RE: Preserving permissions in a cross-forest move



Hello,

Good to hear from you.

According to your message, I understand that you find FSMT does not
migrate the permissions of the shared folders in a cross-domain scenario.
Is this correct?

Based on your description, I noticed that you manually created new AD
accounts in the new environment that matched the names of the accounts in
the old environment. Please understand that even though the user accounts in
the two domains have the same name, they actually have two different security
identifiers (SIDs). Permissions are based on SIDs.

In addition, I would like to confirm the settings you chose in the File
Server Migration Wizard.

1. If you do not choose to copy security settings from the source to the
target files and folders, the wizard applies permissions to the target
files, folders, and shared folders by granting Full Control permission to
the local Administrators group of the target file server.

2. If you select the Copy security settings option, the File Server
Migration Wizard copies all security settings for files, folders, and
shared folders, including NTFS file system permissions, auditing,
ownership, and shared folder permissions.

3. If you select the Copy security settings option, and also select the
Resolve invalid security descriptors option, the wizard cleans up security
descriptors whose security identifiers (SIDs) cannot be resolved on the
target file server.

I suspect that this is the exact scenario on your side. Since the original
SIDs are not recognized in the new domain, they are removed. Then the only
permissions you see after the file migration are those of the Administrators
group.

At this time, I would like to suggest that we use a tool called SubInACL to
replace the original SIDs of the files.

SubInACL is a command-line tool that enables administrators to obtain
security information about files, registry keys, and services, and transfer
this information from user to user, from local or global group to group,
and from domain to domain.

More details can be found at the link below:

SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

As for SubInACL, we can use it in the following way. You may want to test it first.
1. The old domain is Windows 2000, called 2kdom.
2. The new domain is Windows Server 2003, called 2k3dom.
3. There is a two-way trust between 2kdom and 2k3dom.
4. We have a user called 2kdom\User1 and a user called 2k3dom\User1.
5. A shared folder is c:\test on a file server called XPTest.
2kdom\User1 can access c:\test. 2k3dom\User1 cannot access it.

Now we want to replace 2kdom\User1 with 2k3dom\User1. Please use the
following command to change the ACL for the NTFS permissions:
subinacl /file \\XPTest\test /replace=2kdom\User1=2k3dom\User1

To change the share permissions for c:\test, you need to use:
subinacl /share \\XPTest\test /replace=2kdom\User1=2k3dom\User1


The file migration steps are as follows:

1. Check that the two-way trust exists between the win2k and win2k3 domains.

2. Run FSMT again; this time please select the Copy security settings option,
and deselect the Resolve invalid security descriptors option.

3. Check that the security settings exist after the file migration.

4. Use SubInACL to replace the SIDs.


Hope this helps. If you have further concerns, please get in touch!

Best regards,

Frances He

Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
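As an added example (editor's note, not part of the original post and not SubInACL itself): the same SID replacement that "subinacl /file ... /replace=2kdom\User1=2k3dom\User1" performs, written with Windows PowerShell's Get-Acl/Set-Acl, for a server where SubInACL is not installed. The script resolves both the old and the new account to SIDs before touching anything, because the ACL stores SIDs rather than names, and compares ACEs by SID so that a same-named account in the other domain is never mistaken for the original. The path C:\test, the domain names 2KDOM and 2K3DOM, the account User1, and the $Map table are assumptions carried over from the post's scenario; run it as an administrator on the target file server, with the trust to the old domain still in place so the old SIDs can be resolved.

```powershell
# Added example (not from the original post): re-map explicit NTFS ACEs from
# old-domain accounts to new-domain accounts, the Get-Acl/Set-Acl equivalent
# of "subinacl /file <path> /replace=OLD=NEW". Windows PowerShell 3.0 or later.
# Assumed (hypothetical) values: root C:\test, domains 2KDOM / 2K3DOM, User1.

$Map = @{
    '2KDOM\User1' = '2K3DOM\User1'
    # add further 'OLDDOM\name' = 'NEWDOM\name' pairs as needed
}
$Root   = 'C:\test'
$DryRun = $true   # set to $false to write the modified ACLs

function Resolve-Sid([string]$Account) {
    # Names are only labels; the ACL holds SIDs. Resolve up front so a typo or a
    # missing trust fails here, before any ACL is rewritten.
    try {
        return (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot resolve '$Account' (check the trust and the account name): $_"
    }
}

# Key the map by the OLD account's SID string, value = NEW account's SID object.
$SidMap = @{}
foreach ($old in $Map.Keys) {
    $SidMap[(Resolve-Sid $old).Value] = Resolve-Sid $Map[$old]
}

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
foreach ($item in $items) {
    $acl     = Get-Acl -LiteralPath $item.FullName
    $changed = $false

    # Inherited ACEs cannot be edited on the child; fixing the parent fixes them.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            # Get-Acl shows resolvable principals as NTAccount; unresolvable
            # (orphaned) SIDs are already SecurityIdentifier objects.
            try { $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch {
                Write-Warning "$($item.FullName): cannot translate $($ace.IdentityReference), skipping"
                continue
            }
        }

        $newSid = $SidMap[$sid.Value]
        if (-not $newSid) { continue }   # not one of the accounts we are replacing

        # Same rights, inheritance, propagation and Allow/Deny type; only the SID changes.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $newSid, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $null = $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($rule)
        $changed = $true

        $newName = $newSid.Translate([System.Security.Principal.NTAccount]).Value
        Write-Host "$($item.FullName): $($ace.IdentityReference) -> $newName ($($ace.AccessControlType) $($ace.FileSystemRights))"
    }

    if ($changed -and -not $DryRun) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Leave $DryRun at $true for the first pass and read the printed old -> new lines; they are the equivalent of checking step 3 ("security settings exist after migration") before the SID replacement in step 4. ACEs whose SID cannot be resolved at all are reported and left alone rather than silently dropped, which is the behaviour that the "Resolve invalid security descriptors" option would otherwise give you. Share permissions are a separate ACL stored with the share, not with the folder, which is why the post uses "subinacl /share" for them; on Windows Server 2012 and later the corresponding cmdlets are Get-SmbShareAccess, Revoke-SmbShareAccess and Grant-SmbShareAccess.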
