Windows File Server Migration - Without TrustWindows 2003 Permissions ProblemList existing file server...
Why is commutativity optional in multiplication for rings?
Can chords be played on the flute?
Why do neural networks need so many training examples to perform?
Skis versus snow shoes - when to choose which for travelling the backcountry?
Criticizing long fiction. How is it different from short?
How would an AI self awareness kill switch work?
Eww, those bytes are gross
Has the Isbell–Freyd criterion ever been used to check that a category is concretisable?
What do the pedals on grand pianos do?
If I delete my router's history can my ISP still provide it to my parents?
g++ and clang++ different behaviour with recursive initialization of a static member
How can I mix up weapons for large groups of similar monsters/characters?
What is the purpose of easy combat scenarios that don't need resource expenditure?
I am on the US no-fly list. What can I do in order to be allowed on flights which go through US airspace?
Understanding CSS letter-spacing: is it valid to replace the default value of normal with 0?
what is the difference between throw e and throw new Exception(e)
How to approximate rolls for potions of healing using only d6's?
Finding the number of integers that are a square and a cube at the same time
What to do when being responsible for data protection in your lab, yet advice is ignored?
What's the purpose of these copper coils with resitors inside them in A Yamaha RX-V396RDS amplifier?
Charged enclosed by the sphere
What prevents the construction of a CPU with all necessary memory represented in registers?
Do my Windows system binaries contain sensitive information?
Finding the value of P(x)
Windows File Server Migration - Without Trust
Windows 2003 Permissions ProblemList existing file server permission groups/usersWhat is the most efficent way to grant a user ready-only permisson to all folders and files on a file server?Moving Windows Users Home directorysReplace User within Active Directory File Server ShareServer 2008 R2 > 2012 MigrationWill Windows Server 2012 support a nested conditional forwarder?Why can't I see the file version of files in system32 remotely?Domain & file server migrationFile server for two windows domain
We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.
Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.
I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.
windows-server-2012 network-share file-permissions
New contributor
add a comment |
We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.
Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.
I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.
windows-server-2012 network-share file-permissions
New contributor
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
1
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago
add a comment |
We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.
Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.
I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.
windows-server-2012 network-share file-permissions
New contributor
We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.
Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.
I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.
windows-server-2012 network-share file-permissions
windows-server-2012 network-share file-permissions
New contributor
New contributor
edited 2 days ago
scetoaux
1,03211025
1,03211025
New contributor
asked Mar 1 at 7:37
DaveDave
61
61
New contributor
New contributor
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
1
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago
add a comment |
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
1
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
1
1
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago
add a comment |
2 Answers
2
active
oldest
votes
I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.
Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.
New contributor
add a comment |
You can use icacls to export and import your permissions, while also replacing any group/user.
Example: icacls D:Main /save Main_Perms.cfg /t /c
If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.
Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c
Note: when restoring permissions from the file, you should specify the path to the parent directory instead.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Dave is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956281%2fwindows-file-server-migration-without-trust%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.
Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.
New contributor
add a comment |
I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.
Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.
New contributor
add a comment |
I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.
Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.
New contributor
I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.
Scrips I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.
New contributor
New contributor
answered yesterday
DaveDave
61
61
New contributor
New contributor
add a comment |
add a comment |
You can use icacls to export and import your permissions, while also replacing any group/user.
Example: icacls D:Main /save Main_Perms.cfg /t /c
If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.
Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c
Note: when restoring permissions from the file, you should specify the path to the parent directory instead.
add a comment |
You can use icacls to export and import your permissions, while also replacing any group/user.
Example: icacls D:Main /save Main_Perms.cfg /t /c
If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.
Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c
Note: when restoring permissions from the file, you should specify the path to the parent directory instead.
add a comment |
You can use icacls to export and import your permissions, while also replacing any group/user.
Example: icacls D:Main /save Main_Perms.cfg /t /c
If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.
Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c
Note: when restoring permissions from the file, you should specify the path to the parent directory instead.
You can use icacls to export and import your permissions, while also replacing any group/user.
Example: icacls D:Main /save Main_Perms.cfg /t /c
If needed, the saved file can be altered and adapted to new user names. Replacing a specific user name group is just a mass-rename in the file of the NTFS S-ID.
Then you can import them back: icacls D: /restore Main_Perms.cfg /t /c
Note: when restoring permissions from the file, you should specify the path to the parent directory instead.
answered 6 hours ago
OvermindOvermind
936512
936512
add a comment |
add a comment |
Dave is a new contributor. Be nice, and check out our Code of Conduct.
Dave is a new contributor. Be nice, and check out our Code of Conduct.
Dave is a new contributor. Be nice, and check out our Code of Conduct.
Dave is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956281%2fwindows-file-server-migration-without-trust%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
So practically you need a way to mass-apply new permissions ?
– Overmind
Mar 1 at 7:59
1
helgeklein.com/blog/2012/07/…
– joeqwerty
2 days ago
@Overmind yes, we need to mass-apply new permissions.
– Dave
2 days ago
@joeqwerty that is one I found. I can't tell though from reading if that tool needs access to the old domain and the new domain. I'm worried that once we take the server out of the old domain, it won't be able to match everything up since the mapping file would be usernames not SID.
– Dave
2 days ago