Re: Replacing domain SID on ACE's in DACL


From: RobT (r_tesoriero_at_hotmail.com.(donotspam))
Date: 10/20/04


Date: Wed, 20 Oct 2004 02:02:21 -0700

Yes, that was my first port of call.

It does not seem to work on data that is ACL'd with groups that have SID
history attached. It just skips over, saying it has nothing to do. It does
not seem to recognise that the groups are from the old domain. I have proved
this by using a group that was not migrated with SID history (Domain Admins)
and it seems to work for data ACL'd with this group.

Does this seem right?

"Joe Richards [MVP]" wrote:

> Have you looked at subinacl?
>
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> RobT wrote:
> > Apologies for the X-post but I was unsure where this should live.
> >
> > I have about 10GB of data that now lives in a native Server 2003 domain.
> > All this data (due to the way the domain was migrated) is still ACL'd with
> > the groups from the legacy NT4 domain that it was migrated from. Access for
> > the users to the data is via sid history.
> >
> > The NT4 domain (due to MS EOL for NT4) is to be decommissioned by the end of
> > the year. Before then I would like to re-ACL the data with the correct AD
> > groups (which also contain the user accounts due to group sync scripts).
> >
> > What is the best way to do this? All the command line and scripting
> > interfaces I have looked at do not determine if the group is AD or NT4.
> > Because of SID history they all resolve the group names to the AD groups
> > rather than the NT4 ones they actually are, so are not useful for me here.
> >
> > Is there some software or script/API I can use to walk the DACL and,
> > every time it sees an 'explicit' ACE referencing the old domain SID, it will
> > either update the SID, or even better add the AD group and remove the NT4 one?
> >
> > I assume I am not the only person who has run into this issue, so surely
> > there must be something out there? I have looked at the SIDwalker tool set
> > but it is not appropriate, requires too much manual intervention and will in no
> > way scale to the size I need it to.
> >
> > Any help appreciated, as December 31 is fast approaching :)
> >
> > Much thanks,
> > RobT
>
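The problem described in this thread (every tool resolves the old-domain SIDs to the new AD group names via SID history, so nothing sees that the ACEs still point at the NT4 domain) is avoided by reading the DACL as raw SIDs and comparing the domain part of each SID instead of the resolved name. The following PowerShell script is an added example written for this thread; it is not a tool mentioned by any poster. It assumes Windows PowerShell 5.1 (where FileInfo/DirectoryInfo expose GetAccessControl/SetAccessControl directly), a legacy domain SID supplied as $OldDomainSid (placeholder, not a value from the thread), and a $SidMap hashtable of old group SID to new group SID that is built out of band; the optional Get-SidHistoryMap helper shows how that table can be derived from the sIDHistory attribute with the ActiveDirectory module. Only explicit ACEs are touched (inherited ones are corrected when their source is), and only the DACL section is read and written, so owner and SACL are left alone.

```powershell
# Added example for this thread (not a poster's tool). Walk a tree, find
# explicit ACEs whose SID belongs to the legacy domain, add an equivalent
# ACE for the mapped new-domain group, then remove the old ACE.
# Assumes Windows PowerShell 5.1. $OldDomainSid and $SidMap are placeholders
# you supply; nothing here is taken from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$Root,
    [Parameter(Mandatory)][string]$OldDomainSid,   # e.g. 'S-1-5-21-<old-domain-placeholder>'
    [Parameter(Mandatory)][hashtable]$SidMap       # 'S-1-5-21-old-RID' -> 'S-1-5-21-new-RID'
)

# Optional helper (assumes the ActiveDirectory module): build the old->new
# SID map from sIDHistory, keeping only entries that came from the old domain.
function Get-SidHistoryMap {
    param([string]$OldDomainSid)
    $old = [System.Security.Principal.SecurityIdentifier]$OldDomainSid
    $map = @{}
    Get-ADGroup -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
        foreach ($hist in $_.sIDHistory) {
            $h = [System.Security.Principal.SecurityIdentifier]$hist
            if ($h.IsEqualDomainSid($old)) { $map[$h.Value] = $_.SID.Value }
        }
    }
    return $map
}

$oldDomain = [System.Security.Principal.SecurityIdentifier]$OldDomainSid
$sections  = [System.Security.AccessControl.AccessControlSections]::Access

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    # Read only the DACL so the write-back does not try to set owner or SACL.
    $acl = $item.GetAccessControl($sections)

    # Ask for SecurityIdentifier, not NTAccount: name resolution is exactly
    # what hides old-domain ACEs behind SID history. Explicit ACEs only.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    $changed = $false
    foreach ($rule in $rules) {
        $sid = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference
        # Compare the domain portion of the SID, ignoring the RID.
        if (-not $sid.IsEqualDomainSid($oldDomain)) { continue }

        if (-not $SidMap.ContainsKey($sid.Value)) {
            Write-Warning "$($item.FullName): no mapping for $($sid.Value); ACE left unchanged"
            continue
        }
        $newSid  = [System.Security.Principal.SecurityIdentifier]$SidMap[$sid.Value]
        # Same rights, inheritance, propagation and allow/deny type; only the trustee changes.
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newSid, $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)

        if ($PSCmdlet.ShouldProcess($item.FullName, "replace ACE $($sid.Value) with $($newSid.Value)")) {
            $acl.AddAccessRule($newRule)          # add the new-domain ACE first ...
            $acl.RemoveAccessRuleSpecific($rule)  # ... then drop the legacy one
            $changed = $true
        }
    }
    if ($changed) { $item.SetAccessControl($acl) }
}
```

Run it with -WhatIf first to get a listing of every explicit ACE that still carries the old domain SID without changing anything; unmapped SIDs are reported rather than removed, so a group that was never migrated is not silently stripped from the DACL. Adding the new ACE before removing the old one keeps access intact if the run is interrupted between the two steps.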


