Windows 2003 IIS FTP Server Migration w/ User Accounts

ftp iis migration windows windows-server-2003

I'm trying to figure out the best way to migrate an FTP server from old hardware to new hardware. The server is on a domain, but not all the users set up on the server (to use FTP) are domain accounts; some are local to the server.

For example, I have users both ways:

    domain\username
    machinename\username

The new machine name will be different.

So I need to copy all the files with permissions intact from the old server to the new server. Then I need to convert all the user accounts from the old server to the new server. Then I need to change the file permissions so that they are no longer oldserver\username but newserver\username.

Can this all be accomplished with CACLS? Is there an easy way that perhaps I'm missing?

Best Answer

There is no "easy" solution to this problem - ACLs for local accounts are lost when moved to a new server because the SID associated with that user doesn't map to a valid user account any longer.

There is a way to do it though without having to wipe out your system. I'm going to walk through what I think is the easiest way, using PowerShell (with WMI), icacls and some text editing.

  1. Create all of the new users on the new server
  2. On both the old server and the new server, get a listing of all the username to SID mappings. To do this, open up PowerShell and run the command (on each server):

    get-wmiobject win32_useraccount | where { $_.localaccount } | export-csv serverusers.csv

  3. You've got some manual work to do now - you need to take both of the spreadsheets and map the SIDs from the old server users to the new ones. Create this in a new CSV (c:\sids.csv) with a format that is something like: oldusername,newusername,oldsid,newsid

  4. On the old server, save the ACLs for the files you care about using icacls. For example, if your files are in a folder called c:\ftproot\ you would go into that folder and do:

    icacls * /save c:\acls.bak /T

  5. Now you need to do a search and replace on the acls.bak file - for every row in your CSV, find all instances of oldsid and replace it with newsid. Here is a PowerShell script to do that:

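    # Load the saved ACLs and the old-to-new SID mapping
    $file = get-content C:\acls.bak -encoding unicode
    $csv = import-csv c:\sids.csv
    foreach ($row in $csv) {
        # Match the old SID only as a whole SID, so one ending in -100 cannot match inside one ending in -1000
        $file = $file -replace ([regex]::Escape($row.oldsid) + '(?!\d)'), $row.newsid
    }
    # Write the rewritten ACLs to a new file in the same encoding
    set-content c:\acls2.bak $file -encoding unicode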

  6. Copy all of the files to the new server

  7. Restore the ACLs on the files in the new server (again, assuming this is under c:\ftproot):

    icacls . /restore c:\acls2.bak /T

And that should do it - the files should now have the permissions set using the new local user accounts.
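The manual mapping in step 3 can be scripted when usernames are the same on both servers. The following is an added example, not part of the original answer: it joins the two exports on account name and warns about any old account with no counterpart on the new server. The function name `New-SidMap` and the sample accounts and SIDs are assumptions constructed for illustration.

```powershell
# Added example: build the step-3 mapping by joining the two exports on account name.
# New-SidMap is a hypothetical helper name; the sample rows below are constructed.
function New-SidMap($OldUsers, $NewUsers) {
    # Index the new server's accounts by name (hashtable keys are case-insensitive)
    $newByName = @{}
    foreach ($u in $NewUsers) { $newByName[$u.Name] = $u.SID }

    foreach ($u in $OldUsers) {
        if ($newByName.ContainsKey($u.Name)) {
            New-Object PSObject -Property @{
                oldusername = $u.Name; newusername = $u.Name
                oldsid = $u.SID; newsid = $newByName[$u.Name]
            } | Select-Object oldusername, newusername, oldsid, newsid
        } else {
            # Without a mapping, ACEs for this SID stay unresolved after the restore
            Write-Warning "No account named '$($u.Name)' on the new server"
        }
    }
}

# Constructed sample data standing in for the two serverusers.csv exports
$old = @"
Name,SID
ftpalice,S-1-5-21-1111111111-2222222222-3333333333-1005
ftpbob,S-1-5-21-1111111111-2222222222-3333333333-1006
"@ | ConvertFrom-Csv
$new = @"
Name,SID
ftpalice,S-1-5-21-4444444444-5555555555-6666666666-1001
"@ | ConvertFrom-Csv

$map = @(New-SidMap $old $new)
$map | Format-Table -AutoSize

# Real use: load each server's export with Import-Csv instead of the samples, then
#   $map | Export-Csv c:\sids.csv -NoTypeInformation
```

Any account that triggers the warning needs to be created on the new server (step 1) before the ACLs are restored, otherwise its entries keep pointing at a SID that resolves to nothing.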
