Re: Replacing domain SID on ACE's in DACL

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/15/04


Date: Thu, 14 Oct 2004 17:56:22 -0700

Yes, I was sort of wondering when you said at the end
"would not scale" but only 10G.

As your script walks the storage, examining DACLs,
you can, for each group use WMI group obj to get the
SID. I assume it would not be too hard to scrape the
groups/sids from the NT4 (I do this and gen a sub that
loads a dictionary object that can just be pasted into
what runs on the trusting domain).

Your issue however will likely not be finding the
legacy group grants, but determining which originate
an inheritance. It depends on how the storage has been
touched/migrated. If the storage was originally in NT4,
even if the NT4 underwent upgrade to W2k, what I have
found is that the header bits to indicate inherited are not
reliable.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"RobT" <r_tesoriero@hotmail.com.(donotspam)> wrote in message
news:04CA4014-5DA3-4C04-A251-C24FCD98CC63@microsoft.com...
> Apologies that should be 10TB of data....   If it was only 10GB I would
> hardly be worried :))
>
> "RobT" wrote:
>
> > Apologies for the X-post but I was unsure where this should live.
> >
> > I have about 10GB of data that now lives in a native Server 2003 domain.
> > All this data (due to the way the domain was migrated) is still ACL'd with
> > the groups from the legacy NT4 domain that it was migrated from.  Access for
> > the users to the data is via sid history.
> >
> > The NT4 domain (due to MS EOL for NT4) is to be decommissioned by the end of
> > the year.  Before then I would like to re-ACL the data with the correct AD
> > groups (which also contain the users' accounts due to group sync scripts).
> >
> > How is the best way to do this?  All the command line and scripting
> > interfaces I have looked at do not determine if the group is AD or NT4.
> > Because of sid history they all resolve the group names with the AD groups
> > rather than the NT4 ones they actually are, so are not useful for me here.
> >
> > Is there some software or script/api I can use to walk the DACL and
> > every time it sees an 'explicit' ACE referencing the old domain SID it will
> > either update the sid, or even better add the AD group and remove the NT4 one?
> >
> > I assume I am not the only person who has run into this issue, so surely
> > there must be something out there?  I have looked at the SIDwalker tool set
> > but it is not appropriate, requires too much manual intervention and will no
> > way scale to the size I need it to.
> >
> > Any help appreciated, as December 31 is fast approaching :)
> >
> > Much thanks,
> > RobT
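A worked version of the walk Roger describes and Rob asks for, added here as an example (it is not code from either poster, and uses PowerShell rather than the WMI/VBScript of the era): it keys on the raw SID of each ACE instead of the resolved name, which is exactly what SID history defeats. The domain SIDs, the group mapping, the D:\Data root and the parameter names are placeholders and assumptions, not values from any real domain.

```powershell
# Constructed example: walk a tree, find ACEs that still carry a legacy-domain
# SID, add the matching AD group, then drop the legacy ACE. All SIDs and the
# root path below are placeholders, not values from any real domain.
param(
    [string]$Root = 'D:\Data',
    [string]$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333',  # placeholder NT4 domain SID
    [switch]$IncludeInherited,   # also report inherited ACEs (see Roger's caveat on the flag)
    [switch]$DryRun              # report only, never call Set-Acl
)

# Legacy group SID -> AD group SID. Build it once (e.g. from Win32_Group.SID on
# each domain) and paste it in, as Roger describes. Placeholder values.
$SidMap = @{
    "${OldDomainSid}-1001" = 'S-1-5-21-4444444444-5555555555-6666666666-1001'
    "${OldDomainSid}-1002" = 'S-1-5-21-4444444444-5555555555-6666666666-1002'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $item = $_
    $acl  = Get-Acl -Path $item.FullName
    # Ask for rules keyed by raw SID. Resolving to names would show the AD group
    # (courtesy of SID history), which is exactly why name-based tools mislead.
    $rules   = $acl.GetAccessRules($true, [bool]$IncludeInherited, $sidType)
    $changed = $false
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $sid.StartsWith("${OldDomainSid}-")) { continue }
        if ($rule.IsInherited) {
            # Inherited ACEs cannot be edited on the child; the fix belongs on the parent.
            Write-Warning "$($item.FullName): inherited ACE still references $sid"
            continue
        }
        if (-not $SidMap.ContainsKey($sid)) {
            Write-Warning "$($item.FullName): no mapping for $sid, left untouched"
            continue
        }
        $newId   = New-Object System.Security.Principal.SecurityIdentifier($SidMap[$sid])
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $newId, $rule.FileSystemRights, $rule.InheritanceFlags,
            $rule.PropagationFlags, $rule.AccessControlType)
        $acl.AddAccessRule($newRule)           # grant the AD group first...
        $acl.RemoveAccessRuleSpecific($rule)   # ...then remove the legacy ACE
        $changed = $true
        Write-Verbose "$($item.FullName): $sid -> $($SidMap[$sid])"
    }
    if ($changed -and -not $DryRun) { Set-Acl -Path $item.FullName -AclObject $acl }
}
```

Run it with -DryRun -Verbose first to see what would change; since Roger notes the inherited bit cannot be trusted on NT4-era storage, compare a -IncludeInherited pass against the explicit-only pass before writing anything.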

