ADMT and or Scripting ACL changes.

**pete** · 25th October 2006, 02:57 PM

I've just moved users, their passwords and SIDs from an NT4 domain to a 2003 one, I backed up the files on the old DC/fileserver using microsoft backup and am now restoring on the new dc/fileserver.

As the SIDs moved over ok, I was kind of expecting the permissions to reflect new domain membership, but they haven't (though they have retained old domain acls, and can use them - 2-way trust).

Have I missed something? If not, is there an easy way to script ACL changes such that an acl with OLDDOMAIN\JoeBloggs is converted to NEWDOMAIN\JoeBloggs? Is it possible to script this kind of search and replace with acls?

Sorry, I didn't rtfm before I posted - just noticed subinacl does have search and replace functionality.

**djm968** · 25th October 2006, 03:41 PM

It is possible to script ACL changes. I would write a script to set or remove permissions as required, something like this should do the trick

Code:

  for /f "Tokens=1,2 Delims=," %%a in (createusers.txt) do (
	cacls "userhomefolderpath\%%a" /T /G "newdomain\%%a":F /e
                cacls "userhomefolderpath\%%a" /T /E /R "olddomain\%%a"
)

To run this script you will need to export usernames from the active driectory to a txt file.

**Ric_** · 25th October 2006, 06:28 PM

Also read the thread at http://edugeek.net/index.php?name=Fo...ewtopic&t=3314 for a script that might do what you want

**ajbritton** · 25th October 2006, 07:10 PM

Did you use ADMT to migrate user accounts? If you did, then the new user accounts should have the old SIDs in the SID History fields.

**pete** · 25th October 2006, 08:38 PM

Thanks all,

Since the permissions from the old domain are still there I dumped a list of users and groups and then just called subinacl to replace domain1\user with domain\user2.

However, the permissions make no sense (in terms of who can access what), so I need to grab a deputy head and make them to write down who should have what.

@ajbritton,
Yeah, I did. I was expecting olddomain\account to be automatically translated into newdomain\account when I looked at file > properties > security, but it didn't happen.

Migrating files from a ~ 10 year old file share is interesting.cn

LinkBack

Thread Tools

Search Thread

ADMT and or Scripting ACL changes.

Re: ADMT and or Scripting ACL changes.

Re: ADMT and or Scripting ACL changes.

Re: ADMT and or Scripting ACL changes.

Re: ADMT and or Scripting ACL changes.

Similar Threads

Scripting Resources

New to scripting

ADMT v2

ADMT V3

Scripting IP configuration.

Thread Information

Users Browsing this Thread

Posting Permissions