Hi Dan,
After re-reading your post, I'm assuming you are not migrating storage but have changed domains and need to reconfigure NTFS permissions on the user home directories within the CIFS Share? You can translate the old SIDs from the NTFS permissions on the folder (username). Once you know what the old user SID is compared to the new user SID (assuming logon names have not changed in your new domain) you could then use something like icacls to replace the SID in the NTFS permissions. See
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
icacls <Directory> [/substitute <SidOld> <SidNew> [...]]
I do not recommend using SID history. It will come back to haunt you or someone else in the future. Set the NTFS permissions, and you probably also want to reset the ownership of the data to the new AD user.
Here is an example script to list the SID mappings of the users based on the UNC path using NTFS permissions and LDAP binds. Run the script as a user who has NTFS permissions to read the ACLs.
Usage: <%scriptname%> -UncPath <%unc_path%>
Param(
    [Parameter(Mandatory = $True, HelpMessage = "The Home directory UNC path")]
    [String]$UncPath
)
#'------------------------------------------------------------------------------
#'Enumerate the folders in the UNC path (user home directories matching their logon name)
#'------------------------------------------------------------------------------
Try{
    $folders = Get-ChildItem -Path $UncPath -Directory -ErrorAction Stop | Select-Object -ExpandProperty Name
}Catch{
    Write-Warning -Message $("Failed enumerating folders in ""$UncPath"". Error " + $_.Exception.Message)
    Return
}
#'------------------------------------------------------------------------------
#'Process the user home directory folders and enumerate the ACLs
#'------------------------------------------------------------------------------
[HashTable]$users = @{}          #'SID -> sAMAccountName where the folder name matches the logon name
[HashTable]$usersOrGroups = @{}  #'SID -> distinguishedName for every other SID that resolves (groups, admins etc)
[HashTable]$ntfsSids = @{}       #'SID -> folder for SIDs that do not resolve (old domain, deleted objects)
[Int]$i = 0
ForEach($folder In $folders){
    [String]$folderSpec = "$UncPath\$folder"
    Write-Host "Processing folder ""$folderSpec"""
    Do{
        Try{
            $sddl = Get-Acl -Path $folderSpec -ErrorAction Stop | Select-Object -ExpandProperty Sddl
        }Catch{
            Write-Warning -Message $("Failed enumerating NTFS permissions for ""$folderSpec"". Error " + $_.Exception.Message)
            Break
        }
        #'------------------------------------------------------------------------
        #'Split the SDDL into its ACEs "(type;flags;rights;object_guid;inherit_guid;sid)" and enumerate the SIDs
        #'------------------------------------------------------------------------
        [Array]$sids = @()
        [Array]$elements = $sddl.Split([Char[]]"()", [StringSplitOptions]::RemoveEmptyEntries)
        ForEach($element In $elements){
            #'Only domain SIDs (S-1-5-21-...) are of interest; well-known SIDs such as BUILTIN\Administrators are skipped
            If($element -Match "S-1-5-21" -And $element.Contains(";")){
                [Array]$results = $element.Split(";")
                [String]$sid = $results[$results.GetUpperBound(0)]
                If($sids -NotContains $sid){
                    [Array]$sids += $sid
                    Write-Host "Processing SID ""$sid"" in NTFS permissions on ""$folderSpec"""
                }
            }
        }
        #'------------------------------------------------------------------------
        #'Attempt an LDAP bind to the SID
        #'------------------------------------------------------------------------
        ForEach($sid In $sids){
            Do{
                #'------------------------------------------------------------------
                #'Exit if the SID has already been processed (avoids repeated LDAP binds for group objects and unresolvable SIDs)
                #'------------------------------------------------------------------
                If($users.ContainsKey($sid) -Or $usersOrGroups.ContainsKey($sid) -Or $ntfsSids.ContainsKey($sid)){
                    Break
                }
                If(-Not [String]::IsNullOrEmpty($sid)){
                    Try{
                        [String]$adsPath = "LDAP://<SID=$sid>"
                        Write-Host "Invoking an LDAP bind to ""$adsPath"""
                        $user = [ADSI]$adsPath
                        [String]$userName = $user.sAMAccountName
                        #'An object that does not exist yields no sAMAccountName; treat that as a failed bind
                        If([String]::IsNullOrEmpty($userName)){
                            Throw "No object found for SID $sid"
                        }
                        If($folder -eq $userName){
                            $users.Add($sid, $userName)
                        }Else{
                            $usersOrGroups.Add($sid, [String]$user.distinguishedName)
                        }
                    }Catch{
                        Write-Warning -Message $("Failed binding to SID ""$sid"" in NTFS permissions on UNC Path ""$UncPath"". Error " + $_.Exception.Message)
                        $ntfsSids.Add($sid, $folderSpec)
                    }
                }
            }Until($True)
        }
        $i = $i + 1
    }Until($True)
}
If($ntfsSids.Count -ne 0){
    Write-Host "Unresolved SID mapping"
    ForEach($key In $ntfsSids.Keys){
        Write-Host $($key + " = " + $ntfsSids[$key])
    }
}
If($users.Count -ne 0){
    Write-Host "User SID mapping"
    ForEach($key In $users.Keys){
        Write-Host $($key + " = " + $users[$key])
    }
}
Write-Host "Processed $i folders in UNC Path ""$UncPath"""
#'------------------------------------------------------------------------------
Hope that's useful to get some reports for the basis of resetting NTFS permissions.
/Matt
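The remapping step described in the post (icacls /substitute, then resetting ownership), as an added example that is not part of the original post: it takes the "old SID = logon name" report the script above produces, resolves each logon name to its SID in the new domain, rewrites the ACL of each home directory and checks that the old SID is gone. The function name Reset-HomeDirAcl, the share path, domain name and SID in the usage call are constructed placeholders.

```powershell
Function Reset-HomeDirAcl{
    [CmdletBinding(SupportsShouldProcess = $True)]
    Param(
        [Parameter(Mandatory = $True)][String]$UncPath,     # share holding the home directories
        [Parameter(Mandatory = $True)][String]$NewDomain,   # NetBIOS name of the new domain
        [Parameter(Mandatory = $True)][HashTable]$OldSidMap # key: old SID, value: sAMAccountName
    )
    $report = @()
    ForEach($oldSid In $OldSidMap.Keys){
        $logon  = $OldSidMap[$oldSid]
        $folder = Join-Path -Path $UncPath -ChildPath $logon
        If(-Not (Test-Path -LiteralPath $folder)){
            Write-Warning "No home directory ""$folder"" for $logon"
            Continue
        }
        # Resolve the unchanged logon name in the new domain to its new SID
        Try{
            $account = New-Object System.Security.Principal.NTAccount($NewDomain, $logon)
            $newSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }Catch{
            Write-Warning "Cannot resolve $NewDomain\$logon in the new domain. $($_.Exception.Message)"
            Continue
        }
        If($PSCmdlet.ShouldProcess($folder, "replace $oldSid with $newSid and set owner")){
            # icacls takes numeric SIDs with a leading '*'; /T recurses, /C continues past errors, /Q is quiet
            & icacls.exe $folder /substitute "*$oldSid" "*$newSid" /T /C /Q
            & icacls.exe $folder /setowner "*$newSid" /T /C /Q
            # Verify on the top-level folder: the old SID must no longer appear in its SDDL
            $sddl = (Get-Acl -LiteralPath $folder).Sddl
            $report += [PSCustomObject]@{
                Folder = $folder; OldSid = $oldSid; NewSid = $newSid
                OldSidGone = (-Not $sddl.Contains($oldSid))
            }
        }
    }
    $report
}
# Dry run with constructed placeholder values; remove -WhatIf to apply the changes
$map = @{ 'S-1-5-21-1111111111-2222222222-3333333333-1105' = 'jdoe' }
Reset-HomeDirAcl -UncPath '\\filer\home$' -NewDomain 'NEWDOMAIN' -OldSidMap $map -WhatIf | Format-Table -AutoSize
```

Run it first with -WhatIf to see which folders and SIDs would be touched, and keep the returned report as the record of which home directories still carry the old SID.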