Re: Help removing unresolved SIDs from NTFS permissions...
- From: Cappy <cappy_p@xxxxxxxx>
- Date: 27 Apr 2007 05:38:56 -0700
On Apr 26, 5:54 pm, SMFX <S...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Robocopy /COPYALL should maintain the permissions from one system to the next
if you're using Domain groups/users or Built-in groups. If you're using
Local groups or Local accounts, it won't work right.
However, recently Microsoft released a new version in the CACLS/XCACLS line
called "iCACLS" released with Windows 2003 SP2. With iCACLS there is the
option of /remove:{g|d} {SID} to remove any permissions granted or denied to
a specific SID.
Also, there is the option to dump all the permissions to a text file that
you can then reapply later. The "/save" option generates lines in a text
file like:
temp
D:(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;ID;FA;;;S-1-5-21-yoursid-goes-here-aRID)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)
You can then use this file, the "/restore" option with the "/substitute"
parameter to replace the SIDs with the correct one.
-SMFX
Thanks for the info. This does involve only domain groups and users,
no local acct SIDs. But we aren't needing to replace SIDs. We are
needing to remove all that are not resolved to names.
The data that we are moving is all shared directories. Users have
left the company and their SID remains in the NTFS permissions. So
essentially, we are needing to clean up NTFS and then move all the
data, maintaining the permissions structure.
It would be better if we got an error than changing the permissions to
everyone/full. That could prove to be disastrous. grin
I'll keep digging...
Cappy
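
One way to find the orphaned entries discussed in this thread, as an added example that is not part of either post: it walks a tree, lists explicit ACEs whose SID no longer resolves to a name, and prints (without running) the matching icacls `/remove` command. The share path `D:\Shares` and the helper name `Test-SidResolves` are assumptions made for the example; icacls expects a numeric SID to be prefixed with `*`.

```powershell
# Added example: report explicit ACEs whose SID no longer resolves to a name.
# Nothing is modified; the icacls commands are only emitted for review.
param(
    [string]$Root = 'D:\Shares'   # hypothetical share root, replace with your own
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$nameType = [System.Security.Principal.NTAccount]
$cache    = @{}   # SID string -> $true (resolves) / $false (orphaned)

function Test-SidResolves([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($cache.ContainsKey($Sid.Value)) { return $cache[$Sid.Value] }
    try {
        [void]$Sid.Translate($nameType)
        $cache[$Sid.Value] = $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # The SID has no account behind it any more (e.g. a deleted user).
        $cache[$Sid.Value] = $false
    } catch {
        # Lookup failure (domain unreachable, trust problem): do not flag
        # the ACE and do not cache the result, so it is retried later.
        Write-Warning "Lookup failed for $($Sid.Value): $_"
        return $true
    }
    return $cache[$Sid.Value]
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # $true = explicit ACEs, $false = skip inherited ones (they are fixed at
    # the parent), trustees returned as raw SIDs instead of names.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if (Test-SidResolves $ace.IdentityReference) { continue }
        $flag = if ($ace.AccessControlType -eq 'Deny') { '/remove:d' } else { '/remove:g' }
        [pscustomobject]@{
            Path    = $item.FullName
            Sid     = $ace.IdentityReference.Value
            Type    = $ace.AccessControlType
            Rights  = $ace.FileSystemRights
            Command = 'icacls "{0}" {1} *{2}' -f $item.FullName, $flag, $ace.IdentityReference.Value
        }
    }
}
```

Pipe the output to `Export-Csv` and review it before running any of the emitted commands, and run the scan only while the domain controllers for every trusted domain are reachable.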