Hi Lee,
I tested using icacls.exe to replace the SIDs using the /substitute parameter and found it actually results in the following errors:
C:\>icacls.exe <%uncpath%> /substitute S-1-5-21-3567637-1906459281-1427260136-1555232 S-1-5-21-3150332139-2813398079-754052488-1113
what? Flags == 10000000
Successfully processed 0 files; Failed processing 0 files
So I tried combining it with the /restore parameter, resulting in the following error:
C:\>icacls.exe <%uncpath%> /save "C:\temp\folder.acl"
processed file: <%uncpath%>
Successfully processed 1 files; Failed processing 0 files
C:\>icacls.exe <%uncpath%> /substitute "S-1-5-21-3150332139-2813398079-754052488-1113" "S-1-5-21-3567637-1906459281-1427260136-1555232" /restore C:\temp\folder.acl
S-1-5-21-3150332139-2813398079-754052488-1113: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files
So I turned to the old-school method using cacls.exe (deprecated but still works):
/S Displays the SDDL string for the DACL.
/S:SDDL Replaces the ACLs with those specified in the SDDL string
You can use the /S:<SDDL> parameter to edit the SDDL (replacing the new SID with the old one).
E.g.:
List the SDDL
C:\>cacls.exe <%uncpath%> /S
<%uncpath%> "D:ARAI(A;OICI;0x1301bf;;;S-1-5-21-3567637-1906459281-1427260136-1555232)(A;OICI;FA;;;S-1-5-21-3150332139-2813398079-754052488-1112)(A;OICI;FA;;;BA)(A;ID;FA;;;WD)(A;OICIIOID;GA;;;WD)"
Now modify the SDDL (replacing the old SID "S-1-5-21-3567637-1906459281-1427260136-1555232" with the new SID "S-1-5-21-3150332139-2813398079-754052488-1113"):
C:\>cacls.exe <%uncpath%> /S:"D:ARAI(A;OICI;0x1301bf;;;S-1-5-21-3150332139-2813398079-754052488-1113)(A;OICI;FA;;;S-1-5-21-3150332139-2813398079-754052488-1112)(A;OICI;FA;;;BA)(A;ID;FA;;;WD)(A;OICIIOID;GA;;;WD)"
Are you sure (Y/N)?Y
processed dir: <%uncpath%>
And if you wanted to automate this, just pipe "echo Y" into the cacls.exe command. E.g.:
C:\>echo Y|cacls.exe <%uncpath%> /S:"D:ARAI(A;OICI;0x1301bf;;;S-1-5-21-3150332139-2813398079-754052488-1113)(A;OICI;FA;;;S-1-5-21-3150332139-2813398079-754052488-1112)(A;OICI;FA;;;BA)(A;ID;FA;;;WD)(A;OICIIOID;GA;;;WD)"
Are you sure (Y/N)?processed dir: <%uncpath%>
This would make it really easy to update the ACLs for your home directories if you batch them together replacing source\target SIDs. So you could either create a batch file to do this or use PowerShell to edit the ACLs. Hope that helps.
/matt
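The batch idea from the post above, as an added PowerShell example (not the poster's code): it rewrites one trustee SID in the DACL SDDL of each folder directly under a root, matching the SID only where it is a complete ACE field so that a neighbouring SID sharing the same prefix is left alone. The parameter names, the use of Get-Acl/Set-Acl in place of cacls.exe, and running it as an account allowed to change permissions on the folders are assumptions of this example.

```powershell
# Added example: replace one trustee SID with another in the DACL of every
# folder directly under $Root. Parameter names are assumptions of this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Root,
    # Casting to SecurityIdentifier rejects malformed SID strings up front
    [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $OldSid,
    [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $NewSid
)

# Read and write only the DACL ("D:..."), not owner, group or SACL
$dacl = [System.Security.AccessControl.AccessControlSections]::Access

# In an ACE the trustee SID is preceded by ';' and followed by ')' (or by ';'
# when a conditional expression follows), so anchor the match on both sides.
$pattern = '(?<=;)' + [regex]::Escape($OldSid.Value) + '(?=[;)])'

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $path   = $dir.FullName
    $acl    = Get-Acl -LiteralPath $path
    $before = $acl.GetSecurityDescriptorSddlForm($dacl)
    $after  = [regex]::Replace($before, $pattern, $NewSid.Value)

    if ($after -ceq $before) {
        Write-Verbose "No ACE for $OldSid on $path"
        continue
    }

    # -WhatIf lists the folders that would change without touching them
    if ($PSCmdlet.ShouldProcess($path, "Replace $OldSid with $NewSid in DACL")) {
        $acl.SetSecurityDescriptorSddlForm($after, $dacl)
        Set-Acl -LiteralPath $path -AclObject $acl

        # Emit the old and new SDDL so the change can be logged and reverted
        [pscustomobject]@{ Path = $path; Before = $before; After = $after }
    }
}
```

Run it with -WhatIf first, then pipe the real run to Export-Csv to keep the original SDDL strings for rollback.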