Replacing domain SID on ACE's in DACL

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Apologies for the X-post but I was unsure were this should live.

I have about 10GB of data that now lives in a native Server 2003 domain.
All this data (due to the way the domain was migrated) is still ACL'd with
the groups from the legacy NT4 domain that it was migrated from. Access for
the users to the data is via sid history.

The NT4 domain (due to MS EOL for NT4) is to be docomssioned by the end of
the year. Before then I would like to re-ACL the data with the correct AD
groups which also contain the users accounts due to group sync scripts).

How is the best way to do this? All the command line and scripting
interfaces I have looked at do not determine if the group is AD or NT4.
Becuase of sid history they all resolve the group names with the AD groups
rather than the NT4 ones they actually are, so are not useful for me here.

Is there some software or script/api I can use the walk to DACL and
everytime it sees an 'explicit' ACE reference the old domain SID it will
either update the sid, or even better add the AD group and remove the NT4 one?

I assume I am not the only person who has run into this issue, so surely
there must be something out there? I have looked at the SIDwalker tool set
but it is not appropriate, requires to much manual intervention and will no
way scale to the size I need it two.

Any help appreciated, as december 31 is fast approaching :)

Much thanks,
RobT
 
Yes, I was sort of wondering when you said at the end
"would not scale" but only 10G.

As your script walks the storage, examining DACLs,
you can, for each group use WMI group obj to get the
SID. I assume it would not be too hard to scrape the
groups/sids from the NT4 (I do this and gen a sub that
loads a dictionary object that can just be pasted into
what runs on the trusting domain).

Your issue however will likely not be finding the
legacy group grants, but determining which originate
an inheritance. It depends on how the storage has been
touched/migrated. If the storage was originally in NT4,
even if the NT4 underwent upgrade to W2k, what I have
found is that the header bits to indicate inherited are not
reliable.
 
Rob have a look at Security Explorer by Scriptlogic...
http://www.scriptlogic.com/eng/products/securityexplorer/main.asp

This software will re-ACL the entire data tree swapping old SID for
new.

You'll almost certainly have to break the job down, as in my
experience it takes an hour 'per million files' to perform this sort
of operation. Never had a problem with it though, and the GUI is both
intuitive and powerful.

Regards, Neil
 
Yes, that was my first port of call.

I does not seem to work on data that is ACL'd with groups that have sid
history attached. It just skips over saying it has nothing to do. It does
not seem to recognise that the groups are from the old domain. I have proved
this by using a group that was not migrated with sid history (domain admins)
and it seems to work on for data ACL'd with this group.

Does this seem right?
 
RobT said:
I assume I am not the only person who has run into this issue, so surely
there must be something out there? I have looked at the SIDwalker tool
set
but it is not appropriate, requires to much manual intervention and will
no
way scale to the size I need it two.
Click to expand...

Hello RobT,

I think the SIDwalker-Tool will better scale than any script you write.
AFAIR the only thing which really needs to be done manually is the
mapping file of old account vs. New account, and you'll have to do that
anyways. You'd be able to reuse the same mapping file on every
fileserver, it just contains lines like "if SID1 exist please
delete/add/replace by SID2", so create a file with all existing SIDs
and mapping and apply that file to all filers in your environment. I'm
sure that's much faster than any approach you can script yourself.

You might be able to save a lot of time with the mapping file - you can
script the editing of that file if you have any scriptable relations
between the old and the new account. But even Excel might be able to
help you here.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
Back
Top