Replacing domain SID on ACE's in DACL

Anonymous
October 14, 2004 10:55:09 AM

Archived from groups: microsoft.public.win2000.file_system,microsoft.public.windows.server.scripting,microsoft.public.windows.server.migration,microsoft.public.windows.server.security

Apologies for the X-post but I was unsure where this should live.

I have about 10GB of data that now lives in a native Server 2003 domain.
All this data (due to the way the domain was migrated) is still ACL'd with
the groups from the legacy NT4 domain that it was migrated from. Access for
the users to the data is via SID history.

The NT4 domain (due to MS EOL for NT4) is to be decommissioned by the end of
the year. Before then I would like to re-ACL the data with the correct AD
groups (which also contain the user accounts, due to group sync scripts).

What is the best way to do this? All the command line and scripting
interfaces I have looked at do not determine if the group is AD or NT4.
Because of SID history they all resolve the group names to the AD groups
rather than the NT4 ones they actually are, so are not useful for me here.

Is there some software or script/API I can use to walk the DACL and,
every time it sees an 'explicit' ACE referencing the old domain SID, it will
either update the SID, or even better add the AD group and remove the NT4 one?

I assume I am not the only person who has run into this issue, so surely
there must be something out there? I have looked at the SIDwalker tool set
but it is not appropriate, requires too much manual intervention and will in no
way scale to the size I need it to.

Any help appreciated, as December 31 is fast approaching :)

Much thanks,
RobT
Anonymous
October 14, 2004 11:05:03 AM


Apologies that should be 10TB of data.... If it was only 10GB I would
hardly be worried :) )

Anonymous
October 14, 2004 9:56:22 PM


Yes, I was sort of wondering when you said at the end
"would not scale" but only 10G.

As your script walks the storage, examining DACLs,
you can, for each group, use the WMI group object to get the
SID. I assume it would not be too hard to scrape the
groups/SIDs from the NT4 (I do this and gen a sub that
loads a dictionary object that can just be pasted into
what runs on the trusting domain).

Your issue however will likely not be finding the
legacy group grants, but determining which originate
an inheritance. It depends on how the storage has been
touched/migrated. If the storage was originally in NT4,
even if the NT4 underwent upgrade to W2k, what I have
found is that the header bits to indicate inherited are not
reliable.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Anonymous
October 16, 2004 3:26:58 PM


Have you looked at subinacl?



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Anonymous
October 18, 2004 11:29:20 AM


Rob, have a look at Security Explorer by ScriptLogic...
http://www.scriptlogic.com/eng/products/securityexplore...

This software will re-ACL the entire data tree swapping old SID for
new.

You'll almost certainly have to break the job down, as in my
experience it takes an hour 'per million files' to perform this sort
of operation. Never had a problem with it though, and the GUI is both
intuitive and powerful.

Regards, Neil



Anonymous
October 20, 2004 5:20:13 AM


Another solution is the Aelita Domain Migration
http://wm.quest.com/products/domainmigrationwizard/
Regards,
Pascal

Anonymous
October 20, 2004 6:02:21 AM


Yes, that was my first port of call.

It does not seem to work on data that is ACL'd with groups that have SID
history attached. It just skips over, saying it has nothing to do. It does
not seem to recognise that the groups are from the old domain. I have proved
this by using a group that was not migrated with SID history (Domain Admins)
and it seems to work for data ACL'd with this group.

Does this seem right?

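The behaviour RobT reports above is what you get from any tool that keys on resolved account names: a legacy SID that appears in an AD group's sIDHistory resolves to the AD group's name, so the tool concludes the ACE is already correct. Comparing raw SIDs avoids that, and the old-SID-to-new-SID dictionary Roger Abell describes can be read straight out of sIDHistory instead of scraped from NT4. The following PowerShell is an added example written for this page, not code from any poster or from subinacl/SIDwalker. It assumes PowerShell 5.1 or later on a domain-joined file server, run with administrative rights (so Set-Acl can write the DACL), and that $OldDomainSid is the SID of the retired NT4 domain; the value given for it below is a placeholder.

```powershell
<#
 Added example, not code from any poster in this thread.
 Walks a directory tree and, for every EXPLICIT ACE whose trustee SID belongs
 to the legacy (NT4) domain, adds an equivalent ACE for the AD object that
 carries that legacy SID in its sIDHistory, then removes the legacy ACE.
 Only raw SIDs are compared; no names are resolved, so sIDHistory cannot
 make a legacy ACE look like it already refers to the AD group.
 Assumptions: PowerShell 5.1+, domain member, admin rights on the file
 server; $OldDomainSid below is a placeholder for the NT4 domain SID.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333',  # placeholder
    [switch] $Apply   # without -Apply the script only reports what it would change
)

function Get-SidHistoryMap {
    # Returns @{ '<legacy SID string>' = [SecurityIdentifier] <current SID> } built
    # from every user or group in AD that has a sIDHistory value (ADSI, no RSAT).
    $map = @{}
    $searcher = [adsisearcher] '(sIDHistory=*)'
    $searcher.PageSize = 1000
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('objectSid', 'sIDHistory'))
    foreach ($r in $searcher.FindAll()) {
        $newSid = [System.Security.Principal.SecurityIdentifier]::new($r.Properties['objectsid'][0], 0)
        foreach ($oldBytes in $r.Properties['sidhistory']) {
            $oldSid = [System.Security.Principal.SecurityIdentifier]::new($oldBytes, 0)
            $map[$oldSid.Value] = $newSid
        }
    }
    return $map
}

function Convert-LegacyAces {
    param([string] $Path, [hashtable] $SidMap, [string] $OldDomainSid, [bool] $Apply)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit ACEs only (includeExplicit=$true, includeInherited=$false), returned as
    # SIDs, not names. Inherited ACEs are regenerated once their source ACE is fixed.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $changed = $false
    foreach ($ace in $explicit) {
        $sid = $ace.IdentityReference.Value
        if (-not $sid.StartsWith($OldDomainSid + '-')) { continue }   # not a legacy trustee
        if (-not $SidMap.ContainsKey($sid)) {
            Write-Warning "$Path : $sid is a legacy SID with no sIDHistory owner in AD; left in place"
            continue
        }
        $newAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $SidMap[$sid], $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($newAce)          # add the AD group first ...
        $acl.RemoveAccessRuleSpecific($ace)  # ... then drop the NT4 one
        $changed = $true
        "$Path : $($ace.AccessControlType) $($ace.FileSystemRights) $sid -> $($SidMap[$sid].Value)"
    }
    if ($changed -and $Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

$map = Get-SidHistoryMap
Write-Verbose "Loaded $($map.Count) legacy SIDs from sIDHistory"
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction Continue)
foreach ($item in $items) {
    Convert-LegacyAces -Path $item.FullName -SidMap $map -OldDomainSid $OldDomainSid -Apply $Apply.IsPresent
}
```

Run it once without -Apply to get a list of every legacy ACE it would rewrite and every legacy SID that has no sIDHistory owner (those need a manual mapping decision), then with -Apply per share so a 10TB job can be broken up and resumed. Two caveats: it touches the DACL only, so owner fields and audit (SACL) entries that still carry NT4 SIDs are left alone; and on a tree where the inherited flag is unreliable, as Roger Abell notes above, an ACE that was really a copy of its parent is reported as explicit and is rewritten as an explicit ACE, which preserves access but does not restore inheritance.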
Anonymous
October 24, 2004 7:55:14 PM


Hello RobT,

I think the SIDwalker tool will scale better than any script you write.
AFAIR the only thing which really needs to be done manually is the
mapping file of old account vs. new account, and you'll have to do that
anyway. You'd be able to reuse the same mapping file on every
fileserver; it just contains lines like "if SID1 exists please
delete/add/replace by SID2", so create a file with all existing SIDs
and mappings and apply that file to all filers in your environment. I'm
sure that's much faster than any approach you can script yourself.

You might be able to save a lot of time with the mapping file - you can
script the editing of that file if you have any scriptable relations
between the old and the new accounts. But even Excel might be able to
help you here.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org