Re: Replacing domain SID on ACE's in DACL

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 10/16/04

    Date: Sat, 16 Oct 2004 11:26:58 -0400
    
    

    Have you looked at subinacl?

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net
    RobT wrote:
    > Apologies for the X-post but I was unsure where this should live.
    > 
    > I have about 10GB of data that now lives in a native Server 2003 domain.  
    > All this data (due to the way the domain was migrated) is still ACL'd with 
    > the groups from the legacy NT4 domain that it was migrated from.  Access for 
    > the users to the data is via sid history.
    > 
    > The NT4 domain (due to MS EOL for NT4) is to be decommissioned by the end of 
    > the year.  Before then I would like to re-ACL the data with the correct AD 
    > groups (which also contain the users' accounts due to group sync scripts).
    > 
    > What is the best way to do this?  All the command line and scripting 
    > interfaces I have looked at do not determine if the group is AD or NT4.  
    > Because of SID history they all resolve the group names with the AD groups 
    > rather than the NT4 ones they actually are, so are not useful for me here.
    > 
    > Is there some software or script/API I can use to walk the DACL so that 
    > every time it sees an 'explicit' ACE referencing the old domain SID it will 
    > either update the SID, or even better add the AD group and remove the NT4 one?
    > 
    > I assume I am not the only person who has run into this issue, so surely 
    > there must be something out there?  I have looked at the SIDwalker tool set 
    > but it is not appropriate, requires too much manual intervention and will in no 
    > way scale to the size I need it to.
    > 
    > Any help appreciated, as December 31 is fast approaching :)
    > 
    > Much thanks,
    > RobT
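
The DACL walk asked about in the quoted question, sketched in PowerShell as an added example; it is not part of the original thread and is not how subinacl works. The domain SIDs, the RIDs, the mapping table and the function name `Convert-LegacyAce` are constructed for illustration, and the sample DACL is built in memory so nothing on disk is touched.

```powershell
# Added example; every SID below is constructed.
$LegacyDomainSid = 'S-1-5-21-1000000001-1000000002-1000000003'   # old NT4 domain
# Legacy group SID -> replacement AD group SID (hypothetical mapping table).
$SidMap = @{
    "$LegacyDomainSid-1105" = 'S-1-5-21-2000000001-2000000002-2000000003-2201'
}

function Convert-LegacyAce {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string]$LegacyDomainSid,
        [hashtable]$SidMap
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $changed = 0
    # ($true, $false) = explicit ACEs only. Requesting SecurityIdentifier returns the
    # raw SID with no name lookup, so SID history cannot disguise a legacy group.
    foreach ($rule in @($Acl.GetAccessRules($true, $false, $sidType))) {
        $sid = $rule.IdentityReference
        if ("$($sid.AccountDomainSid)" -ne $LegacyDomainSid) { continue }
        $newSid = $SidMap[$sid.Value]
        if (-not $newSid) {
            Write-Warning "No mapping for $($sid.Value); ACE left in place"
            continue
        }
        # AccessRuleFactory takes the raw access mask, so the new ACE keeps the
        # same rights, inheritance flags and allow/deny type as the old one.
        $newRule = $Acl.AccessRuleFactory(
            (New-Object System.Security.Principal.SecurityIdentifier($newSid)),
            [int]$rule.FileSystemRights, $false,
            $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType)
        $Acl.AddAccessRule($newRule)                   # add the AD group first
        [void]$Acl.RemoveAccessRuleSpecific($rule)     # then drop the NT4 ACE
        $changed++
    }
    return $changed
}

# Constructed DACL: explicit legacy ACE, explicit BUILTIN\Administrators ACE,
# and an inherited (ID) legacy ACE that must be fixed on the parent, not here.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetSecurityDescriptorSddlForm(
    "D:(A;OICI;FA;;;$LegacyDomainSid-1105)(A;;FA;;;BA)(A;OICIID;FR;;;$LegacyDomainSid-1105)")
$n = Convert-LegacyAce -Acl $acl -LegacyDomainSid $LegacyDomainSid -SidMap $SidMap
"$n explicit ACE(s) rewritten"
$acl.GetSecurityDescriptorSddlForm('Access')
```

Against real data, load each descriptor with `Get-Acl -LiteralPath` and write it back with `Set-Acl` only when the function reports a change. Unmapped legacy SIDs are only warned about, so the warnings double as a list of groups still missing from the mapping table.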
    
