As usual during a data centre migration, at some point you need to move a huge chunk of data. I’ve come across several of these challenges in my years of migration and I usually end up using the two most reliable yet simplest tools in my ‘migration toolkit’: Robocopy and SubInACL. Of course you have icacls within PowerShell and some of the more recent Windows Server versions, but the oldies are still goodies even in 2014.
The raw copy is the easy bit: just robocopy files from Old Device to New Device using the LAN, WAN or whatever you have at your disposal. If you wish or need to use an interim device for quicker transfer then do so, whether a NAS device or Eclypt drives – just make sure they are encrypted in case of loss during transfer.
Oh just a polite notice, for me Folder=Directory, Directory=Folder – same thing, different word.
So you’ve got the raw data across. Now those pesky NTFS permissions are still needed. There are 2 ways this can go down. The New Device is either:
- In the same domain as the Old Device
- Or in a different domain to the Old Device
If in the same domain, full steam ahead and rush along to the next paragraph. However, if the Old and New devices are in different domains then you need a Trust in place: minimum one-way from Old < New (Old Trusts New domain). If you cannot use the trust, then you had better hope you have somehow migrated SIDHistory across to your domain user objects OR you are using the same group/user names in the New Domain as you were in the Old domain OR you are able to create a mapping file between the two(!). Did I not tell you it can get quite complex?
Record the Permissions
Full steam ahead here, go to the Old Device. Identify a Folder whose NTFS permissions you would just love to capture and need to re-apply. Type in the following command at a command prompt (ensure you have the subinacl.exe file handy):
subinacl /output=C:\DumpMyOutputFileHerePlease.txt /subdirectories H:\ThisIsTheOldDeviceFolder
The /output switch lets you specify where the NTFS dump file listing all the ACLs will be errrr….dumped(!) This can be anywhere, I’ve just put it in the root of C: in my simple example. I also gave mine an apt and descriptive filename. Just in case I have cause to come back to this file in a few weeks, calling it commandfile.txt just doesn’t help.
/subdirectories is an interesting beast, if you leave it as is, it will capture all NTFS permissions for both FOLDERS and FILES (largest output file size) but changing it to one of the magically delightful options below does something very different:
- /subdirectories=directoriesonly will only collect FOLDER/DIRECTORY permissions into the /output file (often smallest output file size)
- /subdirectories=filesonly will only collect FILE permissions into the /output file (often large output file size)
The last bit H:\ThisIsTheOldDeviceFolder has to be the directory/folder whose permissions you need to record.
Once you let the command loose, it creates a file called DumpMyOutputFileHerePlease.txt and this file could be huuuuuuge! Zip it for transport. If it’s too big to Zip then split it using a nifty tool like GSplit.
Replay the Permissions
Now you need to copy that file somewhere, anywhere from which you can easily see the raw data copied to the New Device; for example, I used C:\Temp.
Run the following SubInACL command to replay the permissions:
subinacl /playfile C:\Temp\DumpMyOutputFileHerePlease.txt
Now, remember this tidbit of highly useful information. Running this command to replay the NTFS permissions makes one HUGE ASSUMPTION. It assumes that on the New Device you are using the SAME DRIVE LETTER and top level FOLDER as you had on the Old Device.
Heck, what if you have done a bit of transformation on your New Device and re-organised the data and top level folder structure? Hopefully you’re just using a different drive letter and maybe just a different top level folder. If that is the case then you need to do 2 things before replaying the permissions:
- Open the file DumpMyOutputFileHerePlease.txt
- Change every line containing “H:\ThisIsTheOldDeviceFolder” to whatever it needs to be to match your different drive letter or path, e.g. “S:\WeNowUseThisNewFolder”. Use Find/Replace to speed that up. SAVE the file. You must SAVE it. Replace or Save as New, as long as you SAVE it please.
Once saved just run the exact same command (except now your .txt file has been modified):
subinacl /playfile C:\Temp\DumpMyOutputFileHerePlease.txt
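The Find/Replace step above can be scripted so that only whole-path matches are rewritten and the original dump file is kept as it was. This is an added example, not part of the original post; the function name Convert-AclDumpRoot, its parameters and the sample lines are assumptions made for illustration.

```powershell
# Added example: rewrite the root path in a SubInACL dump before /playfile.
# Function name, parameters and sample lines are assumptions for illustration.
function Convert-AclDumpRoot {
    param(
        [Parameter(Mandatory)] [string] $Path,     # original dump (full path), left untouched
        [Parameter(Mandatory)] [string] $OutPath,  # rewritten copy (full path) to replay
        [Parameter(Mandatory)] [string] $OldRoot,
        [Parameter(Mandatory)] [string] $NewRoot
    )
    # Read with BOM detection and remember the encoding, so the copy is
    # written in the same encoding the dump was produced in.
    $reader = New-Object System.IO.StreamReader($Path, [System.Text.Encoding]::Default, $true)
    try { $text = $reader.ReadToEnd(); $encoding = $reader.CurrentEncoding }
    finally { $reader.Dispose() }

    # Literal, case-insensitive match of the old root, accepted only where it
    # is followed by '\', whitespace or end of line, so a sibling folder whose
    # name merely starts with the old root is not rewritten.
    $old     = $OldRoot.TrimEnd('\')
    $pattern = [regex]::Escape($old) + '(?=\\|\s|$)'
    $options = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, Multiline'
    $hits    = [regex]::Matches($text, $pattern, $options).Count
    if ($hits -eq 0) { throw "No occurrence of '$old' in $Path; nothing written." }

    # '$' is special in a .NET replacement string, so double it to keep it literal.
    $new    = $NewRoot.TrimEnd('\').Replace('$', '$$')
    $result = [regex]::Replace($text, $pattern, $new, $options)
    [System.IO.File]::WriteAllText($OutPath, $result, $encoding)
    return $hits
}

# Constructed sample lines (not real SubInACL output); the third line is a
# sibling folder that shares the old root as a name prefix.
$dump  = Join-Path $env:TEMP 'DumpSample.txt'
$fixed = Join-Path $env:TEMP 'DumpSample.rewritten.txt'
$lines = '+File H:\ThisIsTheOldDeviceFolder',
         '+File H:\ThisIsTheOldDeviceFolder\Finance\report.xlsx',
         '+File H:\ThisIsTheOldDeviceFolderArchive\old.txt'
[System.IO.File]::WriteAllLines($dump, $lines, [System.Text.Encoding]::Unicode)

$count = Convert-AclDumpRoot -Path $dump -OutPath $fixed `
    -OldRoot 'H:\ThisIsTheOldDeviceFolder' -NewRoot 'S:\WeNowUseThisNewFolder'
"Rewrote $count path(s)"
Get-Content -LiteralPath $fixed
```

Replay the rewritten copy with subinacl /playfile and keep the untouched original as the record of what the Old Device had.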
Good Luck & Good Night.
Coming soon: speeding up ACL application, icacls and 3rd party permissions tooling/reporting.