Delete ACLs for a whole domain


Rick Dang

Hi,
some servers moved from OLDDOMAIN to NEWDOMAIN, which have bidirectional
trust relationships. Their filesystems now have ACLs done by users and
groups from both domains.

How can I delete all the OLDDOMAIN ACL references from the filesystems'
objects?

With CACLS I could remove OLDDOMAIN's groups and users one by one, but I
cannot remove the whole OLDDOMAIN.

Thanks in advance,
Rick
 
Rick Dang said:
Hi,
some servers moved from OLDDOMAIN to NEWDOMAIN, which have bidirectional
trust relationships. Their filesystems now have ACLs done by users and
groups from both domains.

How can I delete all the OLDDOMAIN ACL references from the filesystems'
objects?

With CACLS I could remove OLDDOMAIN's groups and users one by one, but I
cannot remove the whole OLDDOMAIN.


It's not clear exactly what you wish to do but perhaps SubInAcl.exe
will help you. It is a standard tool (ResKit or MS Download) for
massaging ACLs after a migration.

Other than that you would probably need to write a script and
find each such entry before deleting or changing it.

SetAcl.exe (free from sourceforge.net) might also help but it has
a command line that is very difficult to learn to use.
 
Hi Herb,
thanks for answering. Let me explain in a better way: this is a sample
output obtained by typing CACLS C:\temp:

BUILTIN\Administrators:F
OLDDOMAIN\User1:F
OLDDOMAIN\User2:C
OLDDOMAIN\Group1:R
NEWDOMAIN\User1:C
NEWDOMAIN\User5:R
NEWDOMAIN\Group3:F
NEWDOMAIN\Group4:C
Everyone:R

By deleting all ACL entries belonging to OLDDOMAIN, the new ACL should
be that one:

BUILTIN\Administrators:F
NEWDOMAIN\User1:C
NEWDOMAIN\User5:R
NEWDOMAIN\Group3:F
NEWDOMAIN\Group4:C
Everyone:R

If you consider a whole filesystem, with a big number of folders and
subfolders with specific ACLs, I need a command to remove all the
OLDDOMAIN entries.

I could make a list of all OLDDOMAIN users and groups, and write a
script like that:

CACLS c:\ /t /e /r OLDDOMAIN\User1
CACLS c:\ /t /e /r OLDDOMAIN\User2
CACLS c:\ /t /e /r OLDDOMAIN\User3
CACLS c:\ /t /e /r OLDDOMAIN\Group1
CACLS c:\ /t /e /r OLDDOMAIN\Group2
CACLS c:\ /t /e /r OLDDOMAIN\Group3

I wonder if there is a simple way to reach the point with a single
command involving the domain, and not just users and groups; otherwise
I'd need a script as long as the whole number of AD objects I have to
remove (about 400 between users and groups!!!).

Note that I do not have to migrate ACLs from OLDDOMAIN to NEWDOMAIN, as
SubInAcl.exe can do. It doesn't seem that SetAcl.exe can help me either...

Thanks again,
Rick

Herb Martin wrote:
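The domain-wide removal Rick asks for above, as an added example that is not part of the thread: a PowerShell script (Get-Acl/Set-Acl) that walks a tree and drops every explicit ACE whose trustee name starts with OLDDOMAIN\, without having to list the ~400 users and groups. The root path, the domain name and the function name Remove-DomainAces are placeholders chosen for this example.

```powershell
# Added example: remove all explicit ACEs for trustees in one domain from a tree.
# Run from an elevated prompt; try it with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root      = 'C:\temp',     # placeholder root (the thread uses C:\temp and C:\)
    [string]$OldDomain = 'OLDDOMAIN'    # placeholder domain name, as in the thread
)

function Remove-DomainAces {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Domain)

    $acl = Get-Acl -LiteralPath $Path
    # Only explicit (non-inherited) entries can be removed on this object;
    # inherited ones vanish once the parent they come from is cleaned.
    # Both Allow and Deny entries are included, since both live in .Access.
    $stale = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -like "$Domain\*"
    })
    if ($stale.Count -eq 0) { return 0 }

    foreach ($ace in $stale) { $null = $acl.RemoveAccessRule($ace) }

    if ($PSCmdlet.ShouldProcess($Path, "remove $($stale.Count) $Domain ACE(s)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $stale.Count
}

# Clean the root itself, then every file and folder below it (hidden ones too).
$targets = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$removed = 0
foreach ($item in $targets) {
    try {
        $removed += Remove-DomainAces -Path $item.FullName -Domain $OldDomain
    } catch {
        # Typical causes: access denied on a subtree, or an owner we cannot set.
        Write-Warning "Skipped $($item.FullName): $_"
    }
}
Write-Host "Removed $removed explicit $OldDomain entries under $Root"
```

The name filter relies on the trust still resolving OLDDOMAIN SIDs to names; once the trust is gone those entries show up as raw S-1-5-21-... SIDs and a filter on the old domain's SID prefix is needed instead.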
 