Data Migration
Windows Server Forum Index Windows Server
Server discussion on Windows platform.
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web winserverhelp.com
Data Migration

 
Post new topic   Reply to topic    Windows Server Forum Index -> Migration
Author Message
Tony
Guest
Posted: Mon Oct 17, 2005 8:51 pm    Post subject: Data Migration Reply with quote
After reading info on the File Server Migration tool, I am still unclear
about permissions on files that will be migrated to the new Windows 2003
domain. I currently have an NT 4.0 domain.

After the migration of the data, will the ACL's be "olddomain\user" and the
new domain user access the file using SID history or will the ACL's be
changed to "newdomain\uer"?

Thanks

Tony
Back to top
Ada Pan [MSFT]
Guest
Posted: Tue Oct 18, 2005 8:51 am    Post subject: RE: Data Migration Reply with quote
Hi Tony,

The former that the ACLs will be "olddomain\user" and the new domain users
access the files using SID history is correct.

If you want to replace NT ACLs with 2k3 ACLs, you can use SubInACL tool.
SubInACL is a command-line tool that enables administrators to obtain
security information about files, registry keys, and services, and transfer
this information from user to user, from local or global group to group,
and from domain to domain. To download Subinacl.exe, see"SubInACL
(SubInACL.exe)" on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=23418.

For example, you can use the following command below.

Subinacl /subdirectories x:\directory\*.* /replace=oldsid=newsid

OR

subinacl /subdirectories x:\directory\*.* /replace=
NTDOMAIN\FILEUSERS=W2K3DOMAIN\FILEUSERS

For additional information about the syntax and usage of the Subinacl.exe
utility, type subinacl /help at the command line.

Using the Command Line to Edit Multiple Subdirectory Permissions
http://support.microsoft.com/kb/265360

Download details: SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-
93cf-ed6985e3927b&displaylang=en

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Back to top
Tony
Guest
Posted: Tue Oct 18, 2005 8:51 pm    Post subject: RE: Data Migration Reply with quote
So can I use a wildcard to replace "oldomain\*" with "newdomain\*"? I'd like
to be able to just change the domain without having to know the existing ACL
at all. Can I do this?

Tony

"Ada Pan [MSFT]" wrote:

Quote:
Hi Tony,

The former that the ACLs will be "olddomain\user" and the new domain users
access the files using SID history is correct.

If you want to replace NT ACLs with 2k3 ACLs, you can use SubInACL tool.
SubInACL is a command-line tool that enables administrators to obtain
security information about files, registry keys, and services, and transfer
this information from user to user, from local or global group to group,
and from domain to domain. To download Subinacl.exe, see"SubInACL
(SubInACL.exe)" on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=23418.

For example, you can use the following command below.

Subinacl /subdirectories x:\directory\*.* /replace=oldsid=newsid

OR

subinacl /subdirectories x:\directory\*.* /replace=
NTDOMAIN\FILEUSERS=W2K3DOMAIN\FILEUSERS

For additional information about the syntax and usage of the Subinacl.exe
utility, type subinacl /help at the command line.

Using the Command Line to Edit Multiple Subdirectory Permissions
http://support.microsoft.com/kb/265360

Download details: SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-
93cf-ed6985e3927b&displaylang=en

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Back to top
Ada Pan [MSFT]
Guest
Posted: Thu Oct 20, 2005 4:51 pm    Post subject: RE: Data Migration Reply with quote
Hi Tony,

You need to use /changedomain switch.

For example, /changedomain=OldDomainName=NewDomainName replaces all ACEs
with a SID from OldDomainName with the equivalent SID found in NewDomainName

For more information about the usage of SubInAcl, you can type subinacl /?
in a command prompt.

======================================
SubInAcl version 4, 0, 1, 1604

USAGE
-----

Usage :
SubInAcl [/option...] /object_type object_name
[[/action[=parameter]...]

/options :
/outputlog=FileName /errorlog=FileName
/noverbose /verbose (default)
/notestmode (default=/notestmode) /testmode
/alternatesamserver=SamServer /offlinesam=FileName
/stringreplaceonoutput=string1=string2
/expandenvironmentsymbols (default) /noexpandenvironmentsymbols
/statistic (default) /nostatistic
/dumpcachedsids=FileName /separator=character

/object_type :
/service /keyreg /subkeyreg
/file /subdirectories[=directoriesonly|filesonly]
/clustershare /kernelobject /metabase
/printer /onlyfile /process
/share /samobject

/action :
/display[=dacl|sacl|owner|primarygroup|sdsize|sddl] (default)
/setowner=owner
/replace=[DomainName\]OldAccount=[DomainName\]New_Account
/accountmigration=[DomainName\]OldAccount=[DomainName\]New_Account
/changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]
/migratetodomain=SourceDomain=DestDomain=[MappingFile[=Both]]
/findsid=[DomainName\]Account[=stop|continue]
/suppresssid=[DomainName\]Account
/confirm
/ifchangecontinue
/cleandeletedsidsfrom=DomainName[=dacl|sacl|owner|primarygroup|all]
/testmode
/accesscheck=[DomainName\]Username
/setprimarygroup=[DomainName\]Group
/grant=[DomainName\]Username[=Access]
/deny=[DomainName\]Username[=Access]
/sgrant=[DomainName\]Username[=Access]
-- Press Return To Continue ----
/sdeny=[DomainName\]Username[=Access]
/revoke=[DomainName\]Username
/perm
/audit
/compactsecuritydescriptor
/pathexclude=pattern
/objectexclude=pattern
/sddl=sddl_string

Usage : SubInAcl [/option...] /playfile file_name

Usage : SubInAcl /help [keyword]
SubInAcl /help /full
keyword can be :
features usage syntax sids view_mode test_mode object_type
domain_migration server_migration substitution_features editing_features
- or -
any [/option] [/action] [/object_type]
======================================

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Back to top
 
Post new topic   Reply to topic    Windows Server Forum Index -> Migration All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum




New Topics Powered by phpBB