Getting ACL and setting ACL in new domain

This topic contains 9 replies, has 4 voices, and was last updated by Greg Dent 8 months, 3 weeks ago.

    #33476
    Ron Bakker
    Participant

    Hi all,

    I have a question regarding ACL-ing.
    First let me sketch my "problem".

    We are doing a data migration between 2 different domains.
    While there is a 2 way transitive trust between them, this makes it a little easier.

    Now my plan is to copy the data from the source domain, using Robocopy, to the target domain and leave the ACL from the source domain, while users will still be in the source domain when they access their data.

    Now what I am looking for is 2 scripts :
    1. Read the ACL from the source and write the info to a csv file :

    # Output file and CSV header
    $OutFile = "C:\scripts\Sesogper.csv"
    $Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
    # Start with a fresh file (no error if it does not exist yet)
    Remove-Item $OutFile -ErrorAction SilentlyContinue
    Add-Content -Value $Header -Path $OutFile

    $RootPath = "H:"

    # Every folder below the root, recursively (files are skipped)
    $Folders = Get-ChildItem $RootPath -Recurse | Where-Object { $_.PSIsContainer -eq $true }

    foreach ($Folder in $Folders) {
        # One CSV row per access control entry on the folder
        $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
        foreach ($ACL in $ACLs) {
            $OutInfo = "`"" + $Folder.FullName + "`"," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
            Add-Content -Value $OutInfo -Path $OutFile
        }
    }

    2. Modify the .csv file by adding the new group and user names (they will be the same for users, but differ with groups) with the new domain name in front of it and use a PowerShell script to add the ACL to the Target location.
    All system level ACL can be left behind, just focussing on the group and user settings.

    Now for the second script I am having difficulties finding a proper script for that.

    Can anyone here help me with this ?
    If it's easier to use icacls.exe in a script, please advise on how to.

    Thanks in advance.

    Regards, Ron

    #33494
    Don Jones
    Keymaster

    It sounds almost like you're trying to rewrite the ADMT. It's designed to copy files across domains and re-map the ACLs to the equivalent SIDs in the new domain. And it's a free tool ;).

    And it's definitely far, far, far, far, far, far easier to use Icacls.exe.

    #33530
    Ron Bakker
    Participant

    Don,

    Do you have an example script available that uses icacls.exe ?
    What I actually need is a script that (after setting ACLs with Robocopy) also sets the new domain groups and users on the new location.

    For example :
    olddomain\user1 and newdomain\user1
    olddomain\accessgroup and newdomain\GPaccessgroup

    In the new domain a new naming convention is chosen, and during the transition, both users from the old domain and users from the new domain will use the same resources.

    Thanks in advance

    #33545
    Don Jones
    Keymaster

    We wrote one for the 2nd and 3rd editions of Windows PowerShell: TFM, but I don't have the script handy. I mean, it's really just running ICacls.exe (the syntax of which you can look up) and sticking variables in for the parameter values.

    Problem is, in terms of me being useful, is that I've always done these things using the ADMT or ScriptLogic's SecureCopy, which are designed for this exact task and run it a bazillion times faster. So I've just never had to write a script to do this – so no sample code I can share :(.

    But I particularly dislike the -ACL commands, and always have. They're just cumbersome.

    #33550
    Greg Dent
    Participant

    Not sure what help this will be, but I had to do a similar exercise, moving data off to a different company, whilst retaining copies for us. ICACLS is indeed FAR better for anything to do with NTFS ACLs, but in this instance didn't provide enough flexibility.

    Not used the ADMT tools, or others Don refers to, but it's worth checking out.

    Anyway:

    # -------------- Description
    # Author: Greg Dent
    # Update: 07/02/2014
    # This script recursively scans a folder and all subfolders and imports the ACL information into a CSV file
    # Paths are obtained from an imported CSV defined as $Shares
    # Set CSV export location using $OutFile variable
    # -------------- End Description
    # -------------- Begin Script
    # Input variables: one row per share, with UNCPath and CSVFile columns
    $CsvFile = "path-to-file-or-share.csv"
    $FolderPath = Split-Path -Parent $CsvFile
    $Shares = Import-Csv -Path $CsvFile
    foreach ($Share in $Shares) {

        # Defines output file name, location and headers (a fresh file per run)
        $OutFile = Join-Path -Path $FolderPath -ChildPath $Share.CSVFile
        $Header = "FolderPath,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
        Remove-Item $OutFile -ErrorAction SilentlyContinue
        Add-Content -Value $Header -Path $OutFile

        # Carry out main script operations: every folder under the share, one row per ACE
        $Folders = Get-ChildItem $Share.UNCPath -Recurse | Where-Object { $_.PSIsContainer -eq $true }
        foreach ($Folder in $Folders) {
            $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
            foreach ($ACL in $ACLs) {
                # The folder path is quoted so a comma in a folder name does not break the CSV
                $OutInfo = "`"" + $Folder.FullName + "`"," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
                Add-Content -Value $OutInfo -Path $OutFile
            }
        }
    }
    # -------------- End Script

    This needs a base list of shares to kick it off (shares.csv) which can either be full UNC paths, or SMB shares. As long as the shell can get to the file, all good.

    Edit: You could replace the Get-ACL section with an ICACLS command, which might make re-applying permissions a bit easier! Get-ACL seems to dump out perms in a weird way.

    #33551
    Greg Dent
    Participant

    You could then use this to write new perms back – it requires some Excel/CSV manual buggery though...

    It's where ICACLS comes into its own...

    # Parse a CSV and set file system permissions using ICACLS
    $csv = Import-Csv "D:\test-csv.csv"
    foreach ($folder in $csv) {
        $file  = $folder.Path
        $perm  = $folder.FileSystemRights   # must be an icacls right such as F, M, RX, R, W or D
        $group = $folder.IdentityReference  # e.g. DOMAIN\GroupName
        Write-Host "Applying permissions to:" $file
        # /t applies the grant to the path and to every file and folder below it
        icacls $file /grant "$($group):$perm" /t
    }

    Description: Parse a CSV and set file system permissions using ICACLS.
    Requires the CSV to be created with paths, security groups and FS rights as per the field names below:

    Path,FileSystemRights,IdentityReference

    You can also run this on folders rather than individual files.
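An added example (not Greg's script, not from this thread) that does the identity remapping Ron asked for on top of the ICACLS write-back: it translates the "Modify, Synchronize" style rights strings that Get-Acl exports into icacls simple rights, rewrites olddomain\ principals to the new domain using a rename table for groups, and grants one inheritable ACE per folder instead of stamping every child with /t. The domain names, the group map and the CSV path are assumptions.

```powershell
# Added example, not Greg's script: apply a CSV row with icacls while remapping
# old-domain identities to the new domain. Domain names and the group map are assumptions.
$OldDomain = 'olddomain'
$NewDomain = 'newdomain'
$GroupMap  = @{ 'accessgroup' = 'GPaccessgroup' }   # renamed groups; users keep their names
$Apply     = $false                                  # $false prints the command, $true runs it

function ConvertTo-IcaclsRights {
    param([string]$FileSystemRights)
    # Get-Acl exports rights such as "Modify, Synchronize"; icacls uses its own simple-rights letters
    $map = @{ FullControl = 'F'; Modify = 'M'; ReadAndExecute = 'RX'; Read = 'R'; Write = 'W'; Delete = 'D' }
    $letters = foreach ($r in ($FileSystemRights -split ',\s*')) {
        if ($r -eq 'Synchronize') { continue }        # implied by every simple right
        if (-not $map.ContainsKey($r)) { throw "No icacls simple right for '$r' (numeric/generic masks need manual review)" }
        $map[$r]
    }
    if (@($letters).Count -ne 1) { throw "Cannot express '$FileSystemRights' as one icacls simple right" }
    @($letters)[0]
}

function ConvertTo-NewIdentity {
    param([string]$IdentityReference)
    # Built-in and well-known principals are not re-created under the new domain
    if ($IdentityReference -match '^(NT AUTHORITY|BUILTIN|CREATOR OWNER|S-1-)') { return $null }
    $domain, $name = $IdentityReference -split '\\', 2
    if ($domain -ne $OldDomain -or -not $name) { return $null }   # only old-domain accounts are remapped
    if ($GroupMap.ContainsKey($name)) { $name = $GroupMap[$name] }
    "$NewDomain\$name"
}

foreach ($row in (Import-Csv 'D:\test-csv.csv')) {   # columns: Path,FileSystemRights,IdentityReference
    $newId = ConvertTo-NewIdentity $row.IdentityReference
    if (-not $newId) { Write-Warning "Skipping $($row.IdentityReference) on $($row.Path)"; continue }
    $rights = ConvertTo-IcaclsRights $row.FileSystemRights
    # (OI)(CI) makes the single ACE on the folder inheritable by its whole tree, so no /t is needed
    $grant = "${newId}:(OI)(CI)$rights"
    Write-Host "icacls `"$($row.Path)`" /grant `"$grant`""
    if ($Apply) { icacls $row.Path /grant $grant }
}
```

Run it once with $Apply left at $false and review the printed commands before switching it to $true.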

    #33552
    Dan Potter
    Participant

    Doesn't the /SEC switch of Robocopy preserve the ACLs?

    #33580
    Ron Bakker
    Participant

    Hi all, thanks for all your help so far.

    Basically it comes to this :
    We have a file server in an "old" environment and all data needs to be copied to a new fileserver in another domain.
    For the time being, users will still be logged on to the old domain and need to have access to the new destination. There is a 2 way transitive trust between the 2 domains.
    For the copying part we will make use of Robocopy and will also copy the "old" access structure.

    What I need at that time is a script that reads the ACLs from the old environment and exports them to a file.
    The file will be modified and access groups and users from the new domain will be added in a separate column.
    After the modification, this file will be used for setting the extra access on the new environment, so that users who receive a new PPT for the new domain will be able to access the same files using their new accounts and also be able to use an old PPT to do the same.

    Or, to make it much more simple, edit the output file and replace the old domain name and group names with the new ones and then use this file to set the new access.

    #33593
    Ron Bakker
    Participant

    As an addition to this, I used the following command to export the ACL to a text file :

    Get-AccessControlEntry h:\* | Export-Csv c:\testexp.txt

    The output looks like this when imported into Excel :

    OnlyApplyToThisContainer Principal AppliesTo DisplayName Path InheritedFrom AceType AccessMaskDisplay InheritanceString BinaryLength AceQualifier IsCallback OpaqueLength AccessMask SecurityIdentifier AceFlags IsInherited InheritanceFlags PropagationFlags AuditFlags
    FALSE OLD DOMAIN\aabraham Object, ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM AccessAllowed Modify, Synchronize DACL Inheritance: Enabled 36 AccessAllowed FALSE 0 1245631 S-1-5-21-3951573582-877270986-3148829186-11265 ObjectInherit, ContainerInherit FALSE ContainerInherit, ObjectInherit None None
    FALSE Account Unknown (S-1-5-21-3951573582-877270986-3148829186-15619) Object H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 36 AccessAllowed FALSE 0 2032127 S-1-5-21-3951573582-877270986-3148829186-15619 Inherited TRUE None None None
    FALSE CREATOR OWNER ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 20 AccessAllowed FALSE 0 2032127 S-1-3-0 ObjectInherit, ContainerInherit, InheritOnly, Inherited TRUE ContainerInherit, ObjectInherit InheritOnly None
    FALSE NT AUTHORITY\SYSTEM Object, ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 20 AccessAllowed FALSE 0 2032127 S-1-5-18 ObjectInherit, ContainerInherit, Inherited TRUE ContainerInherit, ObjectInherit None None
    FALSE OLD DOMAIN\OLD GROUP Object, ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 36 AccessAllowed FALSE 0 2032127 S-1-5-21-3951573582-877270986-3148829186-20671 ObjectInherit, ContainerInherit, Inherited TRUE ContainerInherit, ObjectInherit None None
    FALSE BUILTIN\Administrators Object, ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 24 AccessAllowed FALSE 0 2032127 S-1-5-32-544 ObjectInherit, ContainerInherit, Inherited TRUE ContainerInherit, ObjectInherit None None
    FALSE OLD DOMAIN\Domain Admins Object, ChildContainers, ChildObjects H:\AABRAHAM H:\AABRAHAM H:\ AccessAllowed FullControl DACL Inheritance: Enabled 36 AccessAllowed FALSE 0 2032127 S-1-5-21-3951573582-877270986-3148829186-512 ObjectInherit, ContainerInherit, Inherited TRUE ContainerInherit, ObjectInherit None None

    Now what I would like to do is replace the OLD DOMAIN and OLD GROUP values with the ones from the new domain (usernames stay the same) without taking the SecurityIdentifier value into it, because that one will differ.
    So what I still need is a script that can, after the above mentioned modifications, take this file as an input file and add the new values to the new location.
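An added example (not Ron's or Greg's code, not from this thread) for the write-back script requested in the opening post and again here: it reads the Get-AccessControlEntry export shown above, ignores the SecurityIdentifier column entirely (the numeric AccessMask carries the rights), re-creates only the explicit, non-inherited ACEs with the OLD DOMAIN principals rewritten to the new domain, and adds them beside the old-domain ACEs that Robocopy copied. The domain names, the group rename map, the old and new root paths and the CSV path are assumptions.

```powershell
# Added example, not from the thread: re-create the explicit (non-inherited) ACEs from a
# Get-AccessControlEntry export on the migrated copy, with old-domain principals remapped.
# Domain names, the group map, the root paths and the CSV path are assumptions.
$OldDomain = 'OLD DOMAIN'
$NewDomain = 'NEW DOMAIN'
$GroupMap  = @{ 'OLD GROUP' = 'NEW GROUP' }   # renamed groups; user names stay the same
$OldRoot   = 'H:\'
$NewRoot   = '\\newserver\users\'
$Apply     = $false                           # $false only reports what would change

function ConvertTo-NewAccessRule {
    param($Row)
    # Inherited ACEs flow down from the parent again on the new server; only explicit ones are re-created
    if ([bool]::Parse($Row.IsInherited)) { return $null }
    # Built-in, well-known and orphaned (Account Unknown / raw SID) principals are left alone
    if ($Row.Principal -match '^(NT AUTHORITY|BUILTIN|CREATOR OWNER|Account Unknown|S-1-)') { return $null }
    $domain, $name = $Row.Principal -split '\\', 2
    if ($domain -ne $OldDomain -or -not $name) { return $null }
    if ($GroupMap.ContainsKey($name)) { $name = $GroupMap[$name] }
    # AccessMask is the numeric rights value, so the SecurityIdentifier column is never needed
    # (1245631 = Modify, Synchronize; 2032127 = FullControl)
    $rights  = [System.Security.AccessControl.FileSystemRights][int]$Row.AccessMask
    $inherit = [System.Security.AccessControl.InheritanceFlags]$Row.InheritanceFlags
    $prop    = [System.Security.AccessControl.PropagationFlags]$Row.PropagationFlags
    $type    = if ($Row.AceType -eq 'AccessDenied') { 'Deny' } else { 'Allow' }
    New-Object System.Security.AccessControl.FileSystemAccessRule("$NewDomain\$name", $rights, $inherit, $prop, $type)
}

foreach ($row in (Import-Csv 'C:\testexp.txt')) {
    $rule = ConvertTo-NewAccessRule $row
    if (-not $rule) { continue }
    # Same relative path on the new server
    $target = $row.Path -replace ('^' + [regex]::Escape($OldRoot)), $NewRoot
    Write-Host ("{0}: {1} {2} {3}" -f $target, $rule.IdentityReference, $rule.AccessControlType, $rule.FileSystemRights)
    if ($Apply) {
        $acl = Get-Acl -LiteralPath $target
        $acl.AddAccessRule($rule)    # added next to the old-domain ACE that Robocopy copied
        Set-Acl -LiteralPath $target -AclObject $acl
    }
}
```

On the sample export above only the H:\AABRAHAM row for OLD DOMAIN\aabraham is explicit, so the run reports one Modify ACE for NEW DOMAIN\aabraham and skips the inherited and built-in entries.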

    #33623
    Greg Dent
    Participant

    In that case, the first script I posted does exactly that. Your scenario is not too different to ours 🙂

    It works primarily to pull off group names, disregarding the IDs. All I did to write the new groups back to the folder structure was do some formulas in Excel to duplicate and update the old group names with the corresponding new group names in the other domain, then use the second script to write them back.
