REAL POWERSHELL SOLUTIONS FILE SERVER MIGRATIONS
Anyone who does Active Directory migrations has to deal with file servers and decide whether or not to use SID History. Either way, you are going to have to dig deep into user and group shares. The NTFSSecurity module is a great PowerShell module that takes a lot of the guesswork out of this. A quick internet search will find it for download; unzip it into a folder on your PowerShell module path (the default is C:\Windows\System32\WindowsPowerShell\v1.0\Modules; C:\Program Files\WindowsPowerShell\Modules also works on PowerShell 4 and later and survives Windows updates better). A downloaded zip is marked as coming from the internet, so run Unblock-File on it before extracting or the module's files may refuse to load under the default execution policy. On current systems the module can also be installed straight from the PowerShell Gallery with Install-Module NTFSSecurity.
This module is extremely versatile and fast for populating permissions. It works great in a migration scenario where SID History is not used, and it makes "group mirroring"** much easier than it used to be. I will focus on a couple of scenarios where this really comes in handy.
**Group Mirroring: the process of exporting groups from the source domain into an LDIF or CSV file and importing them into the target domain. It lets a migration proceed without SID History. Divestitures and small/medium environments (fewer than 15K users) are good candidates for skipping SID History. To simplify re-applying groups to resources still in the source domain, keep the same group name and add a suffix; Excel formulas make this simple (see below). Group-name cleanup after the migration is much easier and cleaner than SID History cleanup, and file servers can stay in the source domain until later in the migration.
NTFSSECURITY MODULE
Every AD migration specialist has hit the case where migrated users can no longer access directories still located in the old domain. I personally ran into a situation where a local server admin had used "Domain Users" in over 300 folder/file locations on a group share, some 3-5 levels deep. "Domain Users" is a per-domain group: once the users moved to the new domain they were no longer members of the source domain's "Domain Users", so they lost access. The NTFSSecurity module allowed a very quick turn-around for both discovery and remediation.
Do not forget to download, unzip, and copy the module into the PowerShell Modules folder; Get-Module -ListAvailable NTFSSecurity confirms that PowerShell can see it.
PREREQUISITES
Reading or adding security on a directory structure requires PowerShell to run under an account that has rights to read and change permissions on the entire tree, and BUILTIN\Administrators needs access to every folder and file, which normally comes through inheritance. Address this before going any further. The NTFSSecurity module provides Set-NTFSOwner and Enable-NTFSInheritance (named Enable-NTFSAccessInheritance in current module versions) for trees where BUILTIN\Administrators is locked out, and Enable-Privileges turns on the backup, restore and take-ownership privileges so an administrator can read and take over folders that deny Administrators outright. Be deliberate with inheritance: it is sometimes disabled on purpose (a payroll folder shielded from the parent's wide-open ACE), and re-enabling it across the whole tree re-grants the parent's permissions there. Inventory with Get-NTFSInheritance first and enable it only where you mean to.
Import-Module NTFSSecurity
Enable-Privileges    # SeBackup/SeRestore/SeTakeOwnership, needed for folders that currently deny Administrators
Set-NTFSOwner -Path D:\Groupshares -Account BUILTIN\Administrators
Get-ChildItem2 -Path D:\Groupshares -Recurse | Set-NTFSOwner -Account BUILTIN\Administrators    # Set-NTFSOwner is not recursive on its own
Enable-NTFSInheritance -Path D:\Groupshares    # per folder, not recursive; pipe in only the folders you have reviewed with Get-NTFSInheritance
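Before changing ownership or inheritance it pays to know which folders actually need it. The following is an added example, not code from the original article: it walks the tree read-only, records owner, inheritance state and whether Administrators have an ACE on each folder, warns about folders the session cannot enumerate at all (those would silently drop out of a later export), and then fixes ownership only where Administrators are locked out, leaving inheritance untouched. It assumes NTFSSecurity 4.x cmdlet names (Get-Item2, Get-ChildItem2, Get-NTFSOwner, Get-NTFSInheritance, Enable-Privileges) and uses D:\Groupshares and E:\Exports as placeholder paths.

```powershell
# Added example (not from the original article). Read-only inventory of a share tree
# before any ownership/inheritance change. Assumes NTFSSecurity 4.x cmdlet names;
# D:\Groupshares and E:\Exports are placeholder paths.
Import-Module NTFSSecurity
Enable-Privileges   # lets this session read ACLs on folders that deny Administrators outright

$Root   = 'D:\Groupshares'
$Admins = 'BUILTIN\Administrators'

# Include the root itself: Get-ChildItem2 returns only children. Folders that cannot be
# enumerated are collected in $EnumErrors rather than aborting the run.
$Folders = @(Get-Item2 -Path $Root) +
           @(Get-ChildItem2 -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue -ErrorVariable EnumErrors)
foreach ($Err in $EnumErrors) { Write-Warning "Cannot enumerate: $Err" }

$Report = foreach ($Folder in $Folders) {
    $Owner       = (Get-NTFSOwner -Path $Folder.FullName).Owner
    $Inheritance = Get-NTFSInheritance -Path $Folder.FullName
    # Any ACE (explicit or inherited) for Administrators counts as "has access" for this check.
    $AdminAce    = Get-NTFSAccess -Path $Folder.FullName -Account $Admins
    [pscustomobject]@{
        FullName           = $Folder.FullName
        Owner              = $Owner
        InheritanceEnabled = $Inheritance.AccessInheritanceEnabled
        AdminsHaveAccess   = [bool]$AdminAce
    }
}

# Folders with inheritance disabled were usually done on purpose (an HR or payroll folder
# shielded from the parent's wide-open ACE). Review this list before enabling anything.
$Report | Where-Object { -not $_.InheritanceEnabled } | Format-Table -AutoSize
$Report | Export-Csv -Path 'E:\Exports\GroupsharePreflight.csv' -NoTypeInformation

# Take ownership only where Administrators are locked out; inheritance is left as found.
$Report | Where-Object { -not $_.AdminsHaveAccess } |
    ForEach-Object { Set-NTFSOwner -Path $_.FullName -Account $Admins }
```

The pre-flight CSV doubles as a record of the tree's state before the migration touched it, which is worth keeping alongside the permission export for the inevitable "who changed this" question later.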
GET-NTFSACCESS
Let us look at what I was able to do with this module. The process below exports the current domain's permissions from a file server, then adds the corresponding group from a trusted forest/domain alongside each one. Users keep access to the folders and files whether or not they have been migrated, without relying on SID History, and the file server itself can be moved to the new domain at any time without an outage or loss of productivity.
Note: The NTFSSecurity cmdlets do not process files and folders recursively. Use Get-ChildItem or Get-ChildItem2 with the -Recurse switch and pipe the results in. (Get-ChildItem2 is part of the NTFSSecurity module and handles paths longer than 260 characters, which the built-in Get-ChildItem cannot.)
The attributes available for export (Select-Object):
· Account - the local or domain principal the permission is granted to
· Name - folder/file name the permission is applied to
· FullName - full path of the folder/file the permission is applied to
· InheritanceEnabled - not needed here, as only explicitly applied permissions are of interest
· AccessControlType - Allow or Deny (Deny is not used often, but when it is, it must be carried over as Deny)
· AccessRights - the permission applied (FullControl, ReadAndExecute, Modify, Synchronize, ...)
· AppliesTo - NTFSSecurity converts InheritanceFlags and PropagationFlags into the Windows Explorer wording:
o ThisFolderOnly
o ThisFolderSubfoldersAndFiles
o ThisFolderAndSubfolders
o ThisFolderAndFiles
o SubfoldersAndFilesOnly
o SubfoldersOnly
o FilesOnly
· IsInherited - True/False; not needed here, as only explicit permissions are exported
· InheritanceFlags - not needed, use AppliesTo
· PropagationFlags - not needed, use AppliesTo
To export all explicit permissions set anywhere in the group share directory:
NOTE: Get-ChildItem combined with Get-NTFSAccess will take a long time depending on the size of the directory being read; run it on the file server itself rather than across the share.
Import-Module NTFSSecurity
@(Get-Item2 -Path D:\Groupshares) + @(Get-ChildItem2 -Path D:\Groupshares -Recurse) | Get-NTFSAccess -ExcludeInherited | Select-Object Account,Name,FullName,AccessControlType,AccessRights,AppliesTo | Export-Csv -Path E:\Exports\GroupsharePermissions.csv -NoTypeInformation
The -ExcludeInherited switch exports only the places where permissions are explicitly applied; the share root is added with Get-Item2 because Get-ChildItem2 returns only its children, and the root's own explicit ACEs would otherwise be missed. Everything needed to re-apply target-domain permissions to the directory structure is in this .CSV file: after an edit/replace of the account column, Add-NTFSAccess re-applies the corresponding group from the target domain.
To export all explicit permissions set anywhere in the group share directory for one specific account:
Import-Module NTFSSecurity
@(Get-Item2 -Path D:\Groupshares) + @(Get-ChildItem2 -Path D:\Groupshares -Recurse) | Get-NTFSAccess -Account 'Sourcedomain\Groupname' -ExcludeInherited | Select-Object Account,Name,FullName,AccessControlType,AccessRights,AppliesTo | Export-Csv -Path E:\Exports\GroupsharePermissions_Groupname.csv -NoTypeInformation
ADD-NTFSACCESS
The CSV file will take a little manipulation before the permissions can be re-applied with groups from the target domain:
1. Sort the CSV file on the "Account" column.
2. Delete all rows whose account is not a source-domain principal: BUILTIN, NT AUTHORITY, NT SERVICE, CREATOR OWNER, etc. Rows that show a raw SID (S-1-5-21-...) instead of a name are orphaned ACEs for accounts that no longer exist; leave those out as well (Get-NTFSOrphanedAccess lists them for cleanup).
3. Insert two columns next to "Account": put the suffix for the target group in the first and the formula =A2&B2 in the second, then Edit/Replace the source domain prefix with the target domain.
4. Copy the formula column into Notepad/Notepad++/WordPad (depending on the number of rows).
5. Paste it back over the "Account" column; this replaces the formulas with plain values.
6. Delete the two inserted columns.
NOTE: If folders or files have user accounts applied directly instead of groups, copy those rows into another CSV file. I use a VLOOKUP Excel formula with Edit/Replace to address these, or move the accounts into the appropriate groups. That is a separate user-share article for later.
Editing the CSV in Excel strips the quoting around fields, and Import-Csv then mis-splits any folder name or path that contains a comma. Below is the trick I use to rebuild lines that PowerShell reads cleanly.
The formula =F2&A2&G2&B2&G2&C2&G2&D2&F2 (F2 and G2 supply the opening/closing quote and the "," separator between fields), dragged down the sheet, produces properly quoted CSV rows from columns A-D. I copy the column into Notepad/Notepad++/WordPad, add the header line, and save it as Apply_Permissions.csv. Keep the columns the apply script reads: FullName, Account, AccessRights and, where they vary across the export, AccessControlType and AppliesTo.
$Apply = Import-Csv -Path D:\Export\Apply_Permissions.csv
$Apply | ForEach-Object {
    # -AccessType carries Allow/Deny from the export; without it every Deny ACE would be re-created as Allow
    Add-NTFSAccess -Path $_.FullName -Account $_.Account -AccessRights $_.AccessRights -AccessType $_.AccessControlType -AppliesTo $_.AppliesTo -PassThru
} | Format-Table -Property FullName,Account,AccessControlType,AccessRights,AppliesTo -AutoSize | Out-File -FilePath D:\Export\NewGroups.txt
-AccessType defaults to Allow and -AppliesTo to ThisFolderSubfoldersAndFiles, so both parameters can be dropped if the CSV has no AccessControlType and AppliesTo columns. Keep them whenever the export contains Deny entries or mixed AppliesTo settings: re-creating a Deny as Allow silently widens access. Errors from Add-NTFSAccess (typically a target group that has not been created yet) are reported as they occur; an -ErrorAction on Out-File does nothing for them, so watch the console output or add -ErrorVariable to Add-NTFSAccess to capture them.
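The same sort, filter, suffix and re-apply steps can be done entirely in PowerShell, which sidesteps the Excel quoting problem. The following is an added example, not code from the original article: it reads the Get-NTFSAccess export, drops non-domain principals and orphaned SIDs, sets aside ACEs granted directly to users, maps each source-domain group to its mirrored target-domain name, writes Apply_Permissions.csv, and applies it through a dry-run-by-default function that records Allow/Deny and AppliesTo for every ACE. It assumes NTFSSecurity 4.x cmdlet names; SOURCEDOMAIN, TARGETDOMAIN, the "-T" suffix, the paths, the account names and the six-row export are all constructed placeholders, and the list of direct-user accounts is hypothetical (in practice, check each account's object class against AD).

```powershell
# Added example (not from the original article): the CSV edit/replace done in
# PowerShell instead of Excel, then applied with Add-NTFSAccess. Assumptions:
# NTFSSecurity 4.x cmdlet names; SOURCEDOMAIN/TARGETDOMAIN, the '-T' suffix,
# the paths, the accounts and the sample export below are all placeholders.
Import-Module NTFSSecurity

$SourceDomain = 'SOURCEDOMAIN'
$TargetDomain = 'TARGETDOMAIN'
$Suffix       = '-T'                      # mirrored group <SourceGroup>-T already exists in the target domain
$DirectUsers  = @('SOURCEDOMAIN\jsmith')  # hypothetical list of user (not group) principals; confirm against AD in practice

# Constructed stand-in for E:\Exports\GroupsharePermissions.csv (normally: Import-Csv that file).
$Export = @'
"Account","Name","FullName","AccessControlType","AccessRights","AppliesTo"
"SOURCEDOMAIN\Domain Users","Groupshares","D:\Groupshares","Allow","ReadAndExecute, Synchronize","ThisFolderSubfoldersAndFiles"
"SOURCEDOMAIN\HR-Payroll","Payroll","D:\Groupshares\HR\Payroll","Allow","Modify, Synchronize","ThisFolderSubfoldersAndFiles"
"SOURCEDOMAIN\Contractors","Payroll","D:\Groupshares\HR\Payroll","Deny","FullControl","ThisFolderOnly"
"BUILTIN\Administrators","Groupshares","D:\Groupshares","Allow","FullControl","ThisFolderSubfoldersAndFiles"
"SOURCEDOMAIN\jsmith","Budget, 2017","D:\Groupshares\Finance\Budget, 2017","Allow","Modify, Synchronize","ThisFolderSubfoldersAndFiles"
"S-1-5-21-1111111111-2222222222-3333333333-1234","Archive","D:\Groupshares\Archive","Allow","Modify, Synchronize","ThisFolderSubfoldersAndFiles"
'@ | ConvertFrom-Csv

$Apply    = New-Object System.Collections.Generic.List[object]
$UserAces = New-Object System.Collections.Generic.List[object]
$Skipped  = New-Object System.Collections.Generic.List[object]

foreach ($Row in $Export) {
    if ($Row.Account -notlike "$SourceDomain\*") {
        # BUILTIN, NT AUTHORITY, CREATOR OWNER and unresolved S-1-5-21-... SIDs (orphaned ACEs) are not migrated
        $Skipped.Add($Row); continue
    }
    if ($DirectUsers -contains $Row.Account) { $UserAces.Add($Row); continue }   # handled in the user-share pass

    $Group = $Row.Account.Substring($SourceDomain.Length + 1)
    $Apply.Add([pscustomobject]@{
        FullName          = $Row.FullName
        Account           = "$TargetDomain\$Group$Suffix"
        AccessControlType = $Row.AccessControlType   # keep Allow/Deny; dropping it would turn every Deny into Allow
        AccessRights      = $Row.AccessRights
        AppliesTo         = $Row.AppliesTo
    })
}

# Export-Csv quotes every field, so folder names containing commas ("Budget, 2017") survive the round trip.
$Apply    | Export-Csv -Path "$env:TEMP\Apply_Permissions.csv" -NoTypeInformation
$UserAces | Export-Csv -Path "$env:TEMP\UserAces_ToReview.csv"  -NoTypeInformation
"{0} ACEs to apply, {1} user ACEs to review, {2} skipped" -f $Apply.Count, $UserAces.Count, $Skipped.Count

function Invoke-ApplyPermissions {
    # Dry run by default; -Commit actually writes the ACEs. Every row yields a result object for the run log.
    param([Parameter(Mandatory)][string]$CsvPath, [switch]$Commit)
    foreach ($Ace in Import-Csv -Path $CsvPath) {
        $Result = 'DryRun'
        if ($Commit) {
            try {
                Add-NTFSAccess -Path $Ace.FullName -Account $Ace.Account -AccessRights $Ace.AccessRights `
                    -AccessType $Ace.AccessControlType -AppliesTo $Ace.AppliesTo -ErrorAction Stop
                $Result = 'Added'
            } catch { $Result = "Failed: $($_.Exception.Message)" }   # e.g. target group not created yet
        }
        [pscustomobject]@{ FullName = $Ace.FullName; Account = $Ace.Account; AccessControlType = $Ace.AccessControlType;
                           AccessRights = $Ace.AccessRights; AppliesTo = $Ace.AppliesTo; Result = $Result }
    }
}

Invoke-ApplyPermissions -CsvPath "$env:TEMP\Apply_Permissions.csv" | Format-Table -AutoSize
# Invoke-ApplyPermissions -CsvPath "$env:TEMP\Apply_Permissions.csv" -Commit | Export-Csv "$env:TEMP\NewGroups.csv" -NoTypeInformation
```

Run the dry run first and read the table: the Contractors row must come out as Deny on ThisFolderOnly, the Administrators and raw-SID rows must be absent, and the jsmith row must be in UserAces_ToReview.csv rather than in the apply list. Only then run it again with -Commit and keep the resulting CSV as the change record for that share.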
Like anything else with PowerShell, these scripts come "as is". Test, test, and then test again until you are comfortable with your own environment. This should get you on your way and give you ideas on how to re-permission a file server much faster than before, with fewer headaches. Good migrations to you.
COPYRIGHT
Content Disclaimer: This article and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared in this article reflect those of the author and do not represent the views of any companies that may be mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2017.
I think these neat tricks should be implemented as part of the tools we use these days, because regardless of using third-party tools, we always have to run scripts here and there to complete the migration cycle.