Some NTFS Security Problems After ADMT
Hi! I did an ADMT from a previous domain to a new one, and after that I had some problems. I would be thankful for any help. My domain is a 2008 R2 one, by the way.

The problem is with NTFS security permissions on my file server, which hosts more than 2 million files (about 2 TB of data). We have about 500 users with different permissions on different files. What I am going to do is this:

1- Many of the permissions are duplicated. For example, you see john@olddomain.com twice in the ACE. I would like to remove them.
2- Permissions of the previous domain are still there. I expect the permission to be something like john@newdomain.com, but both are seen in the ACE (john@newdomain.com and john@olddomain.com).
3- I would like to remove any permissions assigned to users which are now disabled. (Those won't return to the company, so the related ACE is not needed.)
4- There are many ACE entries for users which have been deleted, so the ACE looks like S1-2324-***. I would like to delete those entries too, as the users are deleted from AD.

Do I need any script for these to be done, or can I do them via Windows Server itself? By the way, I have two file servers: one W2K3 SP2 and one Win2K8 R2 (and the domain is 2008 R2, as I told you).

Thanks in advance
March 16th, 2012 8:47am

I only found the answer to 4. It seems that subinacl can do that, and also a utility named removeunknown, which I could not find. But the other questions are still without an answer to me.
March 16th, 2012 11:19am

Hello, I have very little experience in using ADMT, so I won't be able to comment more on your questions. However, I would suggest you post your questions in the Directory Services sub forum, providing this thread as a reference, where you would be likely to get more help: http://social.technet.microsoft.com/Forums/en/winserverDS/threads

Also, refer to a similar discussion which might give you some information: Security translation with ADMT 3, http://forums.techarena.in/windows-server-help/629852.htm

Thanks

This posting is provided "AS IS" with no warranties or guarantees and confers no rights. Most of the downtimes are caused because of SysAdmin's curiosity! - Santosh
March 17th, 2012 5:57am

Hello,

First of all, how have you done the ADMT migration? To conserve permissions, you have to consider migrating the SID History and disabling SID filtering between both domains. If you have not done that, then consider re-migrating all user accounts with SID migration. This is the Microsoft official guide for ADMT: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19188

Note that if a user is deleted or disabled, then he will not be able to access the folder even if the permission is still there. Just note that if SID spoofing occurs in the new AD domain, then the user with the spoofed SID will be able to access the folder (this will not occur if SID filtering is enabled). Entries where you see only SIDs should be for deleted users.

For cleanup operations, it will be better to do them by scripts unless you want to do that manually on 2 million files. For scripting questions, ask them here: http://social.technet.microsoft.com/Forums/en-US/category/scripting

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
March 17th, 2012 1:17pm
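An added example (not from any poster in this thread) of the kind of scripted audit suggested above: it reads one object's SDDL and reports explicit ACEs that are repeated, issued by the old domain, or no longer resolve to a name, which corresponds to items 1, 2 and 4 of the original question. `Get-AceFinding` is a hypothetical helper name, the SID and SDDL at the bottom are constructed sample values, and nothing is modified.

```powershell
# Added example, report-only: classifies explicit ACEs and changes nothing.
function Get-AceFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $Sddl,          # e.g. (Get-Acl $path).Sddl
        [Parameter(Mandatory = $true)] [string] $OldDomainSid,  # placeholder: old domain's SID
        [string] $Path = '(sample)'
    )
    # RawSecurityDescriptor keeps ACEs exactly as stored, so repeats stay visible.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $seen = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.IsInherited) { continue }   # inherited ACEs are fixed at the parent
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        $findings = @()

        # Item 1: same SID, type, mask and flags already seen on this object
        $key = '{0}|{1}|{2}|{3}' -f $sid.Value, $ace.AceType, $ace.AccessMask, $ace.AceFlags
        if ($seen.ContainsKey($key)) { $findings += 'Duplicate' } else { $seen[$key] = $true }

        # Item 2: SID was issued by the old domain
        $dom = $sid.AccountDomainSid
        if ($dom -and $dom.Value -eq $OldDomainSid) { $findings += 'OldDomain' }

        # Item 4: SID no longer resolves to an account name
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch [System.Security.Principal.IdentityNotMappedException] { $name = $null; $findings += 'Unresolved' }
        catch { $name = $null; $findings += 'LookupFailed' }

        if ($findings.Count -gt 0) {
            New-Object PSObject -Property @{
                Path = $Path; Sid = $sid.Value; Account = $name
                Findings = ($findings -join ',')
            }
        }
    }
}

# Constructed sample: one ACE stored twice for a made-up old-domain SID.
$old  = 'S-1-5-21-1111111111-2222222222-3333333333'
$sddl = "D:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;${old}-1105)(A;OICI;0x1200a9;;;${old}-1105)"
Get-AceFinding -Sddl $sddl -OldDomainSid $old
```

An `Unresolved` or `LookupFailed` result can also mean the old domain or its trust is unreachable rather than that the account was deleted, so confirm against AD before removing any entry.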

Hi, you mean to set up the trust again and move all users back and re-migrate them (or maybe just re-migrating them from the old domain is enough)? Is this the only way? Is it hard for the Microsoft guys to provide a tool or script to do this (deleting duplicates and also deleting permissions from another domain)? And as you said, I asked these questions in Directory Services too. Maybe I can find some help there.
March 18th, 2012 9:40am

Hello,

"you mean to setup the trust again and move all users back and remigrate them (or maybe just remigrating them from old domain is enough) is this the only way ?"

If you have not migrated SID History and you want to keep old permissions, then consider re-migrating users with their SID. Details are in the Microsoft guide I already provided. Please read it.

"is this hard for microsoft guys to provide a tool or script to do this ?! (deleting duplicates and also delete permissions from another domain ?)"

For scripting questions, please ask them in the Scripting forum that I already suggested.
March 18th, 2012 5:04pm

"Hi you mean to setup the trust again and move all users back and remigrate them (or maybe just remigrating them from old domain is enough) is this the only way ? is this hard for microsoft guys to provide a tool or script to do this ?! (deleting duplicates and also delete permissions from another domain ?) and as you said i asked this questions in Directory Service Too. Maybe i can find some help there"

Hello,

Please read this link: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/30fd1062-55df-456e-ae63-b99591fa7323

And: this is not hard for MSFT people, but that is your job, and Microsoft has no support for Iran (also, I know you are from Iran and you cannot contact MS Support).

Regards
March 19th, 2012 9:39am

You should try Security Explorer for your problem: http://www.scriptlogic.com/products/security-explorer/

Best regards,
Dubravko Marak
MCP
Blog: Windows Server Administration

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 19th, 2012 10:06am

I have used these guys' software (ScriptLogic), like SecureCopy, and I should say that it is great. In my searches I had found this one (Security Explorer), but unfortunately we are under sanctions and I cannot buy theirs. So I should focus on free and available software and scripts like SetACL and more. Thanks anyway.
March 19th, 2012 11:03am


This topic is archived. No further replies will be accepted.
