How to reACL data after AD forest migration

During an AD forest consolidation, cloning resource groups lets you preserve users' access to shares on file servers. This is possible thanks to SID history. But once the migration has ended, if you want to remove SID history, you first need to reACL the NTFS ACLs on the file servers (

Here you find a short step-by-step doc on how to migrate file servers and reACL data.

Tools needed:

Robocopy – builtin tool
Icacls – builtin tool
Setacl – external tool (
Dsquery – MS Admin Tools

1. Copy data from old fileserver to new one:

robocopy.exe "\\[Old fileserver]\[share]" "D:\IT_Data1\Departments" /COPYALL /SECFIX /E /ZB /LOG+:robo.log /NFL /NDL /MIR

Sometimes it is better to copy only the data first and then dump and restore only the ACLs. This is useful to correct some historical corruption:

robocopy.exe "\\[Old fileserver]\[share]" "D:\IT_Data1\Departments" /E /ZB /LOG+:robo.log /NFL /NDL /MIR
icacls "\\[Old fileserver]\[share]" /save ACL_Dep.txt /T
icacls "D:\IT_Data1\Departments" /restore ACL_Dep.txt

2. Dump SID + SID history to a file for cloned resource groups:
You now need a file that maps the old SID to the new SID for all resource groups used in the file server's ACLs (change the OU path to the correct one for your AD).

dsquery * "OU=Resource,OU=Groups,OU=Objects,DC=DOM2,DC=DOM1,DC=DOM0" -filter "(&(objectClass=Group)(sIDHistory=*))" -attr sIDHistory ObjectSID -limit 10000 > Sidmapping.txt

Check whether the -limit value is sufficient for you.

Edit sidmapping.txt:
1. Remove the first line.
2. Replace "    " (4 spaces) with ",".
3. Replace "  " (2 spaces) with nothing.
The result should look like this:

3. Special group replacement:
If you need to reorganize ACLs, such as replacing the local Administrators group with a new one, you can do it with the SetACL tool.

To replace the [Local]\Administrators group:

setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst n1:BUILTIN\Administrators;n2:DOM\RF-FileSystemAdmins-F;ta:repltrst -rec cont_obj

To replace the Everyone group:

setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst n1:Everyone;n2:DOM\RF-Public-R;ta:repltrst -rec cont_obj

4. reACL cloned groups:
Using the sidmapping.txt file you can now reACL the data on the new file server:

setacl -on D:\IT_Data1\Departments -ot file -actn trustee -trst csv:sidmapping.txt;ta:repltrst -rec cont_obj

Using PowerShell you can check whether the ACL was correctly renewed. Run this command against some folders before and after to check that the SIDs have changed.

Get-Acl "D:\IT_Data1\Departments\Sistemi" | format-list
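Reading the resolved names is not enough for this check: while SID history is still in place, an ACE holding the old SID resolves to the same group name as one holding the new SID, so only the raw SID tells you whether the reACL touched it. The following PowerShell script is an added example, not part of the original post; it assumes sidmapping.txt is the "old,new" CSV built in step 2 and lists every explicit ACE under the root that still carries an old SID (run it before and after step 4; an empty result means the reACL is complete).

```powershell
# Added example, not part of the original post.
# Reports explicit NTFS ACEs under $Root whose trustee is an OLD SID from
# sidmapping.txt (assumed format: "oldSID,newSID" per line, as built in step 2).
# Raw SIDs are read from the ACL instead of resolved names: while SID history
# exists, the old SID resolves to the same group name as the new one.
param(
    [string]$Root    = 'D:\IT_Data1\Departments',
    [string]$Mapping = '.\sidmapping.txt'
)

# old SID -> new SID lookup; any line that is not a SID pair is skipped
$oldToNew = @{}
foreach ($line in Get-Content -LiteralPath $Mapping) {
    if ($line -match '^\s*(S-1-[\d-]+)\s*,\s*(S-1-[\d-]+)\s*$') {
        $oldToNew[$Matches[1]] = $Matches[2]
    }
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # explicit ACEs only ($true, $false): inherited ones follow their parent
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($oldToNew.ContainsKey($sid)) {
            [pscustomobject]@{
                Path   = $item.FullName
                OldSid = $sid
                NewSid = $oldToNew[$sid]
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

$findings | Format-Table -AutoSize
"{0} explicit ACE(s) still reference old SIDs under {1}" -f @($findings).Count, $Root
```

Any path still listed after step 4 is one SetACL did not rewrite, typically because its mapping line was dropped during the sidmapping.txt editing or the group has more than one sIDHistory value.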

5. Home folder ACL reset:
If the user ID and the home folder name are the same, you can use these scripts to rebuild the ACL on each user's home folder.

Create UsersACLReset.cmd

for /f %%i in ('dir "D:\IT_Data1\Users" /b /ad') do @call Usersresetfolder.cmd %%i

Create UsersResetFolder.cmd

icacls D:\IT_Data1\Users\%1 /grant MASTDOM\%1:(OI)(CI)F

Then copy the home folder data and rebuild the ACLs by running the UsersACLReset.cmd batch:

robocopy.exe "\\[Old fileserver]\Users" "D:\IT_Data1\Test\Users" /E /ZB /LOG+:robo_mi.log /NFL /NDL /MIR



2 thoughts on "How to reACL data after AD forest migration"

  1. Tomas Jetelina says:


    All looks good until I trigger Set-Acl which gives me just this, any idea?

    Set-Acl “D:\Common” -ot file -actn trustee -trst csv:sidmapping.txt;ta:repltrst -rec cont_obj

    Set-Acl : A parameter cannot be found that matches parameter name ‘ot’.
    At line:1 char:21
    + Set-Acl “D:\Common” -ot file -actn trustee -trst csv:sidmapping.txt;ta:repltrst …
