RE: Replacing domain SID on ACE's in DACL
From: RobT (r_tesoriero_at_hotmail.com.(donotspam))
Date: 10/14/04
Date: Thu, 14 Oct 2004 07:05:03 -0700
Apologies, that should be 10TB of data... If it was only 10GB I would
hardly be worried :))
"RobT" wrote:
> Apologies for the X-post but I was unsure where this should live.
>
> I have about 10GB of data that now lives in a native Server 2003 domain.
> All this data (due to the way the domain was migrated) is still ACL'd with
> the groups from the legacy NT4 domain that it was migrated from. Access for
> the users to the data is via sid history.
>
> The NT4 domain (due to MS EOL for NT4) is to be decommissioned by the end of
> the year. Before then I would like to re-ACL the data with the correct AD
> groups (which also contain the users' accounts due to group sync scripts).
>
> What is the best way to do this? All the command line and scripting
> interfaces I have looked at do not determine if the group is AD or NT4.
> Because of SID history they all resolve the group names with the AD groups
> rather than the NT4 ones they actually are, so are not useful for me here.
>
> Is there some software or script/API I can use to walk the DACL and
> every time it sees an 'explicit' ACE referencing the old domain SID it will
> either update the SID, or even better add the AD group and remove the NT4 one?
>
> I assume I am not the only person who has run into this issue, so surely
> there must be something out there? I have looked at the SIDwalker tool set
> but it is not appropriate, requires too much manual intervention and will in no
> way scale to the size I need it to.
>
> Any help appreciated, as December 31 is fast approaching :)
>
> Much thanks,
> RobT
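
The DACL walk asked about above, sketched as an added example that is not part of the original thread: it works on the SDDL text form of a security descriptor, where trustees appear as raw SIDs, so SID history name resolution never comes into play. Both domain SIDs, the RIDs, the mapping and the sample descriptor are constructed placeholders, and the sketch assumes old-domain trustees appear as full S-1-5-21-... strings with no conditional ACEs.

```python
import re

# Constructed placeholders: both domain SIDs, the RIDs and the mapping are made up.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # legacy NT4 domain
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"   # AD domain
SID_MAP = {OLD_DOMAIN + "-1105": NEW_DOMAIN + "-2210"}     # old group -> AD group

# DACL = "D:" + optional flags + ACEs. Assumes no conditional ACEs (nested parens).
DACL_RE = re.compile(r"(D:[A-Z_]*)((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")

def is_inherited(ace_flags):
    # ACE flags are concatenated two-letter codes (OI, CI, IO, ID...); ID = inherited.
    return "ID" in (ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2))

def remap_dacl(sddl, sid_map=SID_MAP, old_domain=OLD_DOMAIN):
    """Rewrite explicit old-domain ACEs; return (new_sddl, remapped, unmapped)."""
    remapped, unmapped = [], []

    def fix_ace(match):
        fields = match.group(1).split(";")   # type;flags;rights;guid;guid;sid
        if len(fields) < 6 or is_inherited(fields[1]):
            return match.group(0)            # inherited: fix it on the parent
        sid = fields[5]
        if not sid.startswith(old_domain + "-"):
            return match.group(0)            # trustee is not from the old domain
        if sid not in sid_map:
            unmapped.append(sid)             # report it, never guess a target
            return match.group(0)
        remapped.append(sid)
        fields[5] = sid_map[sid]
        return "(" + ";".join(fields) + ")"

    def fix_dacl(match):
        return match.group(1) + ACE_RE.sub(fix_ace, match.group(2))

    return DACL_RE.sub(fix_dacl, sddl, count=1), remapped, unmapped

# Constructed sample descriptor: two explicit old-domain ACEs and one inherited one.
SAMPLE = ("O:BAG:DUD:AI(A;OICI;FA;;;BA)"
          "(A;OICI;0x1301bf;;;" + OLD_DOMAIN + "-1105)"
          "(A;;FR;;;" + OLD_DOMAIN + "-1200)"
          "(A;OICIID;0x1200a9;;;" + OLD_DOMAIN + "-1105)")

if __name__ == "__main__":
    new_sddl, done, missing = remap_dacl(SAMPLE)
    print(new_sddl)
    print("remapped:", done, "unmapped:", missing)
```

Inherited ACEs are left alone because they change once the parent's explicit ACE is rewritten, and any old-domain SID without a mapping entry is returned in the unmapped list rather than rewritten.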