5

Running a really simple ICACLS command after I copied a directory over to a new server with permissions intact. I need to change a SID from an old server user group to a new server user group.

Copied folder with ROBOCOPY source dest /SEC...

Got the SID of the old server user group and new server user group using PSGetSid.

icacls folder /save acl /t
icacls folder /substitute S-blahold S-blahnew /restore acl

I get an error that says: s-blahold: No mapping between account names and security IDs was done.

I've tried replacing the SID with the servername\group. I'm running as Administrator account that has admin access to old and new servers.

Source server is Windows 2003, destination is Server 2008.

Brad
  • 165
  • 1
  • 3
  • 10

2 Answers2

2

If they are in the same domain you might be able to use the friendly format, e.g. DOMAIN\USERNAME. I have found this does work when in the same domain.

The other thing is: you are prefixing the SID's with an asterisk, right?

Lastly, you could try subinacl - this allows doing an SID replace without actually looking up the object for existence in AD.

Joe Niland
  • 447
  • 1
  • 5
  • 16
  • Joe, I don't believe I was prefixing the SIDs with an asterisk. I did end up using subinacl to change the permissions. I have another server migration coming up and I will try icacls with asterisks. – Brad May 08 '13 at 13:40
  • @Brad - good to hear. subinacl is a more robust tool in general. – Joe Niland May 14 '13 at 06:33
-1

You could use subinacl to perform this task

MichelZ
  • 11,008
  • 4
  • 30
  • 58