When moving data to a new domain (in a domain migration or disaster recovery scenario, for instance), the Access Control Lists (ACLs) of the files will still contain user accounts from the old domain. Recreating user accounts with the same name in the new domain does not solve the problem, because ACLs work by security identifier (SID), not by account name: the recreated accounts get new SIDs, and the old SIDs in the ACLs no longer resolve to anything. It is therefore necessary to reset the ACLs. To do this, we first let the Administrator of the new domain take ownership of the files, which allows the Administrator to modify the Access Control Lists. That, obviously, is the next step in this script. When setting the ACLs, we replace them rather than edit them, so that the old accounts are removed instead of left behind.
After Administrator has taken ownership, we give our users READ access to the files. In a second stage, specific user groups are given read and write access to specified folders. Those groups and folders are listed in a text file which resetACL.bat will read from.
REM Current user (administrator) takes ownership, recursively
takeown /f F:\ /R

REM Use XCACLS.exe : more control over inheritance for newly created files
REM (resort to CACLS if XCACLS is missing)
IF NOT EXIST dir_users.txt ECHO dir_users.txt missing && EXIT /B 1

REM GENERAL SETTINGS for DATA and DISTRIBUTION
REM Basic ACL : Admin, DomainAdmin Full Control, Domain Users Read
REM /P replaces the existing ACL (old-domain SIDs are dropped), /T recurses, /C continues on errors, /Y skips confirmation
xcacls E:\ /C /T /Y /P SYSTEM:f;f Administrators:f;f Domeinadministrators:f;f lTeam:r;r
xcacls F:\ /C /T /Y /P SYSTEM:f;f Administrators:f;f Domeinadministrators:f;f lTeam:r;r

REM Add specific ACL by directory, by team : Read/Write for the specified group
REM token 1 = group, rest of line = directory; /E edits the ACL instead of replacing it
FOR /F "tokens=1,*" %%i in (dir_users.txt) DO (
    if not exist %%j\NUL MD "%%j"
    xcacls "%%j" /c /y /t /e /g "%%i":rcd;ew
)

:batchend
EXIT /B 0
The input file (dir_users.txt) should look something like this:
lTeamleiders F:\documents\legal
lTeamleiders F:\documents\office
lTeam_ND F:\documents\office\management
lTeam_PT F:\documents\production
lTeam_CT F:\documents\communication
lTeam_ST F:\documents\sales
lTeam_FT F:\documents\finance
Teamleiders_FT F:\documents\finace\financial_director
lTeam F:\databasereports
The directory structure is based on considerations explained in "File and Directory Management".
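A check worth running before and after resetACL.bat, as an added example that is not part of the original script: this PowerShell snippet walks the data root and reports every owner or ACE that is still an unresolved domain SID, which is exactly how the old-domain accounts described above show up once their domain is gone. The root F:\ is taken from the script; the function name Get-OrphanedAce and the CSV path are my own choices.

```powershell
# Added example, not part of resetACL.bat: report ACL entries that still
# reference accounts from the old domain. ACLs store SIDs, so such entries
# appear as raw 'S-1-5-21-...' values that no longer translate to a name.
param([string]$Root = 'F:\')   # data root, as in the script

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
            catch { return }   # e.g. access denied before takeown has run

            # Get-Acl already tried to translate each SID to DOMAIN\name;
            # whatever is still a domain SID string is an orphan.
            if ($acl.Owner -match '^S-1-5-21-') {
                [pscustomobject]@{
                    Path = $item.FullName; Kind = 'Owner'; Sid = $acl.Owner
                    Rights = '(owner)'; Inherited = $false
                }
            }
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($id -match '^S-1-5-21-') {
                    [pscustomobject]@{
                        Path = $item.FullName; Kind = $ace.AccessControlType; Sid = $id
                        Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Per-SID summary shows which old accounts are still referenced and how widely;
# the CSV keeps the full list for review.
$orphans = Get-OrphanedAce -Path $Root
$orphans | Group-Object Sid | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$orphans | Export-Csv -LiteralPath (Join-Path $env:TEMP 'orphaned-aces.csv') -NoTypeInformation
```

Run before the script it lists what the /P replacement will drop; run afterwards, an empty result confirms no old-domain SID survived (a non-empty one usually points at a path xcacls skipped with /C).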