RE: File & folder migration problem in Security setting
- From: v-franhe@xxxxxxxxxxxxx (Frances [MSFT])
- Date: Mon, 11 Jul 2005 04:03:06 GMT
Hello Wilson,
Good to hear from you.
According to the message, I understand that you are using FSMT to migrate
files and folders. You find that the permissions are still belonging to the
previous domain name. Is this correct?
Please understand that FSMT only copies the settings from one server to
another, that is, the same ACL and Share permissions exist. It doesn't
replace the permission of ACLs in the NT domain with new ACLs in the win2k3
domain. So what you find is a normal behavior.
In addition, FSMT does not provide local group migration. You may take a
look at the white paper of FSMT. Pay extra attention to the part "File
Server Migration Wizard Overview".
Overview of the Microsoft File Server Migration Toolkit
http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfst_over
view.mspx
At this time, I would like to suggest that we use a tool called SubInACL to
replace the original SIDs of the files.
SubInACL is a command-line tool that enables administrators to obtain
security information about files, registry keys, and services, and transfer
this information from user to user, from local or global group to group,
and from domain to domain.
You may download this tool from the link below:
SubInACL (SubInACL.exe)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-
93cf-ed6985e3927b&DisplayLang=en
As to subinacl, we can use it in this way. You may have a test first.
1. Old domain is NT called NTdom
2. New domain in win2k3 called 2k3dom
3. Two way trust between NTdom and 2k3dom.
4. We have a user called NTdom\User1 and 2k3dom\User1.
5. A shared file is c:\test on a file server XPTest.
NTdom\User1 can access c:\test. 2k3dom\User1 cannot access it.
Now we want to replace NTdom\User1 by using 2k3dom\User1. Please use the
following command to change the ACL for NTFS permission:
subinacl /file \\XPTest\test /replace=NTdom\User1=2k3dom\User1
Change the share permission for c:\test, you need to use:
subinacl /share \\XPTest\test /replace=NTdom\User1=2k3dom\User1
You can use the syntax to replace the old domain with the new domain,
/changedomain and /migratetodomain domain parameter are recommended.
Please refer to the following article for more information.
SubInACL documentation
http://www.analogduck.com/main/subinacl
This response contains a reference to a third party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.
The file migration steps are as follows:
1. Check that the two-way trusts exist between the win2k and win2k3 domain.
2. Run FSMT again, this time please select Copy security settings option,
and deselect Resolve invalid security descriptors option.
3. Check that the security settings exist after file migration.
4. Use SubInACL to replace SIDs.
Hope this helps. If you have further concerns, please get in touch!
Best regards,
Frances He
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.
This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/
If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
============================================================================
===================
In an effort to secure NNTP access to partners only, the password will
change every 6 months when using Outlook Express or other NNTP client to
view the Microsoft Managed Newsgroups. The current password has been active
since July 1, 2005.
This does not impact the web-based newsreader at:
https://partner.microsoft.com/global/technicalsupport/registeredsupport/4001
3938
The new password will be active from July 1, 2005 until January 3, 2006
(9:00 am PST).
Please visit and mark as a favorite the following link to obtain the new
password information as well as the instructions for configuring OE for
newsgroup access.
https://partner.microsoft.com/global/40012653. You will need to sign in to
the partner portal to access this page.
============================================================================
=====================
.
- References:
- File & folder migration problem in Security setting
- From: Wilson Cheung
- File & folder migration problem in Security setting
- Prev by Date: Re: Files migrate over different domain
- Next by Date: Re: Files migrate over different domain
- Previous by thread: File & folder migration problem in Security setting
- Next by thread: ADMTv2 Security Translation Wizard
- Index(es):
Relevant Pages
|
