question

0 Votes
mrnatsuken-6292 asked · MotoX80 commented

How to add new domain's NTFS permissions and keep the old ones

Hi Microsoft Community!

Background: New fileserver (WS2016) for the new destination domain has the same folder structure as the old fileserver (WS2008R2) from the source domain.
It also has the files copied over to the destination file server. Existing NTFS permissions (from the source domain) were also copied over.
Most user accounts and security groups also have been already migrated.


For a folder example:


SrceF1 folder currently has NTFS permissions with the following:
CREATOR
SYSTEM
SRCLocal1\Administrators
SRCLocal1\Users
SRCDomain\Help1


DestF1 folder currently has NTFS permissions with the following:

CREATOR
SYSTEM
DESTLocal\Administrators
DESTDomain\Administrators
SRCDomain\Help1


Note: The above example is just the top-level folder. There will be subfolders with different NTFS permissions.


Objective:


To add new domain NTFS permissions to the destination folder(s), checking against the existing NTFS permissions from the source domain.
DestF1 folder will have NTFS permissions like below:
CREATOR
SYSTEM
DESTLocal\Administrators
DESTDomain\Administrators
SRCDomain\Help1
DESTDomain\Help1


Attempts:
(RUN as Admin)
Subinacl -
I exported the source domain SIDs as well as the destination domain SIDs into a mapped .txt file. The file has sourceSID = destinationSID.
I then tried to use the subinacl command tool with the migratetodomain switch. The commands run successfully, but nothing changed.
I also tried using icacls -
I'm able to save the NTFS permissions to a file and restore the permissions on the destination server, but this only works for the DestF1 folder. "Access denied" is the error message I get when I try this on the other folders.
The domain admin (destination) user has Full Control and is also the owner of the folder(s).

Powershell -
I also tried the Get-ACL and Set-ACL commands in PowerShell. I exported the source NTFS permissions into 2 separate files; one for the top-level folder and another file for the subfolders. I then tried the following commands.
Ran successfully, but again no changes.


Ran successfully also, but actually removed the SRCDomain\Help1 permissions.

Maybe I need to use a for(each) loop, but I'm not sure how to.
Thank you for any suggestions or feedback.

Tags: windows-server, windows-active-directory, windows-server-migration
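The foreach approach the question is asking about, as an added example (not code from the original thread or from any of the posters): for every folder under a root, it clones each explicit (non-inherited) ACE held by a SRCDomain principal into an equivalent ACE for the same-named DESTDomain principal, keeping the original entry in place. It edits the ACL object returned by Get-Acl in place rather than overwriting it with an exported one, which is why existing entries survive. The root path, the domain names and the assumption that the DESTDomain group has the same name as the SRCDomain group are placeholders.

```powershell
# Added example, not from the original thread. Mirrors SRCDomain\<group> ACEs
# to DESTDomain\<group> on every folder under $Root while keeping the old ACEs.
# Assumptions (placeholders): the root path and that migrated groups keep their names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root         = 'D:\Shares\DestF1',   # placeholder path
    [string]$SourceDomain = 'SRCDomain',          # domain names from the question
    [string]$DestDomain   = 'DESTDomain'
)

# The root folder plus every subfolder. Files are deliberately left alone:
# they are expected to inherit from the folder they live in.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

foreach ($folder in $folders) {
    $acl     = Get-Acl -LiteralPath $folder.FullName
    $changed = $false

    # Only explicit ACEs are cloned; inherited ones arrive via the parent folder.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    foreach ($ace in $explicit) {
        $id = $ace.IdentityReference.Value              # e.g. "SRCDomain\Help1"
        if ($id -notlike "$SourceDomain\*") { continue }  # CREATOR OWNER, SYSTEM, local groups: skip

        $newId = "$DestDomain\" + $id.Substring($id.IndexOf('\') + 1)

        # Resolve the new principal first: one unresolvable name would make
        # Set-Acl fail for the whole folder instead of just this entry.
        try {
            $null = ([System.Security.Principal.NTAccount]$newId).Translate(
                        [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "$newId does not resolve; skipping it on $($folder.FullName)"
            continue
        }

        # Skip if an equivalent ACE is already there, so the script can be re-run safely.
        $dup = $explicit | Where-Object {
            $_.IdentityReference.Value -eq $newId            -and
            $_.FileSystemRights        -eq $ace.FileSystemRights -and
            $_.AccessControlType       -eq $ace.AccessControlType -and
            $_.InheritanceFlags        -eq $ace.InheritanceFlags -and
            $_.PropagationFlags        -eq $ace.PropagationFlags
        }
        if ($dup) { continue }

        # Same rights, inheritance, propagation and allow/deny type as the source ACE.
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newId, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)
        $changed = $true
        Write-Verbose "$($folder.FullName): adding $newId ($($ace.FileSystemRights))"
    }

    # Write back only when something was added; -WhatIf shows the plan without touching the DACL.
    if ($changed -and $PSCmdlet.ShouldProcess($folder.FullName, 'Set-Acl (add mirrored ACEs)')) {
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Run it first as `.\Mirror-DomainAces.ps1 -Root 'D:\Test\Folder' -WhatIf -Verbose` against a small test folder to see which entries it would add. Because the script only touches folders and only copies explicit entries, the subfolder ACEs from the question's note are handled on their own pass, and the inherited ones simply follow.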

0 Votes
Thameur-BOURBITA answered

Hi

Avoid setting a group from another domain on NTFS permissions. I recommend you create a local group in the destination domain and add it in the NTFS settings instead of SRCDomain\Help1. Once this new local group is created and set on each NTFS setting in the destination domain, you can add SRCDOMAIN\Help1 as a member of it. A local group can accept a member from another domain.

Please don't forget to mark a helpful reply as the answer.


0 Votes
MotoX80 answered

How about trying subinacl's /replace switch? I used it with local groups, so I would expect it to work with domain groups too.

https://docs.microsoft.com/en-us/answers/questions/520748/fix-acl-on-copied-data.html

subinacl /subdirectories c:\temp\foo1\ /replace="Domain1\Group1"="Domain2\Group1"

Try it on a small test folder first.



0 Votes
mrnatsuken-6292 answered · MotoX80 commented

Thanks both for your reply.
Thameur,
The SRCDomain\Help1 is a security group that was migrated over, and the NTFS permissions were copied using robocopy.

MotoX80,
I can try that command, but I'm not wanting to replace but instead to add. So the destination folder would have both the old domain and the new domain NTFS permissions.


MotoX80,

Finally got to try your command, and yep, it indeed replaces and does not add. Also, it did not replace any sub-files' permissions.

Is anyone else trying to do what I'm trying to do?

0 Votes
MotoX80 · replying to mrnatsuken-6292

> Also, it did not replace any sub-files permissions.

Is that good or bad? On the file servers that I helped support, we always managed permissions at the folder level. All files inherited the permissions from the folder that they resided in. And most sub folders inherited the permissions from their parent folder.

If you are removing inheritance from individual files and putting unique permissions on them, then I would think that micro managing those permissions might be rather time consuming.

If you are doing a domain migration, wouldn't you want to use the new domain's groups? And get rid of any reference to the old domain? I would think that would be the cleanest method.

0 Votes