Re: Add or modify ACL on folder after using FSMT

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hello Jason!

Thank you for your suggestion. On the other hand, here was my plan and I
failed on it. Do you have any comment?

Let say I have a home directory called <User_a> in NT Domain (NT4).
Administrator and User_a have a Full access on it. Plus I added an account
from Win2k3 Domain Controller for this folder which has the permission (2
way Trust is existed). Therefore:

NT4\Administrator (Full)
NT4\User_a
Win2k3\User_a

Then, I used FSMT to migrate <User_a> to the Win2k3. Suppose the user,
User_a can have an access to this folder after user_a login the Win2k3.
However, User_a has no right (Access is denied) on it? Why? I also supposed
sid of "Win2k3\User_a" that I added in NT4 is the same as Win2k3. Isn't it?


Thanks Jason!!

B.regards,
Wilson

"Jason Tan (MSFT)" <v-jasont@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:1etNqBPiFHA.2516@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Wilson,
>
> Thanks for posting1
>
> Per you requirement, you may use Subinacl.exe tool to replace NT ACLs with
> 2k3 ACLs. For your information, you may use subinacl to replace the ACL.
> That is to say you may use subincal in replace mode. The command is as
> follows:
>
> Subinacl /subdirectories x:\directory\*.* /replace=oldsid=newsid
> OR
> subinacl /subdirectories x:\directory\*.* /replace= NTDOMAIN\FILEUSERS=
> W2K3DOMAIN\FILEUSERS
>
> SubInACL is a command-line tool that enables administrators to obtain
> security information about files, registry keys, and services, and
> transfer
> this information from user to user, from local or global group to group,
> and from domain to domain. For example, if a user has moved from one
> domain
> (DomainA) to another (DomainB), the administrator can replace DomainA\User
> with DomainB\User in the security information for the user's files. This
> gives the user access to the same files from the new domain.
>
> For additional information about the syntax and usage of the Subinacl.exe
> utility, type subinacl /help at the command line.
>
> Using the Command Line to Edit Multiple Subdirectory Permissions
> http://support.microsoft.com/default.aspx?scid=kb;en-us;265360
>
> Download details: SubInACL (SubInACL.exe)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-
> 93cf-ed6985e3927b&displaylang=en
>
> Hope the information helps. If there is anything that is unclear, please
> feel free to let me know.
>
> Thanks & Regards,
>
> Jason Tan
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
>
> --------------------
> | From: "Wilson Cheung" <wcwcheung@xxxxxxxxx>
> | Subject: Add or modify ACL on folder after using FSMT
> | Date: Fri, 15 Jul 2005 08:38:28 +0800
> | Lines: 18
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | X-RFC2646: Format=Flowed; Original
> | Message-ID: <uZDrHVNiFHA.576@xxxxxxxxxxxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.migration
> | NNTP-Posting-Host: pcd661018.netvigator.com 218.102.193.18
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.migration:11259
> | X-Tomcat-NG: microsoft.public.windows.server.migration
> |
> | Hello,
> |
> | I knew FSMT does not mapped folders' and files' ACL permission to the
> new
> | domain in Win2k3 domain controller. For example, I have a NT domain NT4
> and
> | I have an user called User_a. That user's folder ACL stays the same as
> | User_a\NT4, but not User_a\Win2k3. Therefore User_a in Win2k3 domain
> cannot
> | access any folders after User_a login to the domain.
> |
> | I am looking for a tool or tools which can translate all folders' and
> files'
> | ACL permission from NT4 to Win2k3. Or tools (command-line) that I can
> add
> | them back manually in a script. Basically, there are around 500-800
> users
> in
> | our corporate. Therefore, It's so hard to do it on graphic user
> interface.
> |
> | On the other hand, I migrate all user account and by a script
> "csvde.exe",
> | therefore Security Translation Wizard in ADMT cannot make any help. Can
> some
> | help me to solve this problem? Thanks in a million!!
> |
> |
> |
>


.

Relevant Pages

  • RE: Add or modify ACL on folder after using FSMT
    ... you may use subinacl to replace the ACL. ... type subinacl /help at the command line. ... | access any folders after User_a login to the domain. ...
    (microsoft.public.windows.server.migration)
  • Re: Add or modify ACL on folder after using FSMT
    ... I created a folder User_a on the Windows NT DC with the following security: ... I suggest you check the ACL by Whoami.exe. ... current user's security context) in the command window. ...
    (microsoft.public.windows.server.migration)
  • RE: Locating corrupt driver
    ... This article describes the functionality and limitations of the Windows ... Create and format partitions on drives. ... MB of hard disk space on your system partition to hold the Cmdcons folder ... Windows NTBoot Console Command Interpreter. ...
    (microsoft.public.win2000.applications)
  • Re: Dim RetVal
    ... Looking in the folder there is a coed11.dat DAT file, the coed11 application, coed11.gdb GDB file ... The reason is that without the quotes, the command processor sees the ... In the command window, first type ... This *should* have exactly the same effect as the macro. ...
    (microsoft.public.word.vba.beginners)
  • Re: Batch Job
    ... You cannot use the 'del' command at a DOS prompt. ... files (since 'del' might not work into the special folder). ... while the above will delete the deleted files from the Recycle Bin but it also deletes configuration files used by the Recycle Bin. ...
    (microsoft.public.windowsxp.general)