I'm trying to figure out the best way to migrate an FTP server from old hardware to new hardware. The server is on a domain, but not all the users set up on the server (to use FTP) are domain accounts; some are local to the server.
For example, I have users both ways:
domain\username
machinename\username
The new machine name will be different.
So I need to copy all the files with permissions intact from the old server to the new server. Then I need to convert all the user accounts from the old server to the new server. Then I need to change the file permissions so that they are no longer oldserver\username but newserver\username.
Can this be accomplished all with CACLS? Is there an easy way that perhaps I'm missing?
Best Answer
There is no "easy" solution to this problem - ACLs for local accounts are lost when moved to a new server because the SID associated with that user doesn't map to a valid user account any longer.
There is a way to do it though without having to wipe out your system. I'm going to walk through what I think is the easiest way, using PowerShell (with WMI), icacls and some text editing.
On both the old server and the new server, get a listing of all the username to SID mappings. To do this, open up PowerShell and run the command (on each server):
get-wmiobject win32_useraccount | where { $_.localaccount } | export-csv serverusers.csv
You've got some manual work to do now - you need to take both of the spreadsheets and map the SIDs from the old server users to the new ones. Create this in a new CSV (c:\sids.csv) with a format that is something like:
oldusername,newusername,oldsid,newsid
On the old server, save the ACLs for the files you care about using icacls. For example, if your files are in a folder called c:\ftproot\ you would go into that folder and do:
icacls * /save c:\acls.bak /T
Now you need to do a search and replace on the acls.bak file - for every row in your CSV, find all instances of oldsid and replace it with newsid. Here is a PowerShell script to do that:
# icacls writes its save file as UTF-16, hence -encoding unicode
$file = get-content C:\acls.bak -encoding unicode
$csv = import-csv c:\sids.csv
foreach ($row in $csv) {
    # (?!\d) stops a SID ending in -100 from also matching inside one ending in -1001
    $file = $file -replace ([regex]::Escape($row.oldsid) + '(?!\d)'),$row.newsid
}
set-content c:\acls2.bak $file -encoding unicode
Copy all of the files to the new server.
Restore the ACLs on the files in the new server (again, assuming this is under c:\ftproot):
icacls . /restore c:\acls2.bak /T
And that should do it - the files should now have the permissions set using the new local user accounts.
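
The manual mapping step in the answer above can be scripted when the local accounts have the same names on both servers. This is an added example, not part of the original answer; the input file names c:\old-serverusers.csv and c:\new-serverusers.csv are assumptions, and it also checks c:\acls2.bak for leftover old SIDs before the restore.

```powershell
# Added example: build c:\sids.csv from the two serverusers.csv exports.
# Assumed file names: the old server's export copied to c:\old-serverusers.csv,
# the new server's export to c:\new-serverusers.csv.
$old = Import-Csv 'c:\old-serverusers.csv'
$new = Import-Csv 'c:\new-serverusers.csv'

# Index the new server's accounts by name (hashtable keys are case-insensitive).
$newByName = @{}
foreach ($u in $new) { $newByName[$u.Name] = $u }

$map = @()
$unmatched = @()
foreach ($u in $old) {
    $match = $newByName[$u.Name]
    if ($null -eq $match) {
        # No account of that name on the new server yet; its ACEs would stay orphaned.
        $unmatched += $u.Name
        continue
    }
    $map += [pscustomobject]@{
        oldusername = $u.Name
        newusername = $match.Name
        oldsid      = $u.SID
        newsid      = $match.SID
    }
}
$map | Export-Csv 'c:\sids.csv' -NoTypeInformation

if ($unmatched) {
    Write-Warning ("No matching account on the new server for: " + ($unmatched -join ', '))
}

# After the search and replace has produced c:\acls2.bak, confirm that no
# old-server SID is left in it before running icacls /restore.
if (Test-Path 'c:\acls2.bak') {
    $acl = Get-Content 'c:\acls2.bak' -Encoding Unicode
    foreach ($row in $map) {
        $pattern = [regex]::Escape($row.oldsid) + '(?!\d)'
        $hits = @($acl | Select-String -Pattern $pattern)
        if ($hits.Count -gt 0) {
            Write-Warning ("{0}: old SID still present on {1} line(s)" -f $row.oldusername, $hits.Count)
        }
    }
}
```

Any user listed in the first warning has to be created on the new server and the script re-run before the ACL file is rewritten.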