Re: Delete ACLs for a whole domain
- From: Rick Dang <rickdang@xxxxxxxx>
- Date: Tue, 01 Nov 2005 19:04:40 +0100
Hi, I solved using the command SETACL (http://setacl.sourceforge.net/).
Rick
Rick Dang wrote:
Hi Herb,
thanks for answering. Let me explain in a better way: this is a sample output obtained by typing CACLS C:\temp:
BUILTIN\Administrators:F
OLDDOMAIN\User1:F
OLDDOMAIN\User2:C
OLDDOMAIN\Group1:R
NEWDOMAIN\User1:C
NEWDOMAIN\User5:R
NEWDOMAIN\Group3:F
NEWDOMAIN\Group4:C
Everyone:R
By deleting all ACL entries belonging to OLDDOMAIN, the new ACL should be that one:
BUILTIN\Administrators:F
NEWDOMAIN\User1:C
NEWDOMAIN\User5:R
NEWDOMAIN\Group3:F
NEWDOMAIN\Group4:C
Everyone:R
If you consider a whole filesystem, with a big number of folders and subfolders with specific ACLs, I need a command to remove all the OLDDOMAIN entries.
I could make a list of all OLDDOMAIN users and groups, and write a script like that:
CACLS c:\ /t /e /r OLDDOMAIN\User1
CACLS c:\ /t /e /r OLDDOMAIN\User2
CACLS c:\ /t /e /r OLDDOMAIN\User3
CACLS c:\ /t /e /r OLDDOMAIN\Group1
CACLS c:\ /t /e /r OLDDOMAIN\Group2
CACLS c:\ /t /e /r OLDDOMAIN\Group3
I wonder if there is a simple way to reach the point with a single command involving the domain, and not just users and groups, that means I'd need a script as long as the whole number of AD objects I have to remove (about 400 between users and groups!!!).
Note that I do not have to migrate ACLs from OLDDOMAIN to NEWDOMAIN, as setinacl.exe can do. It doesn't seem that setacl.exe can help me either...
Thanks again, Rick
Herb Martin wrote:
"Rick Dang" <rickdang@xxxxxxxx> wrote in message news:eDbdJgrxFHA.628@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
some servers moved from OLDDOMAIN to NEWDOMAIN, that have bidirectional trust relationships. Their filesystems now have ACLs done by users and groups from both domains.
How can I delete all the OLDDOMAIN ACLs references from the filesystems' objects?
With CACLS I could remove OLDDOMAIN's groups and users one by one, but I cannot remove the whole OLDDOMAIN.
It's not clear exactly what you wish to do but perhaps SubInAcl.exe will help you. It is a standard tool (ResKit or MS Download) for massaging ACLs after a migration.
Other than that you would probably need to write a script and find each such before deleting or changing it.
SetAcl.exe (free from sourceforge.net) might also help but it has a command line that is very difficult to learn to use.
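
The task discussed in this thread, removing every ACL entry whose account belongs to one domain without listing the accounts, shown as an added PowerShell example. It is not part of the original posts and is not SetACL's own syntax; the function name Remove-DomainAce is hypothetical, and OLDDOMAIN and C:\temp are the thread's sample values.

```powershell
# Added example; not from the thread. Remove-DomainAce is a hypothetical name.
function Remove-DomainAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,     # e.g. C:\temp (the thread's sample folder)
        [Parameter(Mandatory)][string]$Domain    # e.g. OLDDOMAIN
    )
    $prefix = "$Domain\"
    # The root item plus everything below it (the equivalent of CACLS /t).
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit ACEs only: inherited ones disappear once the parent is cleaned.
        # Names that no longer resolve show up as raw SIDs and will not match the prefix.
        $stale = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        })
        if ($stale.Count -eq 0) { continue }

        foreach ($ace in $stale) { $acl.RemoveAccessRuleSpecific($ace) }

        if ($PSCmdlet.ShouldProcess($item.FullName, "remove $($stale.Count) ACE(s) for $Domain")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            # Emit one record per removed entry so the change can be logged.
            foreach ($ace in $stale) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

# Dry run: reports which objects would be changed without writing any ACL.
Remove-DomainAce -Path 'C:\temp' -Domain 'OLDDOMAIN' -WhatIf
# Real change, from an elevated session, keeping a record of what was removed:
# Remove-DomainAce -Path 'C:\temp' -Domain 'OLDDOMAIN' | Export-Csv removed-aces.csv -NoTypeInformation
```

On the sample ACL above this leaves BUILTIN\Administrators, the NEWDOMAIN entries and Everyone untouched, since only identities beginning with `OLDDOMAIN\` are matched.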