Re: Add or modify ACL on folder after using FSMT




Hi Wilson,

Thanks for your detailed description.

Please excuse my delay! The issue seems to be weird. Based on my test,
I created a folder User_a on the Windows NT DC with the following security:

NT4\Administrator (Full)
NT4\User_a
Win2k3\User_a

After the folder migration with FSMT, the Security of the folder User_a has
also been migrated successfully. That is to say, the security has been
preserved. According to my research, please let me know if you can see the
above security items listed in the security of the folder User_a in place.
Has the Win2k3\User_a account been migrated from Windows NT domain or
created manually?

Additionally, I suggest you check the ACL by Whoami.exe. You may log on with
Win2k3\User_a.

WhoAmI displays the complete contents of the access token (for example, the
current user's security context) in the command window. It displays the
user name and security identifier (SID), the groups and their SIDs, the
privileges and their status (for example, enabled or disabled), and the
logon ID.

More information for your reference:
Whoami.exe
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/whoami-o.asp

Hope the information helps. If there is anything that is unclear, please
feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------
| From: "Wilson Cheung" <wcwcheung@xxxxxxxxx>
| References: <uZDrHVNiFHA.576@xxxxxxxxxxxxxxxxxxxx>
<1etNqBPiFHA.2516@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Add or modify ACL on folder after using FSMT
| Date: Fri, 15 Jul 2005 23:26:54 +0800
| Lines: 122
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| X-RFC2646: Format=Flowed; Original
| Message-ID: <u3xBfGViFHA.3936@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.migration
| NNTP-Posting-Host: n219078006203.netvigator.com 219.78.6.203
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:11268
| X-Tomcat-NG: microsoft.public.windows.server.migration
|
| Hello Jason!
|
| Thank you for your suggestion. On the other hand, here was my plan and I
| failed on it. Do you have any comment?
|
| Let's say I have a home directory called <User_a> in NT Domain (NT4).
| Administrator and User_a have Full access on it. Plus I added an account
| from Win2k3 Domain Controller for this folder which has the permission (2
| way Trust exists). Therefore:
|
| NT4\Administrator (Full)
| NT4\User_a
| Win2k3\User_a
|
| Then, I used FSMT to migrate <User_a> to the Win2k3. Suppose the user,
| User_a can have an access to this folder after user_a login the Win2k3.
| However, User_a has no right (Access is denied) on it? Why? I also supposed
| sid of "Win2k3\User_a" that I added in NT4 is the same as Win2k3. Isn't it?
|
|
| Thanks Jason!!
|
| B.regards,
| Wilson
|
| "Jason Tan (MSFT)" <v-jasont@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:1etNqBPiFHA.2516@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Wilson,
| >
| > Thanks for posting!
| >
| > Per your requirement, you may use Subinacl.exe tool to replace NT ACLs with
| > 2k3 ACLs. For your information, you may use subinacl to replace the ACL.
| > That is to say you may use subinacl in replace mode. The command is as
| > follows:
| >
| > subinacl /subdirectories x:\directory\*.* /replace=oldsid=newsid
| > OR
| > subinacl /subdirectories x:\directory\*.* /replace=NTDOMAIN\FILEUSERS=W2K3DOMAIN\FILEUSERS
| >
| > SubInACL is a command-line tool that enables administrators to obtain
| > security information about files, registry keys, and services, and transfer
| > this information from user to user, from local or global group to group,
| > and from domain to domain. For example, if a user has moved from one domain
| > (DomainA) to another (DomainB), the administrator can replace DomainA\User
| > with DomainB\User in the security information for the user's files. This
| > gives the user access to the same files from the new domain.
| >
| > For additional information about the syntax and usage of the Subinacl.exe
| > utility, type subinacl /help at the command line.
| >
| > Using the Command Line to Edit Multiple Subdirectory Permissions
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;265360
| >
| > Download details: SubInACL (SubInACL.exe)
| >
| > http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
| >
| > Hope the information helps. If there is anything that is unclear, please
| > feel free to let me know.
| >
| > Thanks & Regards,
| >
| > Jason Tan
| >
| > Microsoft Online Partner Support
| > Get Secure! - www.microsoft.com/security
| >
| >
| > --------------------
| > | From: "Wilson Cheung" <wcwcheung@xxxxxxxxx>
| > | Subject: Add or modify ACL on folder after using FSMT
| > | Date: Fri, 15 Jul 2005 08:38:28 +0800
| > | Lines: 18
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > | X-RFC2646: Format=Flowed; Original
| > | Message-ID: <uZDrHVNiFHA.576@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.migration
| > | NNTP-Posting-Host: pcd661018.netvigator.com 218.102.193.18
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl
| > microsoft.public.windows.server.migration:11259
| > | X-Tomcat-NG: microsoft.public.windows.server.migration
| > |
| > | Hello,
| > |
| > | I knew FSMT does not map folders' and files' ACL permission to the new
| > | domain in Win2k3 domain controller. For example, I have a NT domain NT4 and
| > | I have a user called User_a. That user's folder ACL stays the same as
| > | User_a\NT4, but not User_a\Win2k3. Therefore User_a in Win2k3 domain cannot
| > | access any folders after User_a login to the domain.
| > |
| > | I am looking for a tool or tools which can translate all folders' and files'
| > | ACL permission from NT4 to Win2k3. Or tools (command-line) that I can add
| > | them back manually in a script. Basically, there are around 500-800 users in
| > | our corporate. Therefore, it's so hard to do it on graphic user interface.
| > |
| > | On the other hand, I migrate all user account and by a script "csvde.exe",
| > | therefore Security Translation Wizard in ADMT cannot make any help. Can
| > | someone help me to solve this problem? Thanks in a million!!
| > |
| > |
| > |
| >
|
|
|
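
The check suggested in the reply above (compare the SIDs in the logged-on user's access token with the SIDs on the migrated folder's ACL), as an added PowerShell example that is not part of the original thread. The folder path is a hypothetical placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Run while logged on as the affected user.
param(
    [string]$Path = 'D:\Home\User_a'   # assumption: location of the migrated folder
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs carried in the current access token: the user SID plus its group SIDs.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$acl   = Get-Acl -Path $Path
# Request raw SIDs rather than names, so two accounts that share a name
# (NT4\User_a and Win2k3\User_a) can be told apart.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # The SID cannot be resolved from this machine, e.g. the old domain
        # is unreachable or the account no longer exists.
        $name = '<unresolved SID>'
    }
    [pscustomobject]@{
        Sid       = $sid.Value
        Account   = $name
        Type      = $rule.AccessControlType
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
        InToken   = $tokenSids -contains $sid.Value
    }
}

$report | Format-Table -AutoSize

# A folder whose Allow ACEs all carry SIDs absent from the token is consistent
# with the "Access is denied" symptom described in the thread.
if (-not ($report | Where-Object { $_.InToken -and $_.Type -eq 'Allow' })) {
    Write-Warning "No Allow ACE on '$Path' matches a SID in the token of $($identity.Name)."
}
```

A matching Allow ACE does not by itself prove access, since Deny ACEs and share-level permissions are evaluated as well.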
