ONTAP Discussions

Windows CIFS

Danfall
3,358 Views

Good Day,

 

Long story short  - Have old Windows 2008 AD with Users Profiles and Home Directories hosted on NetApp using CIFS  with windows security. Created  new windows 2016 AD environment and need to transfer users information to new CIFS environment ( also recently created). Issue  - SIDs of old home/profiles files not known on new CIFS. How to remedy?  Can NetApp Powershell tools be of any help here? How about MS ADMT ( Sid History tool). 

2 REPLIES 2

mbeattie
3,322 Views

Hi Dan,

 

What is the directory structure for your user profiles and home directories on your old server? I'd assume each user has a folder named using their logon name (sAMAccountName)? If so then you could translate the folder name (username) with the users SID in the NTFS permissions. Assuming the logon name in your new domain has not changed (only the SID) then you could create the destination folders for each user and set the NTFS permissions on their new account then robocopy the data without copying permissions from the source. How many users do you have to migrate? It would be possible to script.

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
3,305 Views

Hi Dan,

 

After re-reading your post, I'm assuming you are not migrating storage but have changed domains and need to reconfigure NTFS permissions on the user home directories within the CIFS Share? You can translate the old SIDs from the NTFS permissions on the folder (username). Once you know what the old user SID is compared to the new user SID (assuming logon names have not changed in your new domain) you could then use something like icacls to replace the SID in the NTFS permissions. See

 

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls 

 

icacls <Directory> [/substitute <SidOld> <SidNew>

I do not recommend using SID history. It will come back to haunt you or someone else in future. Set the NTFS permissions and you probably also want to reset the ownership of the data to the new AD user.

 

Here is an example script to list the SID mappings of the users based on the UNC Path using NTFS permissions and LDAP binds. Run the script as a user who has NTFS permissions to read the ACL's.

 

Usage: <%scriptname%> -UncPath <%unc_path%>

 

Param(
   [Parameter(Mandatory = $True, HelpMessage = "The Home directory UNC path")]
   [String]$UncPath
)
#'------------------------------------------------------------------------------
#'Enumerate the folders in the UNC path (user home directories matching their logon name)
#'------------------------------------------------------------------------------
Try{
   $folders = Get-ChildItem -Path $UncPath -ErrorAction Stop | Select-Object -ExpandProperty Name
}Catch{
   Write-Warning -Message $("Failed enumerating folders in ""$UncPath"". Error " + $_.Exception.Message)
   Break
}
#'------------------------------------------------------------------------------
#'Process the user home directory folders and enumerate the ACL's
#'------------------------------------------------------------------------------
[HashTable]$users         = @{}
[HashTable]$usersOrGroups = @{}
[HashTable]$ntfsSids      = @{}
[Int]$i = 0
ForEach($folder In $folders){
   [String]$folderSpec = "$UncPath\$folder"
   Write-Host "Processing folder ""$folderSpec"""
   Do{
      Try{
         $sddl = Get-Acl -Path $folderSpec -ErrorAction Stop | Select-Object -ExpandProperty sddl
      }Catch{
         Write-Warning -Message $("Failed enumerating NTFS permissions for ""$folderSpec"". Error " + $_.Exception.message)
         Break;
      }
      #'------------------------------------------------------------------------
      #'Split the SDDL in the ACL and enumerate the SID 
      #'------------------------------------------------------------------------
      [Array]$sids     = @();
      [Array]$elements = @();
      [Array]$elements = $sddl.Split(")(")
      ForEach($element In $elements){
         If($element -Match "S-1-5-21" -And $element.Contains(";")){
            [Array]$results = $element.Split(";")
            [String]$sid    = $results[$results.GetUpperBound(0)]
            [Array]$sids   += $sid
            Write-Host "Processing SID ""$sid"" in NTFS permissions on ""$folderSpec"""
         }
      }
      #'------------------------------------------------------------------------
      #'Attempt and LDAP bind to the SID
      #'------------------------------------------------------------------------
      ForEach($sid In $sids){
         Do{
            #'------------------------------------------------------------------
            #'Exit if the user or group has been processed (avoid LDAP bind multiple times for group objects)
            #'------------------------------------------------------------------
            If($usersOrGroups.ContainsKey($sid)){
               Break;
            }
            If((-Not([String]::IsNullOrEmpty($sid)))){
               Try{
                  [String]$adsPath = "LDAP://<SID=$sid>"
                  Write-Host "Invoking an LDAP bind to ""$adsPath"""
                  $user     = [ADSI]$adsPath
                  $userName = $user.sAMAccountName
                  If($folder -eq $userName){
                     [HashTable]$users.Add($sid, $userName)
                  }Else{
                     [HashTable]$usersOrGroups.Add($sid, $user.distinguishedName)
                  }
               }Catch{
                  Write-Warning -Message $("Failed binding to SID ""$sid"" in NTFS permissions on UNC Path ""$UncPath"". Error " + $_.Exception.Messgae)
                  [HashTable]$ntfsSids.Add($sid, $folderSpec)
               }
            }
         }Until($True)
      }
      $i = $i + 1
   }Until($True)
}
If($ntfsSids.Count -ne 0){
   Write-Host "Unresolved SID mapping"
   ForEach($key In $ntfsSids.Keys){
      Write-Host $($key + " = " + $ntfsSids[$key])
   }
}
If($users.Count -ne 0){
   Write-Host "User SID mapping"
   ForEach($key In $users.Keys){
      Write-Host $($key + " = " + $users[$key])
   }
}
Write-Host "Processed $i folders in UNC Path ""$UncPath"""
#'------------------------------------------------------------------------------

 

Hope that's useful to get some reports for the basis of resetting NTFS permissions.

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public