Migrate / Merge two Active Directories

A few weeks ago a customer came to me and said: “Our Active Directory was fucked up while performing an upgrade from windows 2000 to windows 2003.” Because their Exchange was already set up in a new environment, they wanted to merge the two ADs together; and thus all rights on their corporate files (300 GB) had to change from the old user account in the old domain to the new user account in the new domain.

At first I thought I could use SIDhistory, a feature in AD that is designed to be used while migrating from one domain to the other. SIDhistory is a property of a user in the Active Directory which, after a migration, records the account's old “Security Identifier” (SID). A SID is a unique string in the Active Directory that every security object has, for example a group or a user. But for using SIDhistory I read that I had to create a trust between the two domains. When trying to create such a trust, the server complained about a wrong AD version and said I had to run ADprep, which of course I did not want to do because that fucked up everything in the first place. Besides that, I had read that using SIDhistory is exploitable (at least for NT4 and Windows 2000).

So, if I cannot change the Active Directory, perhaps I can change all files? Of course not by hand, but after searching the internet I found out that this was possible. It would only take a lot of time to go through all files and directories.

I found out that by using the subinacl.exe utility it is possible to read the ACL of every file on disk and change the SID in it to reflect the new user. The only problem up to then was: “How do I copy all files without losing all security information?” Normally when copying something from the network, the user who initiated the copy gets all rights. In this case that would be the administrator, and subinacl.exe would no longer know who had rights on the file on the old file server.

The solution was another Microsoft tool called RoboCopy. It can copy files over a network and keep all kinds of properties like NTFS rights, the archive bit and even the date the file was last modified. So, I now had all the pieces; I just had to put them together.
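The two pieces put together, as an added example and not the script from the post: RoboCopy copies the share with its NTFS security intact, subinacl then rewrites every ACE that names an account from the old domain so that it names the matching account in the new domain. The share and paths (\\OLDFS\Data, D:\Data), the domain names OLDDOM and NEWDOM, the mapping file and the sample accounts in it are all assumptions for the example.

```batch
@echo off
REM Added example, not the script from the post: copy a share with its NTFS
REM security intact, then swap every ACE from the old domain's account to the
REM matching account in the new domain.
REM Assumed names: \\OLDFS\Data, D:\Data, OLDDOM, NEWDOM and the mapping file.
setlocal

set SRC=\\OLDFS\Data
set DST=D:\Data
set OLDDOM=OLDDOM
set NEWDOM=NEWDOM
set WORK=C:\migration
if not exist "%WORK%" mkdir "%WORK%"

REM Constructed sample mapping (old account=new account, one per line). In a
REM real run this file is exported from the old domain's user list.
if not exist "%WORK%\users.txt" (
  echo jdoe=jdoe> "%WORK%\users.txt"
  echo asmith=a.smith>> "%WORK%\users.txt"
)

REM 1. Copy. /E = all subdirectories, /COPYALL = data, attributes, timestamps,
REM NTFS ACL, owner and auditing info; /B = backup mode, so the admin running
REM this does not need explicit access to each file; /R:1 /W:1 keep a locked
REM file from holding the run up. A RoboCopy exit code of 8 or higher means
REM some files really failed to copy.
robocopy "%SRC%" "%DST%" /E /COPYALL /B /R:1 /W:1 /NP /LOG:"%WORK%\robocopy.log"
if errorlevel 8 (
  echo Robocopy reported failures, check %WORK%\robocopy.log
  exit /b 1
)

REM 2. Dry run. /testmode makes subinacl report what it would change without
REM touching anything; read subinacl-test.log before the real pass.
for /f "usebackq tokens=1,2 delims==" %%A in ("%WORK%\users.txt") do (
  subinacl /testmode /subdirectories "%DST%\*.*" /replace=%OLDDOM%\%%A=%NEWDOM%\%%B >> "%WORK%\subinacl-test.log"
)
set ANSWER=
set /p ANSWER=Apply the changes listed in %WORK%\subinacl-test.log (y/n)?
if /i not "%ANSWER%"=="y" exit /b 0

REM 3. Real pass. /replace rewrites every ACE (permission and audit entries)
REM that names the old account so that it names the new one. /subdirectories
REM walks the whole tree; the root folder itself is done with /file.
for /f "usebackq tokens=1,2 delims==" %%A in ("%WORK%\users.txt") do (
  subinacl /file "%DST%" /replace=%OLDDOM%\%%A=%NEWDOM%\%%B >> "%WORK%\subinacl.log"
  subinacl /subdirectories "%DST%\*.*" /replace=%OLDDOM%\%%A=%NEWDOM%\%%B >> "%WORK%\subinacl.log"
)
echo Done, see %WORK%\subinacl.log
```

Both account names on a mapping line have to resolve to a SID from the machine running subinacl, so this assumes the new file server is a member of the new domain and can still look up accounts of the old one until the last pass is done. Keep the robocopy and subinacl logs: they are the only record of which ACEs were rewritten, and the dry-run log is what you compare against if a folder turns out to have unexpected rights afterwards.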

Overview File server Migration

With a batch script I wrote, all SIDs on all files and directories were changed from the old user to the new user. The last thing that had to be done was migrating all workstations into the new domain. This was achieved with a Visual Basic script that extracts the current hostname and the current domain and calls netdom to join the machine to the new domain.
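The workstation step, as an added example rather than the post's VBScript: the script reads the domain the machine is currently in, skips machines that already moved, and calls netdom to join the rest. The domain names, the target OU, the join account and the log share \\NEWFS\migration$ are assumptions for the example.

```batch
@echo off
REM Added example, not the VBScript from the post: run on each workstation to
REM move it into the new domain. Assumed names: NEWDOM / newdom.local, the
REM target OU, the join account and the log share \\NEWFS\migration$.
setlocal

set NEWDOM=NEWDOM
set NEWDOMDNS=newdom.local
set TARGETOU=OU=Workstations,DC=newdom,DC=local
set JOINUSER=%NEWDOM%\join-svc
set LOGFILE=\\NEWFS\migration$\joins.log

REM Read the domain the machine itself is in; USERDOMAIN would only tell us the
REM logged-on user's domain. wmic reports the DNS name of the domain, and the
REM nested for strips the trailing carriage return wmic puts on each line.
set CURDOM=
for /f "tokens=2 delims==" %%D in ('wmic computersystem get domain /value') do (
  for /f "delims=" %%E in ("%%D") do set CURDOM=%%E
)
if "%CURDOM%"=="" (
  echo Could not read the current domain of %COMPUTERNAME%
  exit /b 1
)

REM Skip machines that already moved, so running the script twice is harmless.
if /i "%CURDOM%"=="%NEWDOMDNS%" (
  echo %COMPUTERNAME% is already in %NEWDOM%
  exit /b 0
)

REM Record hostname and old domain before the join, the same two values the
REM post's script collected, so there is a list of what was moved and when.
echo %DATE% %TIME% %COMPUTERNAME% from %CURDOM% to %NEWDOM% >> "%LOGFILE%"

REM /PasswordD:* prompts for the join account's password instead of leaving it
REM in a script that is copied to every workstation. /Reboot:30 restarts the
REM machine 30 seconds after the join so the new membership takes effect.
netdom join %COMPUTERNAME% /Domain:%NEWDOM% /OU:"%TARGETOU%" /UserD:%JOINUSER% /PasswordD:* /Reboot:30
if errorlevel 1 (
  echo %DATE% %TIME% %COMPUTERNAME% join FAILED >> "%LOGFILE%"
  exit /b 1
)
```

The join account only needs the right to create computer objects in the target OU, not domain admin rights, and the log share only needs write access for it; both keep the blast radius small if the script or the account ends up somewhere it should not.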

One Response to “Migrate / Merge two Active Directories”

  1. baby says:

    Nice website!!
