
What is SubInACL?

A. Microsoft's SubInACL utility, which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en , is a command-line tool that you can use to manage security on files, registry keys, and services; set ownership information; and replace security rights (e.g., change all permissions that domain1\user1 has to domain2\user2). The following example shows how to change the permissions on a file for user Bruce from his account in domain r2demo.test to his account in savilltech.com.

D:\migrated\demor2env01\tomigrate>subinacl /file SupermanvsBatman.jpg /[email protected][email protected]

The above command produced the following output:

D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 2 r2demo\[email protected] with savilltech\[email protected]
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : 1 change(s)

Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg

You can also use the SubInACL utility to replace all SIDs from one domain with their counterparts in another, as the following example and its output show. First, display the current ACL. (In the command below, change /noverbose to /verbose=1 for an easier-to-read list of permissions.)

D:\migrated\demor2env01\tomigrate>subinacl /noverbose /file SupermanvsBatman.jpg /display

========================================================
+File D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg
========================================================
/control=0x0
/owner             =builtin\administrators
/primary group     =r2demo\domain users
/audit ace count   =0
/perm. ace count   =9
/pace =r2demo\administrator     Type=0x0 Flags=0x0  AccessMask=0x1200a9
/pace =builtin\administrators   Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =savilltech\bruce         Type=0x0 Flags=0x0  AccessMask=0x1201bf
/pace =r2demo\clark             Type=0x0 Flags=0x0  AccessMask=0x1f01ff
/pace =r2demo\diana             Type=0x0 Flags=0x0  AccessMask=0x120089
/pace =savilltech\hal2          Type=0x0 Flags=0x0  AccessMask=0x1301bf
/pace =builtin\administrators   Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =system                   Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =builtin\users            Type=0x0 Flags=0x10 AccessMask=0x1200a9

Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg

To change the ACLs, use the following command, which replaces every ACL entry on the file that references domain r2demo with the matching entry for domain savilltech. Note that this command only looks for an account with the same name in the new domain. It does not consult SIDHistory values or mapping tables, which utilities such as Active Directory Migration Toolkit (ADMT) make use of.

D:\migrated\demor2env01\tomigrate>subinacl /file SupermanvsBatman.jpg /changedomain=r2demo=savilltech
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 0 r2demo\administrator with savilltech\administrator
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 3 r2demo\clark with savilltech\clark
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : replace Perm. ACE 4 r2demo\diana with savilltech\diana
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : savilltech\domain users is the new Primary Group
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg replace Primary Group r2demo\domain users with savilltech\domain users
D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg : 4 change(s)
Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : D:\migrated\demor2env01\tomigrate\SupermanvsBatman.jpg

If the command doesn't find an account with the same name in the target domain, it reports error 1337 for that entry and leaves the ACL entry unchanged, so check the output for such errors after a bulk /changedomain run.
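To audit which entries a /changedomain run would touch, and which ones it left behind, here is an added Python example (not part of the original article or of SubInACL) that parses the /noverbose /display output shown above, names the AccessMask values using the standard NTFS right combinations, and lists every owner, primary group and ACE still qualified with the old domain. The sample text is a constructed re-typing of the display output above.

```python
import re
# Constructed sample: the /noverbose /display output quoted above, one field per
# line as subinacl prints it (the page's copy was flattened onto one line).
SAMPLE = r"""
/owner             =builtin\administrators
/primary group     =r2demo\domain users
/pace =r2demo\administrator   Type=0x0 Flags=0x0 AccessMask=0x1200a9
/pace =builtin\administrators Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =savilltech\bruce       Type=0x0 Flags=0x0 AccessMask=0x1201bf
/pace =r2demo\clark           Type=0x0 Flags=0x0 AccessMask=0x1f01ff
/pace =r2demo\diana           Type=0x0 Flags=0x0 AccessMask=0x120089
/pace =savilltech\hal2        Type=0x0 Flags=0x0 AccessMask=0x1301bf
/pace =builtin\administrators Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =system                 Type=0x0 Flags=0x10 AccessMask=0x1f01ff
/pace =builtin\users          Type=0x0 Flags=0x10 AccessMask=0x1200a9
"""
# Standard NTFS access-mask combinations, named as Explorer shows them.
KNOWN_MASKS = {0x1f01ff: "Full control", 0x1301bf: "Modify",
               0x1201bf: "Read & execute + Write (no Delete)",
               0x1200a9: "Read & execute", 0x120089: "Read"}
INHERITED_ACE = 0x10  # ACE flag bit: the entry came from the parent folder
PACE_RE = re.compile(r"^/pace\s*=(.+?)\s+Type=0x[0-9a-f]+\s+Flags=(0x[0-9a-f]+)"
                     r"\s+AccessMask=(0x[0-9a-f]+)\s*$", re.I | re.M)

def parse_display(text):
    """Return (owner, primary_group, [(principal, flags, mask), ...])."""
    fields = dict(re.findall(r"^/(owner|primary group)\s*=(.*)$", text, re.M))
    aces = [(who.lower(), int(flags, 16), int(mask, 16))
            for who, flags, mask in PACE_RE.findall(text)]
    return (fields.get("owner", "").strip().lower(),
            fields.get("primary group", "").strip().lower(), aces)

def describe_mask(mask, flags=0):
    """Name a mask (e.g. 0x1f01ff -> Full control) and note inherited entries."""
    label = KNOWN_MASKS.get(mask, "Special (0x%x)" % mask)
    return label + (" (inherited)" if flags & INHERITED_ACE else "")

def stale_refs(text, old_domain):
    """Principals still qualified with old_domain: exactly the entries that
    /changedomain=old=new tries to remap (or reports error 1337 on)."""
    owner, group, aces = parse_display(text)
    prefix = old_domain.lower() + "\\"
    stale = [(who, describe_mask(mask, flags))
             for who, flags, mask in aces if who.startswith(prefix)]
    if group.startswith(prefix):
        stale.append((group, "primary group"))
    if owner.startswith(prefix):
        stale.append((owner, "owner"))
    return stale
```

Running stale_refs(SAMPLE, "r2demo") returns the three r2demo ACEs plus the primary group, which matches the "4 change(s)" the /changedomain run above reported; run it again on the post-migration display output and anything still listed is an entry that hit error 1337.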
