HowTo: ReACLing a File Server in a Domain Migration with SetACL 3.0

Helge's Tools
Published Jul 11, 2012 Updated Jun 21, 2021

When you are planning a migration of user accounts between domains one task always pops up pretty quickly: reassigning the permissions of the users in the source domain to the corresponding users in the target domain, in other words reACLing the file server.

Migration - the Simple Way

SetACL, the free permissions management command line tool, has had a function to automate that task for a long time. Its domain action allows you to simply copy all permissions from a source domain to a target domain:

SetACL -on D:\Data -ot file -actn domain -dom n1:MyOldDomain;n2:MyNewDomain;da:cpydom -rec cont_obj

This copies permissions for all files and directories below D:\Data from MyOldDomain to MyNewDomain. This approach is easy and works very well, but, as always, there is a catch: it can be used only if the user names do not change in the migration. Unfortunately, this is not always the case. Organizations tend to use occasions like a migration to thoroughly spring-clean their account naming convention (“since we’re migrating anyway we might as well change the names, too!”). Or you might be involved in a more complex migration where multiple domains are consolidated. Or you just want more control over the reACLing process. Until yesterday, you had to put your scripting hat on and start hacking away to solve the more advanced scenarios. With the release of SetACL 3 this is not necessary any more.

[Monte Vista Sandhill Crane Trip](http://www.flickr.com/photos/smazurov/3841377281/) by [Stepan Mazurov](http://www.flickr.com/photos/smazurov/) under [CC](http://creativecommons.org/licenses/by-sa/2.0/deed.de) — Monte Vista Sandhill Crane Trip by Stepan Mazurov under CC

Migration - the Flexible Way

SetACL 3 comes with a more flexible way of handling permissions migrations. Its enhanced migration engine can be used to migrate intra-domain, inter-domain or any mix of the two. To start a migration using the flexible model use a command line similar to the following:

SetACL -on D:\Data -ot file -actn trustee -trst csv:C:\temp\mappings.csv;ta:cpytrst -rec cont_obj

This instructs SetACL to copy permissions between individual users or groups for the D:\Data directory tree. Which accounts the migrations is performed for is read from a simple CSV file, mappings.csv in the example, whose contents might look like this:

MyOldDomain\Joe,MyNewDomain\Peter
MyOldDomain\Mary,MyNewDomain\Mary
MyOldDomain\DG-OldDom-HelpDesk,MyNewDomain\DG-NewDom-HelpDesk
MyOtherDom\Fred,MyNewDomain\Fred

As you can see, the system is flexible, powerful, and easy to use. All you have to do is create a mapping table pairing old accounts with new accounts. If you do not want to do that or if you think it is just too much bother: the simpler method presented above still works and is still considered useful in many scenarios.

Domain Migration Re-ACL SetACL

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Finding (Executables in) User-Writeable Directories

Finding (Executables in) User-Writeable Directories

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

Half a Million Downloads of SetACL

Half a Million Downloads of SetACL

Last month SetACL reached the magic number of 500,000 downloads. That is a lot, especially for a command-line tool which is focused on a very specific aspect of system administration.

Upgrading Ubuntu 20.04 to 22.04 & PHP 7.4 to 8.1 for WordPress

Upgrading Ubuntu 20.04 to 22.04 & PHP 7.4 to 8.1 for WordPress

This post describes how I upgraded our web server running WordPress on Apache from Ubuntu 20.04.5 LTS to 22.04.1 LTS. Please see this article for more information on the server’s original installation and configuration.

Guide: WordPress on Dockerized Apache on Hetzner Cloud

Guide: WordPress on Dockerized Apache on Hetzner Cloud

If you’ve followed this blog for a while, you may have noticed that I’ve used a traditionally installed (i.e., not dockerized) LAMP stack for its server setup since 2014. Only recently did I switch to Docker containers. Why? Maintenance. Much facilitated maintenance. If you take a look at the articles I’ve written over the years describing how to upgrade to newer versions of Ubuntu or - god beware - PHP, you can’t help but realize what a godawful PITA it all is. Switching to Docker enforces (or at least strongly encourages) a strict separation of (public) code and (personal) configuration. With this new setup, upgrading from one PHP version to another involves nothing more than changing a version number in a text file.

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting