How to programmatically change file permissions from one AD domain user to a separate AD domain user

active-directory, file-permissions, ntfs, windows-server-2008

We are in a colocated RackSpace facility in San Antonio, with an active directory named "SAT".

We are being moved to their Dallas/Ft. Worth facility, with an active directory named "DFW".

These machines are running Windows 2008 Server (some 32-bit, some 64-bit).

The machines have been cloned to the new facility using DoubleTake software, and are generally working fine. Upon moving the machines over, however, we have been forced to start logging in with new user accounts established in the DFW Active Directory.

I spent a long time getting our original servers working, in terms of file permissions across the servers, and am hoping someone can share some programmatic way, either with an existing piece of software, or even some custom .NET code, that we can "translate" all of these permissions.

For example, I'd like some way to specify the drives to update, the "BEFORE" username, e.g. "SAT\User", and the "AFTER" username, e.g. "DFW\User", and let 'er rip… Any ideas?

Best Answer

I highly recommend the free open source tool, SetACL.

http://helgeklein.com/setacl/examples/managing-file-system-permissions-with-setacl-exe/#example-5-migrating-permissions-between-domains

I'm going to assume that SAT and DFW do not have any kind of trust, and SAT\USER1 probably has a vastly different SID than DFW\USER1. Permissions in NTFS are all stored by SID, not username. This can complicate things.

Learn the backup and restore commands first, and back up the permissions on all your servers to a safe place. You may need to come up with your own solution where you back up the existing permissions to an SDDL file, search and replace the domain names or SIDs, and then restore that in the new domain.
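The back-up, search-and-replace-the-SID, restore approach the answer outlines, as an added PowerShell example (not code from the question, the answer or the SetACL project). It assumes an elevated session on the DFW-joined server, that SAT\User's SID was recorded before the move (the domains have no trust, so it cannot be resolved afterwards), and placeholder paths and SID values as shown.

```powershell
# Added example: remap one account's SID to another across NTFS security descriptors.
# Assumed: elevated session on the DFW server (owner changes need SeRestorePrivilege),
# PowerShell 2.0 on Windows Server 2008 (hence -Path rather than -LiteralPath).
function Backup-AclSddl {
    param([string]$Root, [string]$BackupFile)
    # Save "path<TAB>SDDL" for the root and every descendant so permissions can be restored.
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)
    $items | ForEach-Object { "{0}`t{1}" -f $_.FullName, (Get-Acl -Path $_.FullName).Sddl } |
        Set-Content -Path $BackupFile -Encoding UTF8
}

function Convert-AclSid {
    param([string]$Root, [string]$OldSid, [string]$NewAccount, [switch]$WhatIf)
    # Resolve the DFW account to its SID through the new domain.
    $newSid = (New-Object System.Security.Principal.NTAccount($NewAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    # Anchor the match so S-1-5-...-110 is not found inside S-1-5-...-1104.
    $pattern = [regex]::Escape($OldSid) + '(?![0-9])'
    $changed = 0
    # Root first, then children top-down, so inherited entries are recomputed from fixed parents.
    $items = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl  = Get-Acl -Path $item.FullName
        $sddl = $acl.Sddl
        if ($sddl -notmatch $pattern) { continue }
        # SDDL stores owner (O:), group (G:) and DACL (D:) by SID, so one substitution covers all three.
        $acl.SetSecurityDescriptorSddlForm(($sddl -replace $pattern, $newSid))
        if ($WhatIf) { Write-Host ("Would update {0}" -f $item.FullName) }
        else { Set-Acl -Path $item.FullName -AclObject $acl }
        $changed++
    }
    return $changed   # number of objects that referenced the old SID
}

# Usage (placeholder values): back up first, preview with -WhatIf, then run without it.
Backup-AclSddl -Root 'D:\Shares' -BackupFile 'C:\acl-backup\shares.tsv'
Convert-AclSid -Root 'D:\Shares' -OldSid 'S-1-5-21-1111111111-2222222222-3333333333-1104' `
    -NewAccount 'DFW\User' -WhatIf
```

Repeat the call once per SAT account being migrated; the backup file keeps the original SDDL strings, which is what the answer's "backup the permissions to a safe place" step is for.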