Some Issues With Security Permissions
-
Sunday, March 18, 2012 1:35 PM
Hi All
I asked a question in the General Forum and some people told me to ask it here in order to get better help:
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/f8e12b8c-2cce-4fa8-bd6b-bf5f63d6d63a
I did an ADMT migration from a previous domain to a new one and after that I had some problems. I would be thankful for any help.
My domain is a 2008 R2 one, by the way.
The problem is with the NTFS security permissions on my file server, which hosts more than 2 million files (about 2 TB of data).
We have about 500 users with different permissions on different files.
What I am going to do is this:
1- Many of the permissions are duplicated. For example you see john@olddomain.com twice in the ACE. I'd like to remove them.
2- Permissions from the previous domain are still there. I expect the permission to be something like john@newdomain.com, but both are seen in the ACE (john@newdomain.com and john@olddomain.com).
3- I'd like to remove any permissions assigned to users which are now disabled. (Those won't return to the company, so the related ACE is not needed.)
4- There are many ACE entries for users which have been deleted, so the ACE looks like S1-2324-***.
I'd like to delete those entries too, as the users are deleted from AD.
Do I need a script for these to be done, or can I do them via Windows Server itself?
By the way, I have two file servers: one W2K3 SP2 and one Win2K8 R2 (and the domain is 2008 R2 as I told you).
Thanks in advance
I only found the answer to 4. It seems that subinacl can do that, and also a utility named removeunknown which I could not find.
But the other questions are still without an answer to me.
All Replies
-
Sunday, March 18, 2012 2:17 PM
Hi,
Check the links below; they may be helpful to remove duplicate/old domain user entries from the ACE.
http://social.msdn.microsoft.com/Forums/en/isvvba/thread/651dd943-67e1-4d4b-a74e-253f2b49ddd7
http://support.microsoft.com/kb/318754/
If the above does not help, you may post this query in the Scripting Forum: http://social.technet.microsoft.com/Forums/en/ITCG/threads
For the SIDs (S-1-5-21-34) of unknown accounts, check this thread: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e39575d9-794a-4e84-9ce3-808c1d07502f
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Proposed As Answer by Mr XMVP Sunday, March 18, 2012 8:57 PM
-
Monday, March 19, 2012 1:12 PM
Hello,
You can use the SetACL tool (it is also a free tool). SetACL was created by Helge Klein (MVP).
Download link:
SetACL: Windows ACL management
Examples:
Managing File System Permissions with SetACL.exe
Now back to your problem; use this command (example for the Share folder):
SetACL.exe -on "C:\Share" -ot file -dom "n1:OLD-DOMAIN;da:remdom;w:sacl,dacl" -actn domain -rec cont_obj
Quick description:
-on is the name of the object
-ot is the data type (here: files and folders; SetACL can also handle the registry, printers, etc.)
-dom refers to activities with domain related permissions
da:remdom removes the permissions for the specified domain n1
-actn actually performs the specified action
-rec enables recursion so that all child objects are edited
For clearing sIDHistories, Microsoft has a VBScript; see also KB295758.
How To Use Visual Basic Script to Clear SidHistory
You can also use PowerShell to remove sIDHistories.
How To Remove SID History With PowerShell - Ashley McGlone (MSFT)
As additional info, you can use the AdFind and AdMod tools to clear sIDHistories in a domain. AdFind & AdMod were created by Joe Richards (MVP).
Clearing all sIDHistories in a domain
Regards
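The SetACL command above strips every ACE that belongs to OLD-DOMAIN in a single pass. As an added example (written for this thread; it is not code from the thread, from SetACL or from Microsoft), the following PowerShell script takes a report-first approach to all four points of the original question: it walks a tree, classifies each ACE as orphaned (a SID Windows cannot resolve, point 4), old-domain (a SID under a given domain SID prefix, point 2), disabled (an account disabled in AD, point 3) or a duplicate name carried by a second SID (point 1), and removes only the explicit ACEs in the first three classes unless run with -WhatIf. Everything in it is assumed rather than taken from the thread: the parameter names, the Get-AceSid helper, the placeholder value for the old domain SID (replace it with the real domain SID) and the use of the ActiveDirectory module, which is only loaded for the -IncludeDisabled check.

```powershell
<#
Added example: audit and clean NTFS ACEs after a domain migration. Not code from this
thread, from SetACL or from Microsoft. Assumptions: $OldDomainSid is a placeholder you
replace with the real domain SID of the old domain; the ActiveDirectory module is needed
only for -IncludeDisabled; the account running this can read and write the DACLs.
Run with -WhatIf first: you get the full report and no ACL is changed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    # Placeholder: use the value of (Get-ADDomain -Identity old.com).DomainSID
    [string] $OldDomainSid = 'S-1-5-21-PLACEHOLDER-OLD-DOMAIN',
    [switch] $IncludeDisabled
)

# SIDs of disabled accounts in the current domain (optional; needs RSAT / ActiveDirectory module)
$disabledSids = @{}
if ($IncludeDisabled) {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter 'Enabled -eq $false' | ForEach-Object {
        $disabledSids[$_.SID.Value] = $_.SamAccountName
    }
}

function Get-AceSid {
    # Returns the ACE's SID as a string; an orphaned ACE already carries a raw SID.
    param([System.Security.AccessControl.FileSystemAccessRule] $Ace)
    try { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Ace.IdentityReference.Value }
}

# The root itself plus everything below it, streamed so 2 million files never sit in memory at once
& { Get-Item -LiteralPath $Path -Force; Get-ChildItem -LiteralPath $Path -Recurse -Force } | ForEach-Object {
    $item = $_
    try { $acl = Get-Acl -LiteralPath $item.FullName }
    catch { Write-Warning "Cannot read ACL on $($item.FullName): $_"; return }

    $seen = @{}        # resolved name -> SID, to spot the same user appearing under two SIDs
    $toRemove = @()
    foreach ($ace in $acl.Access) {
        $sid  = Get-AceSid $ace
        $name = $ace.IdentityReference.Value
        $reasons = @()
        # 4) deleted user: Windows could not resolve the SID to a name
        if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) { $reasons += 'Orphaned' }
        # 2) entry from the old domain: its SID sits under the old domain's SID prefix
        if ($sid -like "$OldDomainSid-*") { $reasons += 'OldDomain' }
        # 3) user disabled in the current domain
        if ($disabledSids.ContainsKey($sid)) { $reasons += 'Disabled' }
        # 1) same display name already seen with a different SID (typically sIDHistory); report only
        if ($seen.ContainsKey($name) -and $seen[$name] -ne $sid) { $reasons += 'DuplicateName' }
        $seen[$name] = $sid

        if ($reasons.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Path      = $item.FullName
            Identity  = $name
            Sid       = $sid
            Inherited = $ace.IsInherited
            Reasons   = ($reasons -join ',')
        }
        # Only explicit ACEs can be removed here; inherited ones must be fixed on the parent.
        # DuplicateName alone is never a removal reason: the old-domain copy is caught by OldDomain.
        $removable = @($reasons | Where-Object { $_ -ne 'DuplicateName' })
        if ($removable.Count -gt 0 -and -not $ace.IsInherited) { $toRemove += $ace }
    }

    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($item.FullName, "Remove $($toRemove.Count) ACE(s)")) {
        foreach ($ace in $toRemove) { $acl.RemoveAccessRuleSpecific($ace) }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

A first run such as `.\Clean-MigratedAces.ps1 -Path D:\Share -OldDomainSid S-1-5-21-... -IncludeDisabled -WhatIf | Export-Csv report.csv` produces the per-ACE report without touching a single ACL; the same command without -WhatIf performs the removals. The script leaves owner SIDs alone and reports inherited entries without changing them, since those can only be corrected on the object where they are explicit. SetACL remains the faster tool for the bulk old-domain removal; the value of the script is the per-ACE report and the orphaned and disabled categories, which the SetACL one-liner does not cover.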
-
Sunday, March 25, 2012 7:01 AM
ok
My problems are never going to end.
As a matter of fact, this mess is because the previous network guy at the company had done an exact copy (using Acronis) to serve people in another building, so the domain SIDs were the same.
So we had to do an ADMT to a new domain to be able to establish a trust between people in these two buildings (they were one company last year but they are now two separate companies).
anyway
This is my problem now:
Assume John was a man in the company last year, so there is a john@olddomain.com.
Now John works for us. We did keep SID history in ADMT (which I think was wrong) and now John is also at john@new-domain.com
and there is a trust between olddomain.com and newdomain.com.
So in many folders we see both permissions (john@old and john@new) and it takes about 3 seconds for ACLs to be displayed.
I think the problem is that john@olddomain still exists, so the SID goes through the trust to the old domain and gets resolved with the same name.
Look at this:
As you see, the user al.heidari has two ACE entries (this pic is done using the Security Explorer demo version).
The SID 1-5-21-1661** is our domain but the 1509** is not ours.
So any help to correct this mess will be appreciated,
and most of all I'd like to delete all entries in all files related to the 1509*** SID.
I did not find a switch in subinacl; is there any?
Are those links (clean sidhistory) helpful in this regard?
As a matter of fact I did not get much out of those.
I mean I could not find how to use this syntax in my case:
cscript.exe ClearSidHistory.vbs -n=My Contact
cscript.exe ClearSidHistory.vbs -n=Computer1 -o=computer
cscript.exe ClearSidHistory.vbs -n=James Smith -o=Person -c=user
-
Friday, March 30, 2012 12:46 PM
Let me simplify my question:
I have a file server whose files have the previous SID of users in the NTFS permissions
(NTFS entries are doubled: OLD and NEW domain, SID of users in both).
Assuming the file server name is MyFileServer, the OLD domain is old.com and the NEW one is New.com:
How should I use this script to delete the SID history of the old domain (the second entry in the NTFS permissions related to the old SID)?
http://support.microsoft.com/kb/295758/en-us
Thanks
-
Wednesday, April 04, 2012 12:34 AM
Hello,
Please read my post again.
You can use the SetACL tool (it is also a free tool). SetACL was created by Helge Klein (MVP).
Download link:
SetACL: Windows ACL management
Examples:
Managing File System Permissions with SetACL.exe
Now back to your problem; use this command (example for the Share folder):
SetACL.exe -on "C:\Share" -ot file -dom "n1:OLD-DOMAIN;da:remdom;w:sacl,dacl" -actn domain -rec cont_obj
Quick description:
-on is the name of the object
-ot is the data type (here: files and folders; SetACL can also handle the registry, printers, etc.)
-dom refers to activities with domain related permissions
da:remdom removes the permissions for the specified domain n1
-actn actually performs the specified action
-rec enables recursion so that all child objects are edited
For clearing sIDHistories, Microsoft has a VBScript; see also KB295758.
How To Use Visual Basic Script to Clear SidHistory
You can also use PowerShell to remove sIDHistories.
How To Remove SID History With PowerShell - Ashley McGlone (MSFT)
As additional info, you can use the AdFind and AdMod tools to clear sIDHistories in a domain. AdFind & AdMod were created by Joe Richards (MVP).
Clearing all sIDHistories in a domain
Regards