
Migrating permissions over domains

As I’ve stated in previous blogs, I work at a Managed Services Provider, which makes me lucky enough to work in environments ranging from very small and simple to large-scale operations where every step has to be a planned one. This means we need a policy that is easy to manage and that can migrate permissions across a wide range of Microsoft products, from Windows Server 2003 to Windows Server 2012. So when planning a policy we need to account for all the small discrepancies that can occur between clients, domains, and so on.

I will not share our exact procedure and policy for maintaining permissions, but I would like to share the tool we use to move permissions across servers, forests and entire domains: SubInACL.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

One of the great features of this tool is its plain-text export. Most other tools, such as PowerShell’s Get-Acl (in its SDDL form) and various third-party tools, rely on the system to resolve SIDs at the time of use, so their exports store only the SIDs and not the resolved account names. The problem is that a domain SID (S-1-5-21-…) is unique to the domain that issued it: when you migrate data to a server that has no relation to the previous one (e.g. a new domain), those SIDs can no longer be resolved, the permissions cannot be restored, and you are forced to recreate the permission structure by hand.
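To see the difference in practice, here is a small PowerShell check. It is added to this post as an illustration and is not code from the post or from SubInACL: it tries to resolve a well-known SID and then a constructed, fictitious domain SID, and shows that Get-Acl resolves names for display while its SDDL string keeps raw SIDs for domain principals. The folder path is a placeholder.

```powershell
# Added example (not from the original post or from SubInACL). Demonstrates why a
# permissions export that stores raw SIDs cannot be restored in an unrelated domain.
# The S-1-5-21-... SID below is constructed for illustration and belongs to no real domain.

function Resolve-SidToName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # PowerShell may wrap the .NET exception; unwrap it before testing the type
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
            return $null   # no account for this SID on this machine or in its domain
        }
        throw
    }
}

# Well-known SIDs resolve on every Windows machine, so they survive any migration.
Resolve-SidToName 'S-1-5-32-544'      # BUILTIN\Administrators

# A domain SID only resolves inside the domain that issued it (or one that trusts it).
# On a server in an unrelated domain this returns $null: the ACE would be orphaned.
Resolve-SidToName 'S-1-5-21-1111111111-2222222222-3333333333-1001'

# Get-Acl shows resolved names in .Access, but its SDDL string (the form you would
# write to a file) keeps S-1-5-21-... SIDs for domain users and groups. Only built-in
# principals get portable aliases such as BA (Administrators) or SY (SYSTEM).
function Show-AclForms {
    param([Parameter(Mandatory)][string]$Path)   # placeholder, e.g. D:\FolderWeWantToBackup
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    $acl.Sddl
}
```

Run Show-AclForms against a folder that carries domain ACEs and compare the two outputs: the names in .Access are what you want in a migration file, the SIDs in .Sddl are what you get from a SID-based export.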

SubInACL, on the other hand, resolves each SID to its account name while exporting and writes those names into the text file, so the file stays meaningful on a system that has never seen the old SIDs. To export permissions to a text file, install SubInACL and run the following command:

Subinacl /noverbose /output=D:\Permissions.txt /subdirectories "D:\FolderWeWantToBackup"

This tells SubInACL to write the permissions of D:\FolderWeWantToBackup, including all subdirectories and files, to D:\Permissions.txt. The /noverbose switch is required to produce a file that can later be used as a play file: without it SubInACL writes a more readable format, but that file fails at import with the message "Invalid Function" or "Invalid Device".

To restore, there are several options, but the first step is always to copy the entire file structure to the new server. You can use any tool you prefer for this; I use SyncToy or Robocopy. After that you have to decide which type of restore you need. Here are some examples:

Replace single account name:

Subinacl /playfile D:\Permissions.txt /replace=[DomainName\]OldAccount=[DomainName\]New_Account

Replace old domain name:

Subinacl /playfile D:\Permissions.txt /replacestringonoutput=OldDomainName=NewDomainName

Replace old SIDs with new SIDs via a mapping file (see the SubInACL documentation for the file format):

Subinacl /playfile D:\Permissions.txt /changedomain=OldDomainName=NewDomainName[=MappingFile[=Both]]

With these restore commands you should be able to build simple scripts to move permissions across domains, as long as you keep the old user names and group names in the new domain, or rewrite them with the /replacestringonoutput option. Happy migrating 🙂
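The whole procedure, export, copy, replay and verify, wrapped into one PowerShell script. This is an example added to this post, not the author’s own script and not Microsoft’s code. It assumes subinacl.exe is on the PATH on both servers, that the server, domain and path names are placeholders, that the folder keeps the same path on the new server (the play file records absolute paths), and that the groups already exist in the new domain under the same names as in the old one.

```powershell
# Added example, not the original post's script: wraps the export / copy / replay
# steps above and adds the checks you want before trusting the result.
# Assumptions: subinacl.exe is on PATH on both servers; paths, server and domain
# names are placeholders; the folder keeps the same path on the new server because
# the play file records absolute paths; groups already exist in NEWDOMAIN under the
# same names as in OLDDOMAIN.

$Root      = 'D:\FolderWeWantToBackup'
$PlayFile  = 'D:\Permissions.txt'
$NewServer = 'NEWSERVER'
$OldDomain = 'OLDDOMAIN'
$NewDomain = 'NEWDOMAIN'

# Step 1 (old server): export with /noverbose, then look for ACEs that SubInACL
# could not resolve to a name. Those stay in the file as raw SIDs, usually left
# over from deleted accounts, and will not follow the data by name.
function Export-SubInAclPermissions {
    param([string]$Path, [string]$OutFile)
    & subinacl.exe /noverbose "/output=$OutFile" /subdirectories "$Path"
    if ($LASTEXITCODE -ne 0) { throw "subinacl export failed, exit code $LASTEXITCODE" }
    if (-not (Test-Path -LiteralPath $OutFile) -or (Get-Item -LiteralPath $OutFile).Length -eq 0) {
        throw "subinacl wrote nothing to $OutFile"
    }
    $orphans = Select-String -LiteralPath $OutFile -Pattern 'S-1-5-21-\d+-\d+-\d+-\d+' -AllMatches |
        ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($orphans) { Write-Warning ("Unresolved SIDs in export: " + ($orphans -join ', ')) }
    return $orphans
}

# Step 2 (old server): copy data only. /COPY:DAT deliberately leaves out S (security):
# the old domain's SIDs would only arrive as orphans, and the ACLs are replayed with
# the new domain's names in step 3 anyway.
function Copy-FolderTree {
    param([string]$Source, [string]$Destination)
    & robocopy.exe $Source $Destination /E /COPY:DAT /R:2 /W:5 /NP /NFL /NDL
    # robocopy exit codes 0-7 are success variants; 8 and above mean something failed
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }
}

# Step 3 (new server): replay the play file, rewriting the domain part of every
# account name as it is applied. Use /replace=OLD\acct=NEW\acct instead when only
# a few accounts changed name.
function Restore-SubInAclPermissions {
    param([string]$File, [string]$OldDomain, [string]$NewDomain)
    & subinacl.exe /playfile $File "/replacestringonoutput=$OldDomain=$NewDomain"
    if ($LASTEXITCODE -ne 0) { throw "subinacl playfile failed, exit code $LASTEXITCODE" }
}

# Step 4 (new server): walk the tree and report every ACE that still names the old
# domain or is an unresolved SID. An empty result means the replay resolved cleanly.
function Test-MigratedAcls {
    param([string]$Path, [string]$OldDomain)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -LiteralPath $item.FullName).Access |
            Where-Object { $_.IdentityReference.Value -like "$OldDomain\*" -or
                           $_.IdentityReference.Value -like 'S-1-5-21-*' } |
            ForEach-Object { [pscustomobject]@{ Path = $item.FullName; Identity = $_.IdentityReference.Value } }
    }
}

# Run on the old server:
Export-SubInAclPermissions -Path $Root -OutFile $PlayFile | Out-Null
Copy-FolderTree -Source $Root -Destination "\\$NewServer\D$\FolderWeWantToBackup"
Copy-Item -LiteralPath $PlayFile -Destination "\\$NewServer\D$\Permissions.txt"

# Run on the new server:
Restore-SubInAclPermissions -File $PlayFile -OldDomain $OldDomain -NewDomain $NewDomain
Test-MigratedAcls -Path $Root -OldDomain $OldDomain | Format-Table -AutoSize
```

In a real run the two halves are executed on different machines, so split the script or drive the second half through Invoke-Command. The orphan check after the export is the one that pays for itself: every raw SID it reports is an ACE you will have to deal with by hand, either by deleting it or by mapping it with /changedomain, because there is no name left for /replacestringonoutput to rewrite.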