Windows Server 2012 – Migrate File Server Without Trust

Tags: file-permissions, network-share, windows-server-2012

We are about to migrate our file server (Windows Server 2012) from its current domain to a new domain.

Due to issues outside my control, there will be no domain trusts or even DNS forwarders from the new domain back to the old domain. So, I need a way to replace the ACLs with the groups and user names from the new domain. Group names will be the same, but username structure has changed, so there will be a mapping file involved.

I found SetACL while I was searching, but I can't tell from my initial reading if it needs to have access to both domains. If it needs that, then I'm out of luck. I'm really hoping to avoid manually rebuilding permissions on our entire file server, so hopefully somebody has a good solution.

Best Answer

I ended up trying everything I could think of and never got SetACL to work. By using a mapping file with the old SIDs mapped to the accounts in the new domain I was able to get it to run through with no errors. It actually said it was applying the ACLs. But it never actually changed any permissions. Had the same results when doing it manually one at a time. I'm assuming this is because it can't reach out to the old domain, so it just skips along to the next one. In the end, I went back to the old domain and used a PS script to export the current permissions. Then did a quick edit to that CSV to change the accounts listed to the new ones, then went back to the new domain and ran a different PS script to import and apply the permissions.

Scripts I used came from here. And since I was moving the data instead of copying it over, I didn't have the issue in the linked solution regarding inherited permissions. Came out flawless.

Here is the script that was asked for. One change I made: I was redoing the folder structure (say moving from N:\share over to Z:\public), so in between the two scripts I just edited the CSV to reference the new location.

ExportPermissions.ps1

$sourceFolder = "E:\sourceFolder"
$exportFile = "C:\outputCSV.csv"

# Walk every folder below the source root (the root folder itself is not
# included; add it by hand if it carries explicit permissions).
Get-ChildItem $sourceFolder -Recurse | ?{ $_.PsIsContainer } | %{
  $Path = $_.FullName
  # Exclude inherited rights from the report: only explicit ACEs are exported,
  # inheritance re-creates the rest after import.
  (Get-Acl $Path).Access | ?{ !$_.IsInherited } | Select-Object `
    @{n='Path';e={ $Path }}, IdentityReference, AccessControlType, `
    InheritanceFlags, PropagationFlags, FileSystemRights
} | Export-CSV $exportFile -NoTypeInformation

importpermissions.ps1

$par = Import-Csv -Path "c:\outputCSV.csv"

foreach ( $i in $par ) {
  $path = $i.Path
  $IdentityReference = $i.IdentityReference
  $AccessControlType = $i.AccessControlType
  $InheritanceFlags = $i.InheritanceFlags
  $PropagationFlags = $i.PropagationFlags
  $FileSystemRights = $i.FileSystemRights
  echo $path $IdentityReference
  $acl = Get-Acl $path
  # The CSV columns are strings; PowerShell converts them to the enum types the
  # FileSystemAccessRule constructor expects (flag lists such as
  # "ContainerInherit, ObjectInherit" included).
  $permission = $IdentityReference, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  # SetAccessRule replaces any existing ACE for this identity and access type on
  # the folder; use AddAccessRule instead if a folder has several explicit ACEs
  # for the same identity that must all be kept.
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $path
}
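The "quick edit to the CSV" described in the answer, done as a script instead of by hand. This is an added example, not code from the original answer or the linked page: it rewrites the IdentityReference column from the old domain to the new one using a mapping file, and then checks that every resulting account actually resolves on the new domain before importpermissions.ps1 is run, so that an unmapped account fails loudly here instead of being skipped. The domain names, the mapping file and its column names are assumptions.

```powershell
# Added example, not part of the original answer. Run on a member of the NEW domain.
# Assumed inputs:
#   C:\outputCSV.csv  - produced by ExportPermissions.ps1 on the old domain
#   C:\mapping.csv    - constructed file with columns OldIdentity,NewIdentity,
#                       e.g. OLDDOM\jsmith,NEWDOM\john.smith (renamed user accounts)
$exportFile  = "C:\outputCSV.csv"
$mappingFile = "C:\mapping.csv"
$outputFile  = "C:\outputCSV-new.csv"   # feed this to importpermissions.ps1
$oldDomain   = "OLDDOM"   # assumed NetBIOS name of the old domain
$newDomain   = "NEWDOM"   # assumed NetBIOS name of the new domain

# Hashtable keys are case-insensitive by default in PowerShell.
$map = @{}
foreach ($m in Import-Csv $mappingFile) { $map[$m.OldIdentity] = $m.NewIdentity }

$rows = Import-Csv $exportFile
foreach ($row in $rows) {
    $id = $row.IdentityReference
    if ($map.ContainsKey($id)) {
        # Explicit mapping wins: user names changed structure between domains
        $row.IdentityReference = $map[$id]
    } elseif ($id -like "$oldDomain\*") {
        # Group names are unchanged, so only the domain prefix is swapped
        $row.IdentityReference = "$newDomain\" + $id.Substring($oldDomain.Length + 1)
    }
    # Raw SIDs (accounts the old server could not resolve) and well-known
    # principals such as BUILTIN\Administrators are left untouched here.
}

# Every identity must translate to a SID on the new domain; otherwise the
# FileSystemAccessRule / Set-Acl step in the import script fails on that row.
$unresolved = foreach ($row in $rows) {
    try {
        $acct = New-Object System.Security.Principal.NTAccount($row.IdentityReference)
        [void]$acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $row.IdentityReference   # emitted only when translation fails
    }
}
$unresolved = @($unresolved | Sort-Object -Unique)
if ($unresolved.Count -gt 0) {
    Write-Warning "These identities do not resolve on ${newDomain}; fix $mappingFile first:"
    $unresolved | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
$rows | Export-Csv $outputFile -NoTypeInformation
Write-Output "Wrote $($rows.Count) ACEs to $outputFile"
```

Unresolved entries are usually orphaned SIDs from accounts that no longer existed on the old domain; decide for each whether to map it or drop the row before importing.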