Delete all OLDDOMAIN ACLs from file system


Rick Dang

Hi,
Some servers moved from OLDDOMAIN to NEWDOMAIN, which have bidirectional
trust relationships. Their filesystems now have ACLs done by users and
groups from both domains.

How can I delete all the OLDDOMAIN ACL references from the filesystems'
objects?

With CACLS I could remove OLDDOMAIN's groups and users one by one, but I
cannot remove the whole OLDDOMAIN.

Thanks in advance,
Rick
 
Your best bet is likely to write a script that recurses over all
storage structures looking for ACEs that grant/deny principals
of the old domain based on the old domain's RID portion in the
SID used in the grant/deny.
Using other tools has the problem that you cannot specify the
target account with a SID pattern, but must first discover each
different old domain principal that is being used.
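
An added example, not part of the original thread: a PowerShell script of the kind the reply describes, which walks a directory tree and removes explicit DACL entries whose SID carries the old domain's identifier, so no per-account discovery is needed. The `-Root`, `-OldDomain` and `-Apply` parameters are assumptions of this example, and it assumes the trust still resolves `OLDDOMAIN\Domain Users` so the domain SID can be looked up.

```powershell
# Added example (not from the thread): report, and with -Apply remove, explicit
# file-system ACEs whose SID belongs to the old domain. DACL only; audit (SACL)
# entries are not touched.
param(
    [Parameter(Mandatory)] [string] $Root,   # hypothetical: tree to clean, e.g. D:\Shares
    [string] $OldDomain = 'OLDDOMAIN',       # NetBIOS name of the domain to strip
    [switch] $Apply                          # without -Apply nothing is written
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Resolve the old domain's SID once from a group every domain has.
# Assumption: the trust is still in place so the name resolves.
$account      = New-Object System.Security.Principal.NTAccount($OldDomain, 'Domain Users')
$oldDomainSid = $account.Translate($sidType).AccountDomainSid

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "$($item.FullName): $_"; continue }

    # Ask for raw SIDs so ACEs of already-deleted accounts are matched too.
    # Explicit ACEs only ($true, $false): inherited ones vanish once the
    # parent object has been cleaned.
    $stale = @($acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.AccountDomainSid -eq $oldDomainSid })
    if ($stale.Count -eq 0) { continue }

    foreach ($ace in $stale) {
        # One report row per ACE, for review or piping to Export-Csv.
        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $ace.IdentityReference.Value
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
        }
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }

    if ($Apply) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Run it without `-Apply` first and review the report; well-known SIDs such as BUILTIN groups have no account domain SID and are never matched.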
 