windows Server 2012 support a nested conditional forwarder?Why can't I see the file version of files in system32 remotely?Domain & file server migrationFile server for two windows domain

1

We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.

Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.

I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.

windows-server-2012 network-share file-permissions

share|improve this question

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So practically you need a way to mass-apply new permissions ?
  
  – Overmind
  Mar 1 at 7:59
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  helgeklein.com/blog/2012/07/…
  
  – joeqwerty
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Overmind yes, we need to mass-apply new permissions.
  
  – Dave
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
  
  – Dave
  2 days ago
  

  
  
  
  

add a comment | 

1

We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.

Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.

I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.

windows-server-2012 network-share file-permissions

share|improve this question

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So practically you need a way to mass-apply new permissions ?
  
  – Overmind
  Mar 1 at 7:59
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  helgeklein.com/blog/2012/07/…
  
  – joeqwerty
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Overmind yes, we need to mass-apply new permissions.
  
  – Dave
  2 days ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
  
  – Dave
  2 days ago
  

  
  
  
  

add a comment | 

We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.

Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.

I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.

windows-server-2012 network-share file-permissions

share|improve this question

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 2 days ago

scetoaux

1,03211025

edited 2 days ago

scetoaux

1,03211025

asked Mar 1 at 7:37

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked Mar 1 at 7:37

DaveDave

61

2 Answers
2

active

oldest

votes

0

I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.

Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.

share|improve this answer

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

You can use icacls to export and import your permissions, while also replacing any group/user.

Example: icacls D:Main /save Main_Perms.cfg /t /c

If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.

Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c

Note: when restoring permissions from the file, you should specify the path to the parent directory instead.

share|improve this answer

answered 6 hours ago

OvermindOvermind

936512

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Dave is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956281%2fwindows-file-server-migration-without-trust%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.

Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.

share|improve this answer

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.

Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.

share|improve this answer

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.

Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.

share|improve this answer

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

DaveDave

61

New contributor

Dave is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

DaveDave

61

0

You can use icacls to export and import your permissions, while also replacing any group/user.

Example: icacls D:Main /save Main_Perms.cfg /t /c

If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.

Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c

Note: when restoring permissions from the file, you should specify the path to the parent directory instead.

share|improve this answer

answered 6 hours ago

OvermindOvermind

936512

add a comment | 

0

You can use icacls to export and import your permissions, while also replacing any group/user.

Example: icacls D:Main /save Main_Perms.cfg /t /c

If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.

Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c

Note: when restoring permissions from the file, you should specify the path to the parent directory instead.

share|improve this answer

answered 6 hours ago

OvermindOvermind

936512

add a comment | 

You can use icacls to export and import your permissions, while also replacing any group/user.

Example: icacls D:Main /save Main_Perms.cfg /t /c

If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.

Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c

Note: when restoring permissions from the file, you should specify the path to the parent directory instead.

share|improve this answer

answered 6 hours ago

OvermindOvermind

936512

share|improve this answer

answered 6 hours ago

OvermindOvermind

936512

answered 6 hours ago

OvermindOvermind

936512

answered 6 hours ago

OvermindOvermind

936512