Migrating users NTFS permissions from one domain to another with different user accounts


So you have two domains, an old one and a new one. You want to migrate your old user accounts to new accounts on the new domain, but you also need to carry across the file permissions on your file servers, which do not yet have the new accounts on them. Furthermore, you are not following a decent role-based process to manage access; instead you have 70325789342057834 folders, each with an individual account, and inheritance blocked at random places more times than a hummingbird flaps its wings in a lifetime.

Fear not, PowerShell is coming to the rescue.

There are a number of steps that are needed for migrating the file services. These are basically:

1. Export current file permissions using PowerShell
2. Organise the CSV file to remove legacy account information
3. Use the spreadsheet for old/new username mapping to update the CSV
4. Use another PowerShell script to update permissions.

Once these steps are complete then the permissions will be applied to the files and folders in question.

Ntfspermissions.ps1
$OutFile = "C:\qa.csv"
$Header = "Folder,User,Permissions"
# Start from an empty file (ignore the error if it does not exist yet)
Remove-Item $OutFile -ErrorAction SilentlyContinue
Add-Content -Value $Header -Path $OutFile

$RootPath = "\\myfileserver\qa"

# Every folder under the root; files are skipped
$Folders = Get-ChildItem $RootPath -Recurse | Where-Object { $_.PSIsContainer -eq $true }

foreach ($Folder in $Folders) {
    $ACLs = Get-Acl $Folder.FullName | ForEach-Object { $_.Access }
    foreach ($ACL in $ACLs) {
        # Quote each field: FileSystemRights values such as "Modify, Synchronize" contain commas
        $OutInfo = '"' + $Folder.FullName + '","' + $ACL.IdentityReference + '","' + $ACL.FileSystemRights + '"'
        Add-Content -Value $OutInfo -Path $OutFile
    }
}

Now that we have the CSV file, we can use the VLOOKUP function in Excel to replace each old account with its new one. All you need is a list that maps the old user accounts to the new user accounts. Update qa.csv with the new names and you have a CSV to work from. Next we import it:

$permissions = Import-Csv C:\qa.csv
ForEach ($line in $permissions)
{
    $acl = Get-Acl $line.Folder
    Write-Host $line.Folder
    # Blocks inheritance and removes the inherited entries (see the note below)
    $acl.SetAccessRuleProtection($True, $False)
    # Grants the mapped account FullControl on the folder and everything beneath it;
    # the Permissions column of the CSV is not used here
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($line.User, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl $line.Folder $acl
}

Run this script (and remember to set the execution policy first, i.e. Set-ExecutionPolicy Unrestricted).

One thing to note, because it can alter your file permissions and change your inheritance:

$acl.SetAccessRuleProtection($True, $False)

The SetAccessRuleProtection value accepts 2 Boolean inputs:

isProtected
True – Protect rules from being changed by inheritance
False – Allow inheritance to change the rules

preserveInheritance
True – Preserve inheritance
False – Remove inherited rules

isProtected is the first value, which is $True, and preserveInheritance is the second value, which is $False. This is essentially the same as blocking inheritance and removing the inherited permissions from the folder. This might not be the desired outcome, so you may want to change the values to $False, $True if you want to keep the existing permissions with inheritance, or even $True, $True if you want to copy the inherited permissions onto the folder as explicit entries but block further inheritance.
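A combined export-and-reapply script, added here as an example and not the post's own code: it keeps each ACE's rights, inheritance and propagation flags and Allow/Deny type instead of hard-coding FullControl, skips inherited entries so the existing inheritance is left untouched, remaps the principal through a separate old-to-new account CSV, and only reports until run with -Apply. The share path, the mapping file name and its OldUser/NewUser columns are assumptions.

```powershell
# Added example: back up explicit ACEs, then re-add each one under the mapped new account.
param(
    [string]$RootPath   = '\\myfileserver\qa',     # assumed root share
    [string]$MapFile    = 'C:\accountmap.csv',     # assumed: columns OldUser,NewUser (DOMAIN\name)
    [string]$BackupFile = 'C:\qa-acl-backup.csv',  # assumed backup location
    [switch]$Apply                                 # without -Apply nothing is changed
)

# Old -> new account lookup, keyed case-insensitively
$map = @{}
Import-Csv -LiteralPath $MapFile | ForEach-Object { $map[$_.OldUser.ToLowerInvariant()] = $_.NewUser }

$folders = @(Get-Item -LiteralPath $RootPath) +
           @(Get-ChildItem -LiteralPath $RootPath -Recurse | Where-Object { $_.PSIsContainer })

# Back up the explicit ACEs before touching anything. Export-Csv quotes its fields,
# so multi-valued rights such as "Modify, Synchronize" survive a round trip.
$backup = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if ($ace.IsInherited) { continue }          # re-derived from the parent, do not copy
        [pscustomobject]@{
            Folder            = $folder.FullName
            Identity          = $ace.IdentityReference.Value
            Rights            = $ace.FileSystemRights
            InheritanceFlags  = $ace.InheritanceFlags
            PropagationFlags  = $ace.PropagationFlags
            AccessControlType = $ace.AccessControlType   # Allow or Deny, preserved as-is
        }
    }
}
$backup | Export-Csv -LiteralPath $BackupFile -NoTypeInformation

foreach ($entry in $backup) {
    $newUser = $map[$entry.Identity.ToLowerInvariant()]
    if (-not $newUser) { continue }                 # groups, SYSTEM, orphaned SIDs: not mapped, left alone
    # Same rights, flags and Allow/Deny type as the old ACE; only the principal changes
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $newUser, $entry.Rights, $entry.InheritanceFlags, $entry.PropagationFlags, $entry.AccessControlType)
    Write-Host "$($entry.Folder): $($entry.Identity) -> $newUser ($($entry.AccessControlType) $($entry.Rights))"
    if ($Apply) {
        $acl = Get-Acl -LiteralPath $entry.Folder
        # SetAccessRuleProtection is deliberately not called: inheritance stays as it was
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $entry.Folder -AclObject $acl
    }
}
```

Run it once without -Apply and compare the reported lines against the backup CSV before applying; the old account's ACE is intentionally left in place so access can be verified under the new account before the old one is removed.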

Hope this helps


    Frank said:
    August 12, 2015 at 3:37 pm

    The import part doesn’t work at all, only a bunch of errors.
    Cannot process argument because the value of argument “name” is invalid….

    Frank said:
    August 12, 2015 at 3:56 pm

    Also this script only grants the user FULL CONTROL access and does not match what’s in the CSV file.

      wortontech responded:
      February 26, 2016 at 4:08 pm

      Not so for me. My script managed to move all of the correct permissions over.

    Marek said:
    February 15, 2016 at 4:34 pm

    The Set-Acl script will not migrate existing permissions but changes them on all folders to Full Control:

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($line.user, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

    Elshandra said:
    February 26, 2016 at 12:04 am

    Unless I’m mistaken, you’re completely ignoring the AccessControlType property (Allow or Deny). You might want to fix that ;o).
    I’m about to do something similar on one of our domains (but with groups vs users), but I need to also consider Propagation, Inheritance & AccessControlType. We almost never use deny, but if we do, it’s for a very good reason, and we don’t want it becoming Allow ;o).

      wortontech responded:
      February 26, 2016 at 4:01 pm

      Yes, that’s right; however, this can be included too, but I didn’t need to do this. I had to sort out ownership of the folders and groups too because some of the inheritance was blocked.
