leeroberts-8039 asked MotoX80 answered

Fix acl on copied data

I have recently migrated a domain. As part of the migration we created a trust and then copied the users & security groups from that domain to our AD. Today we got a copy of the shared data. This data included all the old ACLs. Unfortunately these ACLs still relate to the old domain. I’ve been trying to change these using Get-Acl / Set-Acl but I’m having no luck. I was wondering if anyone had a script that can do this?

windows-server, windows-server-powershell

What did you use to migrate the domain? Usually, a tool would have updated the sidHistory property on the new user with the SID from the old domain.


Hi,

Thank you for getting back to me. That’s correct, the SID did come across with the migration. So the home drive folders work okay. All the security groups and membership migrated fine. But unfortunately the data had to be copied using robocopy. So when I check the security on the files it shows like below:

Group1 (olddomain\group1)

Instead of

Group 1 (newdomain\group 1)

Like all my other files

leeroberts-8039 answered RichMatheisen-8856 commented

This is what I have currently that displays the permissions, but where I go from here is beyond me, unfortunately.

 # List every access rule on each folder under the given path ("FilePath" is a placeholder)
 $FolderPath = Get-ChildItem -Directory -Path "FilePath" -Recurse -Force
 $Output = @()
 ForEach ($Folder in $FolderPath) {
     $Acl = Get-Acl -Path $Folder.FullName
     ForEach ($Access in $Acl.Access) {
         # One output row per access rule (ACE)
         $Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
         $Output += New-Object -TypeName PSObject -Property $Properties
     }
 }
 $Output | Out-GridView

You can really screw up an ACL if you aren't careful, making the file/directory inaccessible. Just sayin'.

If you're unsure about how to go about this, the ICACLS tool is probably the safest way of doing this.

If you want to use PowerShell there are numerous articles that will turn up with simple web searches like "set ntfs permissions powershell", "powershell change ACL SID", "Powershell NTFS permissions sid", etc.
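One way to go from listing ACEs to rewriting them with Get-Acl / Set-Acl, as an added example that is not from any poster in this thread. It assumes every group or user has the same account name in both domains; the function name Convert-AclDomain, the NetBIOS names OLDDOMAIN and NEWDOMAIN, and the paths are placeholders.

```powershell
# Added example; Convert-AclDomain and every value passed to it are placeholders.
function Convert-AclDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OldDomain,
        [Parameter(Mandatory)][string]$NewDomain,
        [Parameter(Mandatory)][string]$BackupCsv    # original SDDL per item, for rollback
    )
    $prefix = "$OldDomain\"
    $items  = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl    = Get-Acl -LiteralPath $item.FullName
        $before = $acl.Sddl                          # captured before any change
        # Explicit ACEs only: inherited ones are fixed by fixing their parent.
        $oldAces = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        })
        $changed = $false
        foreach ($ace in $oldAces) {
            $name = $ace.IdentityReference.Value.Substring($prefix.Length)
            try {
                # Assumption: the account name is identical in the new domain.
                $account = [System.Security.Principal.NTAccount]::new($NewDomain, $name)
                $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
                $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $account, $ace.FileSystemRights, $ace.InheritanceFlags,
                    $ace.PropagationFlags, $ace.AccessControlType)
            } catch {
                # Unresolvable account or unsupported rights value: leave this ACE untouched.
                Write-Warning "Skipped '$($ace.IdentityReference)' on $($item.FullName): $_"
                continue
            }
            $acl.AddAccessRule($rule)                # grant the new-domain account first
            $acl.RemoveAccessRuleSpecific($ace)      # then drop the old-domain ACE
            $changed = $true
        }
        if ($changed -and $PSCmdlet.ShouldProcess($item.FullName, 'Rewrite old-domain ACEs')) {
            [pscustomobject]@{ Path = $item.FullName; Sddl = $before } |
                Export-Csv -LiteralPath $BackupCsv -Append -NoTypeInformation
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}
# Dry run against a test copy first:
# Convert-AclDomain -Path 'D:\Test\Share' -OldDomain 'OLDDOMAIN' -NewDomain 'NEWDOMAIN' -BackupCsv 'D:\acl-backup.csv' -WhatIf
```

Run it from an elevated session, since Set-Acl also writes the owner back. A saved SDDL string can be restored by calling `SetSecurityDescriptorSddlForm` on a fresh `Get-Acl` object and passing that object to `Set-Acl`.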

MotoX80 answered RichMatheisen-8856 commented

The subinacl utility from the old Win2003 Resource Kit has a /replace switch which I used on Win10 to replace one local group with another.


 subinacl /subdirectories c:\temp\foo1\ /replace="Netmon Users"="IIS_IUSRS"

It also has some domain migration switches, but I no longer have access to an AD domain to test with.

 /action      :
     /replace=[DomainName\]OldAccount=[DomainName\]New_Account
     /accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
     /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]



I have SubInAcl version 5.2.3790.1180, but I don't remember where I got it from. I looked for it on MS's download site but I can't find it.

I found this link, but I don't know if I trust it. If you download it, I'd recommend doing it in a sandbox environment and scanning it for malware. And definitely test it on some sample folders before you touch your main data.

https://windows-resource-kit-tools-subinacl-exe.software.informer.com/

@RichMatheisen-8856 any help with subinacl?


MS took down the link for that stuff a long time ago! But how about from here? confirmation.aspx or here? a8bf4c50-1d43-4f03-b6f9-f62deab010fb

Keep in mind that it's not supported on anything later than Windows Server 2003.

MotoX80 answered

Did subinacl work or are you still looking for a script?
