Ok this is a bit of a hard scenario.

We are in the middle of a domain migration. We aren't doing it all at once, which means we will gradually move users over. This means that we need to be able to have the users' permissions for the company shared drive mirror their new account.

Currently the company shared drive is located on the old domain.

Example: Auser is in Olddomain. Auser is able to access different folders/files in Oldcompanyshare.

Auser will now migrate over to Newdomain. Auser gets a new username for Newdomain which is NAuser. NAuser needs to have the same folder permissions that Auser has to view files within Oldcompanyshare which is part of Olddomain.

Please help, otherwise NAuser will need to be given permissions manually, which is a major time killer.

Fileshare is Windows Server 2012 R2 based.

Eddie15421
  • Is there any reason you can't establish trusts between the domains, and add both old and new users to the ACLs in places they need to access? – Matthew Wetmore Dec 05 '17 at 23:26

2 Answers

0

Do the permissions on the objects reference the users directly, or do they use groups? In other words, do files/folders under Oldcompanyshare have ACLs which mention Auser, or do they use a group like Accounting? [Later OP comment reveals it is both, and that a trust relationship exists between the domains.]

Where permissions are assigned using groups, all you need to do is put the NAuser in the appropriate group(s) on the old domain.

Where permissions are assigned directly to the user, it gets ugly. You'll need to have something walk the directory trees on the old systems, looking for Auser and adding or replacing the Access Control Entries (ACEs) with new ACEs which use something else.

You may want to take the opportunity to migrate to groups at this time. It will almost certainly pay off in the long run. Alternatively, you can add ACEs to the ACLs so that NAuser and Auser are both explicitly specified.

SUBINACL can do anything with enough work. It makes a straight replacement reasonably easy. As a first approximation, you would want something like:

SUBINACL /subdirectories "C:\path\to\Oldcompanyshare" /replace="Olddomain\Auser"="Newdomain\Newgroup"

That assumes you are moving to a new group. If you want to do the add-and-keep-old (probably a good idea), I think you'll need to dump the ACLs to a file, transform that file to what you want, and then replay the ACLs back in. It will be slow and cumbersome, but beats manually editing a bunch of ACLs. (On the other hand, if you only have a few ACLs, a one-off manual GUI edit might be easier.)

Download SUBINACL from Microsoft

Ben Scott
  • So yes, to add to that, a trust relationship between the domains is set up. We are using groups for some of the folders, but there are a lot of folders which use usernames to assign permissions. – Eddie15421 Dec 05 '17 at 22:29
  • OK, I've edited to reflect the more complicated scenario. – Ben Scott Dec 05 '17 at 22:44
  • Thanks Ben, I was able to test that out on a single folder. I guess the question is, would there be any way to make that work for a tree of folders? Example: we have J:\Oldcompanyshare\company\sales\shared and we want to add, let's say, newdomain\DomainUsers to that directory and have it affect all folders from there and below that currently have olddomain\DomainUsers. I figure it's better to add than replace for backup strategies. – Eddie15421 Dec 06 '17 at 18:18
  • Would it be as simple as just granting permission to "newdomain\Domain Users" on the top-level folder and letting normal ACL inheritance propagation take care of the rest? In other words, normally, if you grant a group permission to a top-level folder, everything in all subdirectories gets the permission, too. I'm guessing you need something more sophisticated but want to make sure. :) – Ben Scott Dec 06 '17 at 18:31
  • Thanks for asking :). So yes, if I said, hey, I've got newdomain\Domain Users, and I need it to be added to all the folders from here and below and to match the permissions that olddomain\Domain Users has; if a certain folder does not have olddomain\Domain Users, then skip that folder. Sorry, I'm pretty new at this, but this is certainly opening up new experiences for me, so thank you for all your help! – Eddie15421 Dec 06 '17 at 21:40
0

There is no built-in, automated way to do this within Windows itself if permissions are assigned directly to user accounts. Note that this is a reason that best-practice for permissions is to create groups for permission to resources, groups for user/business roles, add users to the relevant user/business role groups, then add the user/business role groups as members of the resource permission groups. I can't find the Microsoft article I've read through, but this article has essentially the same recommendations/information.

You will likely have to either manually convert to the nested group/RBAC best practice style, or use some type of scripting to duplicate user permissions for every share/file (foreach share or file, read in existing permissions, add permissions for new domain for corresponding users, and recurse through everything).

Jason Rush
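Both answers describe the same procedure for the directly-assigned ACEs (walk the tree, read each folder's DACL, add an entry for the new-domain principal wherever the old-domain principal has an explicit entry, skip folders that never mention it). The following is an added PowerShell example of that add-and-keep-old approach, not code from either answer; the root path, the two principal names and the -DryRun switch are assumptions, and it assumes the trust is in place and that you run it as an account allowed to read and write the DACLs.

```powershell
# Added example: clone explicit ACEs for an old-domain principal onto a
# new-domain principal across a folder tree, leaving the old entries in place.
param(
    [Parameter(Mandatory)] [string] $Root,          # assumed, e.g. J:\Oldcompanyshare\company\sales\shared
    [Parameter(Mandatory)] [string] $OldPrincipal,  # assumed, e.g. 'OLDDOMAIN\Domain Users'
    [Parameter(Mandatory)] [string] $NewPrincipal,  # assumed, e.g. 'NEWDOMAIN\Domain Users'
    [switch] $DryRun                                # report what would change, write nothing
)

# Resolve the new principal once: a typo or a broken trust fails here, not per folder.
$newSid     = ([System.Security.Principal.NTAccount] $NewPrincipal).Translate([System.Security.Principal.SecurityIdentifier])
$newAccount = $newSid.Translate([System.Security.Principal.NTAccount])

# The root itself plus every subfolder. Files are not visited: a file with its own
# explicit ACE would need the same loop run with -File instead of -Directory.
$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Only explicit (non-inherited) entries matter; inherited ones follow automatically
    # once the parent that defines them has been updated. If the old account no longer
    # resolves, Value is a raw SID string and will not match the name given here.
    $oldAces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $OldPrincipal })
    if ($oldAces.Count -eq 0) { continue }   # folder never mentioned the old principal: skip

    $changed = $false
    foreach ($ace in $oldAces) {
        # Idempotent: re-running the script must not stack duplicate entries.
        $exists = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $newAccount.Value -and
            $_.FileSystemRights -eq $ace.FileSystemRights -and
            $_.AccessControlType -eq $ace.AccessControlType })
        if ($exists.Count -gt 0) { continue }
        # Same rights, inheritance and allow/deny type, new identity.
        $clone = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newAccount, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($clone)
        $changed = $true
    }
    if (-not $changed) { continue }
    if ($DryRun) { Write-Host "Would add $($newAccount.Value) to $($dir.FullName)" }
    else {
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        Write-Host "Updated $($dir.FullName)"
    }
}
```

Run it with -DryRun first and compare the reported folders against an icacls /save dump of the tree, which also gives you the rollback copy; Set-Acl writes the owner along with the DACL, so on folders owned by someone else it needs an account holding the restore privilege.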