--------------------------------------------------
From: "Jeff Ras" <[email protected]>
Sent: Friday, October 23, 2009 5:51 PM
Subject: Migrate win2k3 security groups

> I'm sure this has been covered before, but I can't locate in the archives.
>
> New acquisition to our company has old domain xyz ... need to migrate xyz
> security groups to the new (existing) domain without establishing a domain
> trust.
>
> Purpose: When I move the data to the new domain, I don't want to manually set
> several thousand levels of permissions.
>
> Interested in software solutions too.. money not a huge issue as this will be
> needed many times.
>
> Thanks !
>
> Jeff-
>

It seems to me that trusts have somehow gained a reputation over the years for being a "bad idea." In reality, however, they are pretty safe. Let's face it, everyone in domain xyz is eventually going to be granted access within the existing domain anyway - what's the big deal? There are no valid security implications to internal trusts in a merger situation that I can really think of, although I'd be eager for a discussion on this.

However, setting sentiment aside and addressing your particular situation, you're going to need group membership lists (something like CSVDE or LDIFDE or a script) and the Microsoft tool SUBINACL. (Always get the latest one as earlier versions have [ahem..] "issues")

- Create and populate the relevant groups in your target domain (taking the opportunity to audit, reconcile and implement a standard naming convention)
- Create a mapping file (groupTarget=groupXYZ)
- Use SUBINACL with the /migratetodomain switch.

There are (some) examples on the net for this, some of which work. The explanation at http://analogduck.com/main/subinacl seems pretty good except under the /migratetodomain example, they use /changedomain instead.

CAUTION: this is a powerful and very dangerous tool. I advise you practise practise practise before a full sweep through an affected partition.

Dave
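
Added example, not part of the original thread and not written by either poster: a Python script for the audit-and-mapping step listed in the reply above. It renders mapping lines in the groupTarget=groupXYZ form from a constructed list of old-domain group names, and holds back privileged groups and any names that collide under the naming rule. The XYZ prefix, the naming rule, the PRIVILEGED list and the sample group names are assumptions.

```python
import re

# Constructed sample: group names as a CSVDE/LDIFDE export of the old
# domain might list them (not data from the thread).
SOURCE_GROUPS = ["Finance Users", "finance-users", "HR Managers",
                 "Domain Admins", "Plant 7 Operators"]

# Assumption: privileged groups are reviewed by hand, never mapped in bulk.
PRIVILEGED = {"domain admins", "enterprise admins", "administrators"}


def target_name(source, prefix="XYZ"):
    """Hypothetical naming convention: PREFIX_Word_Word."""
    words = re.findall(r"[A-Za-z0-9]+", source)
    return "_".join([prefix] + [w.capitalize() for w in words])


def build_mapping(groups, prefix="XYZ"):
    """Return (mapping, collisions, skipped) for a list of source groups."""
    by_target = {}
    skipped = []
    for group in groups:
        if group.lower() in PRIVILEGED:
            skipped.append(group)
            continue
        by_target.setdefault(target_name(group, prefix), []).append(group)
    # Two source groups landing on one target would merge their ACEs and
    # widen access, so those are held back for manual reconciliation.
    mapping = {t: s[0] for t, s in by_target.items() if len(s) == 1}
    collisions = {t: s for t, s in by_target.items() if len(s) > 1}
    return mapping, collisions, skipped


def mapping_lines(mapping):
    """Render lines in the groupTarget=groupXYZ form given in the reply."""
    return [f"{target}={source}" for target, source in sorted(mapping.items())]


if __name__ == "__main__":
    mapping, collisions, skipped = build_mapping(SOURCE_GROUPS)
    print("\n".join(mapping_lines(mapping)))
    for target, sources in collisions.items():
        print(f"REVIEW: {sources} all map to {target}")
    for group in skipped:
        print(f"SKIPPED privileged group: {group}")
```

Check the mapping-file line format against the help output of the SUBINACL version in use before running it against real data.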
