During a AD forests consolidation, cloning resources groups make you able to preserve users access to shares on fileservers. This is possible due to SID history. But after migration ended, if you want to remove SID history, you need before reACLing NTFS ACL on fileservers (http://support.microsoft.com/kb/295758/en-us).
Here you find a short step-by -step doc how to migrate fileservers and reACL data.
Robocopy – builtin tool
Icacls – builtin tool
Setacl – external tool (http://helgeklein.com/setacl/)
Dsquery – MS Admin Tools
1. Copy data from old fileserver to new one:
robocopy.exe "\\[Old fileserver]\[share]" "D:\IT_Data1\Departments" /COPYALL /SECFIX /E /ZB /LOG+:robo.log /NFL /NDL /MIR
Sometime is better to copy only data first and the dump restore only ACL. This is useful to correct some historical corruption:
robocopy.exe "\\[Old fileserver]\[share]" "D:\IT_Data1\Departments" /E /ZB /LOG+:robo.log /NFL /NDL /MIR
icacls "\\[Old fileserver]\[share]" /save ACL_Dep.txt /T
icacls "D:\IT_Data1\Depatments" /restore ACL_Dep.txt
2. Dump sid + sid history to a file for Cloned Resource Groups:
you need now a file that map old sid with new sid for all resources groups you are using on fileserver’s ACL (change the OU path with the correct one for your AD)
dsquery * "OU=Resource,OU=Groups,OU=Objects,DC=DOM2,DC=DOM1,DC=DOM0" -filter "(&(objectClass=Group)(sIDHistory=*))" -attr sIDHistory ObjectSID -limit 10000 > Sidmapping.txt
Check if –limit option is fine for you.
1. Remove first line
2. Replace “ “ (4 space) with “,”
3. Replace “ “ (2 space) with null
The results should be like this:
3. Special group replacement:
If you need to reorganize ACL like change Local Administrators Group with new-one you can do it with setacl tool.
For replace [Local]\Administrators group:
setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst n1:BUILTIN\Administrators;n2:DOM\RF-FileSystemAdmins-F;ta:repltrst -rec cont_obj
For replace Everyone group:
setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst n1:Everyone;n2:DOM\RF-Public-R;ta:repltrst -rec cont_obj
4. reACL cloned group:
Using sidmapping.txt file you can now reACL data on new fileserver:
setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst csv:sidmapping.txt;ta:repltrst -rec cont_obj
Using powershell you can check if the ACL was correctly renew. Run this command against some folders before and after to check if SID is changed.
Get-Acl "D:\IT_Data1\Departments\Sistemi" | format-list
5. Home’s ACL reset:
if the user id and home folder are the same you can use these scripts to rebuild ACL on user’s home.
for /f %%i in ('dir "D:\IT_Data1\Users" /b /ad') do @call Usersresetfolder.cmd %%i
icacls D:\IT_Data1\Users\%1 /grant MASTDOM\%1:(OI)(CI)F
then copy home’s data and rebuild acl running UserACLReset.cmd batch:
robocopy.exe "\\[Old fileserver]\Users" "D:\IT_Data1\Test\Users" /E /ZB /LOG+:robo_mi.log /NFL /NDL /MIR