
Preserving permissions in a cross-forest move


rlo...@cg.state.sc.us

Jun 27, 2005, 10:16:12 AM
I am trying to move file server data from our current W2K mixed-mode
environment to a completely new forest/domain running Windows 2003. I
have setup domain trusts and tried using the latest version of the
Microsoft File Server Migration Toolkit to copy the data. Although the
data copies successfully, the permissions don't seem to carry over.
When I look at the security of some folders after the copy, the only
permissions it has are the Administrator. Before I ran the copy, I
manually created new AD accounts in the new environment that matched
the names of the accounts in the old environment. Is there some way I
can do this cross-forest copy and still maintain my permissions even
though the users on the target server are members of a different domain?

Frances [MSFT]

Jun 28, 2005, 2:56:52 AM
Hello,

Good to hear from you.

According to the message, I understand that you find the FSMT doesn't
migrate the permissions of the shared folders in a cross-domain scenario.
Is this correct?

Based on your description, I noticed that you manually created new AD
accounts in the new environment that matched the names of the accounts in
the old environment. Please understand that even though the user accounts in
the two domains have the same name, they actually have two different security
identifiers (SIDs). Permissions are based on SIDs.

In addition, I would like to confirm the settings you choose in the File
Server Migration Wizard.

1. If you do not choose to copy security settings from the source to the
target files and folders, the wizard applies permissions to the target
files, folders, and shared folders by granting Full Control permission to
the local Administrators group of the target file server.

2. If you select the Copy security settings option, the File Server
Migration Wizard copies all security settings for files, folders, and
shared folders, including NTFS file system permissions, auditing,
ownership, and shared folder permissions.

3. If you select Copy security settings option, and also select the Resolve
invalid security descriptors option, the wizard cleans up security
descriptors whose security identifiers (SIDs) cannot be resolved on the
target file server.

I suspect that this is the exact scenario on your side. Since the original
SIDs are not recognized in the new domain, they are removed. Then the only
permissions you see after file migration are the Administrator.

At this time, I would like to suggest that we use a tool called SubInACL to
replace the original SIDs of the files.

SubInACL is a command-line tool that enables administrators to obtain
security information about files, registry keys, and services, and transfer
this information from user to user, from local or global group to group,
and from domain to domain.

More details can be found from the link below:

SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-
93cf-ed6985e3927b&DisplayLang=en

As to SubInACL, we can use it in this way. You may want to test it first.
1. Old domain is win2k called 2kdom
2. New domain in win2k3 called 2k3dom
3. Two way trust between 2kdom and 2k3dom.
4. We have a user called 2kdom\User1 and 2k3dom\User1.
5. A shared file is c:\test on a file server XPTest.
2kdom\User1 can access c:\test. 2k3dom\User1 cannot access it.

Now we want to replace 2kdom\User1 by using 2k3dom\User1. Please use the
following command to change the ACL for NTFS permission:
subinacl /file \\XPTest\test /replace=2kdom\User1=2k3dom\User1

To change the share permission for c:\test, you need to use:
subinacl /share \\XPTest\test /replace=2kdom\User1=2k3dom\User1

The file migration steps are as follows:

1. Check that the two-way trusts exist between the win2k and win2k3 domain.

2. Run FSMT again, this time please select Copy security settings option,
and deselect Resolve invalid security descriptors option.

3. Check that the security settings exist after file migration.

4. Use SubInACL to replace SIDs.


Hope this helps. If you have further concerns, please get in touch!

Best regards,

Frances He

Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
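An added example, not from the original thread or from Microsoft: a PowerShell audit to run on the target server after the FSMT copy (with "Copy security settings" selected and "Resolve invalid security descriptors" deselected) and before SubInACL. It reports ACEs whose SIDs no longer resolve, shows that the old-domain and new-domain accounts with the same name carry different SIDs, and prints the matching `subinacl /replace` arguments for review. The path and domain names follow the thread's scenario and are placeholders.

```powershell
# Audit a migrated folder's NTFS ACL and build the SubInACL replacement list.
# Assumes a two-way trust so that both 2kdom\ and 2k3dom\ names still resolve.
param(
    [string]$Path      = '\\XPTest\test',   # placeholder from the thread
    [string]$OldDomain = '2kdom',
    [string]$NewDomain = '2k3dom'
)

$acl = Get-Acl -Path $Path
$replacements = @()

foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference

    # Get-Acl yields a raw SecurityIdentifier when the name cannot be resolved.
    # These orphaned entries are what "Resolve invalid security descriptors"
    # would have stripped, leaving only the local Administrators ACE.
    if ($id -is [System.Security.Principal.SecurityIdentifier]) {
        Write-Warning "Orphaned ACE: $($id.Value) ($($ace.FileSystemRights))"
        continue
    }

    $parts = $id.Value.Split('\')
    if ($parts.Count -ne 2 -or $parts[0] -ne $OldDomain) { continue }

    $oldAcct = $id
    $newAcct = New-Object System.Security.Principal.NTAccount($NewDomain, $parts[1])
    try {
        $oldSid = $oldAcct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $newSid = $newAcct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot translate $($oldAcct.Value) or $($newAcct.Value): $_"
        continue
    }

    # Same account name, different SID: this is why permissions do not carry over.
    Write-Host ("{0,-20} {1}" -f $oldAcct.Value, $oldSid)
    Write-Host ("{0,-20} {1}" -f $newAcct.Value, $newSid)
    $replacements += "/replace=$($oldAcct.Value)=$($newAcct.Value)"
}

if ($replacements.Count -gt 0) {
    $args = ($replacements | Select-Object -Unique) -join ' '
    Write-Host "Review, then run for NTFS permissions: subinacl /file $Path $args"
    Write-Host "and for share permissions:            subinacl /share $Path $args"
}
```

The script only reads the ACL and prints the commands; nothing is changed until you run the printed SubInACL lines yourself.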

Robert

Jun 29, 2005, 8:10:04 AM
Frances,

Thanks very much for the helpful reply. What you are saying makes
sense and should help me quite a bit.

Robert

Frances [MSFT]

Jun 29, 2005, 8:32:12 AM
Hello Robert,

You are welcome. I am happy that my work helps.

If you have further concerns, please let me know.
