HowTo: ReACLing a File Server in a Domain Migration with SetACL 3.0
When you are planning a migration of user accounts between domains, one task always pops up pretty quickly: reassigning the permissions of the users in the source domain to the corresponding users in the target domain, in other words, reACLing the file server.
Migration – the Simple Way
SetACL, the free permissions management command line tool, has had a function to automate that task for a long time. Its domain action allows you to simply copy all permissions from a source domain to a target domain:
SetACL -on D:\Data -ot file -actn domain -dom n1:MyOldDomain;n2:MyNewDomain;da:cpydom -rec cont_obj
This copies permissions for all files and directories below D:\Data from MyOldDomain to MyNewDomain.
This approach is easy and works very well, but, as always, there is a catch: it can be used only if the user names do not change in the migration. Unfortunately, this is not always the case. Organizations tend to use occasions like a migration to thoroughly spring-clean their account naming convention (“since we’re migrating anyway we might as well change the names, too!”). Or you might be involved in a more complex migration where multiple domains are consolidated. Or you just want more control over the reACLing process. Until yesterday, you had to put your scripting hat on and start hacking away to solve the more advanced scenarios. With the release of SetACL 3 this is not necessary any more.
Migration – the Flexible Way
SetACL 3 comes with a more flexible way of handling permissions migrations. Its enhanced migration engine can be used to migrate intra-domain, inter-domain or any mix of the two. To start a migration using the flexible model use a command line similar to the following:
SetACL -on D:\Data -ot file -actn trustee -trst csv:C:\temp\mappings.csv;ta:cpytrst -rec cont_obj
This instructs SetACL to copy permissions between individual users or groups for the D:\Data directory tree. Which accounts the migration is performed for is read from a simple CSV file, mappings.csv in the example, whose contents might look like this:
MyOldDomain\Joe,MyNewDomain\Peter
MyOldDomain\Mary,MyNewDomain\Mary
MyOldDomain\DG-OldDom-HelpDesk,MyNewDomain\DG-NewDom-HelpDesk
MyOtherDom\Fred,MyNewDomain\Fred
As you can see, the system is flexible, powerful, and easy to use. All you have to do is create a mapping table pairing old accounts with new accounts. If you do not want to do that or if you think it is just too much bother: the simpler method presented above still works and is still considered useful in many scenarios.
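Before running the trustee action against a large tree it pays to validate the mapping file first. The following PowerShell script is an added example, not code from the post or from SetACL: it checks that every line of mappings.csv has exactly two accounts and that each account on both sides translates to a SID, reports the offending lines, and only then runs the trustee command shown above. It assumes SetACL.exe is on the PATH, that the machine can resolve accounts in every domain named in the file, and (not documented on this page) that SetACL itself needs to resolve the accounts on both sides of a mapping.

```powershell
# Added example, not part of the original post or of SetACL.
# Assumes SetACL.exe is on the PATH and the CSV uses the
# "OldDomain\Account,NewDomain\Account" layout shown above.
param(
    [string]$MappingCsv = 'C:\temp\mappings.csv',   # path from the post
    [string]$Root       = 'D:\Data',                # tree to re-ACL
    [switch]$Run                                    # actually invoke SetACL
)

function Resolve-TrusteeSid {
    # Returns the SID string for DOMAIN\Account, or $null if it cannot be translated.
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

function Test-MappingFile {
    # Emits one object per non-empty line with the line number and a status.
    param([string]$Path)
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line.Split(',')
        if ($parts.Count -ne 2) {
            [pscustomobject]@{ Line = $lineNo; Source = $line; Target = ''; Status = 'malformed' }
            continue
        }
        $src = $parts[0].Trim(); $dst = $parts[1].Trim()
        $srcOk = [bool](Resolve-TrusteeSid $src)
        $dstOk = [bool](Resolve-TrusteeSid $dst)
        $status = if ($srcOk -and $dstOk) { 'ok' }
                  elseif (-not $srcOk -and -not $dstOk) { 'both unresolved' }
                  elseif (-not $srcOk) { 'source unresolved' }
                  else { 'target unresolved' }
        [pscustomobject]@{ Line = $lineNo; Source = $src; Target = $dst; Status = $status }
    }
}

$bad = @(Test-MappingFile -Path $MappingCsv | Where-Object Status -ne 'ok')
$bad | Format-Table -AutoSize
if ($bad.Count -gt 0) { Write-Error "Fix the $($bad.Count) entries above before re-ACLing."; exit 1 }

if ($Run) {
    # Same trustee command as in the post; the CSV path is quoted in case it contains spaces.
    & SetACL.exe -on $Root -ot file -actn trustee -trst "csv:$MappingCsv;ta:cpytrst" -rec cont_obj
}
```

Run it without -Run first to get a report only; the trustee command is executed only when every line resolves.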
26 Comments
I have a question about this approach. Can the same process for using a map file work for changing owner SIDs as well?
See my answer here: https://helgeklein.com/forum/responses/use-csv-map-file-to-change-owners-on-file-permissions-for-domain-migration
I guess there is a problem with permissions if folders have spaces, like “My Documents”. In that case it doesn’t work for me. Any idea how to solve it? :)
Why is SETACL based on the username? Why can’t it use the SID since user accounts that are migrated from domain A to domain B usually have the same SID when using a tool like ADMT.
We ran this command, although on a directory with many subfolders (200+) it did not work, so we ran a PowerShell foreach command to get around that. It successfully copies the user, but none of the actual permissions are checked… parameter we missed?
Also, we used the simple way since all of the usernames stayed the same.
Please post technical questions about our software in the forum.
How do you create a mapping file for migrated users from 1 domain to another with the same SID? Is there a tool or command that can parse both domains and match up the SIDS but export the domain1 and domain2 usernames?
Just trying to get my head around this powerful tool. I have used the example to migrate from one domain to another:
SetACL.exe -on “\\server1\share1\users” -ot file -actn domain -rec cont_obj -dom “n1:domain1;n2:domain2;da:repldom;w:dacl”
When I run the command:
SetACL.exe -on “\\server1\u$\Shared” -ot file –actn domain -rec cont_obj -dom “n1:domain 1;n2:domain 2;da:repldom;w:d,o” –log “C:\temp\SetACLReset.txt”
Receive the error message: Error in command line: Invalid option specified: -actn! I have used a similar command to get a backup and it works fine. I just can’t work out where this command is wrong! I am sure it is a simple error somewhere!
Appreciate your assistance. Thank you.
Hi there,
I used this command to test:
SetACL -on D:\test -ot file -actn domain -dom n1:MyOldDomain;n2:MyNewDomain;da:cpydom -rec cont_obj
Good news is, it does add the group from MyNewDomain to the folder and subfolders of d:\test, but, the permissions of the new addition did not match the permissions of the group from MyOldDomain.
MyOldDomain has a group called ACCOUNTING
MyNewDomain also has a group called ACCOUNTING.
ACCOUNTING has modify access. But, when running this command, the new domain ACCOUNTING’s permissions were set to special, not modify. Do you have a fix for this?
Hi,
I really love this tool! Unfortunately there are a few bugs in the DOMAIN action:
1) Without a trust it is trying to reach the domain controllers from other domains using the NETBIOS name instead of the FQDN.
Workaround: use the DNS search suffixes
2) Migration of the ACEs from Domain1 to Domain2 is changing the permissions, e.g. List -> Modify and more!
DO NOT USE DOMAIN ACTION!
@Helge how we could help you to fix your tool? Donations? :) Source Code Sharing?
You the great! Don’t let your tool die, please :)
Thank you
Ondrej Soukup
Hi,
Getting the following error
SetACL -on W:\Office Managment -ot file -actn domain -dom n1:iXXXX;n2:XXXX;da:cpydom -rec cont_obj
getting ERROR in command line: No parameter found for option Managment!
thanks
Hi
I agree with RedPlumpTomato’s comments. It is not copying the exact permissions. All the folders were updated with full permission for the group.
use gs copy
It does not keep the same source permissions on the target folder during cpydom. Is there any option to correct this? Also, I am looking to export the source permissions, modify the access and restore them with the new domain. Is there any option to enable inheritance only for files, not for folders? Icacls is not working to enable inheritance on the file level.
nice article
Hello Helge, I put the output into a log file. Is it possible to hide INFO messages and just log errors?
Thanks Alex
Tried using the remdom domain action to remove all ACE’s belonging to a domain. It gets rid of some but not all. Running many times gets rid of all eventually.
It would be great to see this tool updated with bug fixes. Also CSV input for adding ACE’s rather than command line would be great.
Trying to use the command line version for SetACL (3.0.6).
I assume the .exe just needs to be extracted and the command run from that directory, but I’m getting cmdlet not found.
Thanks.
When I run the command:
SetACL -on E:\Shares\ -ot file -actn trustee -trst csv:”C:\RDUserMappings.csv”;ta:cpytrst -rec cont_obj -ignoreerr -log “c:\\setacllogcpytrst.txt”
I just get “SetACL error message: The SID for a trustee could not be found”.
The log doesn’t tell me which SID cannot be found, so troubleshooting this in a (very) long list of mappings is near impossible.
Plus -ignoreerr is not being adhered to; it’s stopping at an error.
In a file server migration scenario, do you run SetACL on the source or destination server?
How do I restrict the command to migrate permissions only on folders and not on files?
FYI… When running SetACL, if you see a SID can’t be found error (or something similar), try specifying the SID instead of the SAMAccountname.
Is there a way to change the domain when the user is the same but the old domain is not available? Thanks a lot.
Can this be done separately without a domain trust? To install Server Essentials 2019 from scratch, I have to shut down 2012. I did this years ago with subinacl but it’s not supported now:
for /f “tokens=1,* delims=,,,” %%d in (usersngroups.csv) do (subinacl.exe /subdirectories “H:\SHARED\*.*” /replace=%%d=”COMPANY\%%e”)
Then usersngroups.csv contains a list of SIDs and names:
S-1-5-21-117609710-1801674531-682003330-4665,sean
Did you find a solution for SetACL without a domain/forest trust?
A mapping table (CSV) on SIDs, for example?