Access Denied: Enabling Users to Access Two Domain Accounts

We want to eliminate an old domain that was added to our network after an acquisition. To migrate the accounts in the old domain, we'll first create a new account in the main domain for each user in the old domain. Then, we'll gradually have users start logging on with their new account. Finally, we'll delete the old accounts. After we create the new accounts and before we delete the old ones, users need to be able to use both their new and old accounts to log on and access their files. How can we allow users to access both accounts without a major manual effort?

A powerful, free utility called SetACL, written by Helge Klein, can help you; it's available under the GNU General Public License (GPL) at http://www.helge.mynetcologne.de/setacl. SetACL lets you report, modify, back up, and restore permissions, auditing, and ownership for many types of objects, including folders, files, shares, registry keys, printers, and services. SetACL fully supports Windows NT and later permissions as well as inheritance and inheritance blocking. SetACL lets you perform any of its operations on just the specified object or on the specified object and all child objects.

First, I show you a SetACL command that will search the ACL for each file and folder on a hard disk for access control entries (ACEs) for users or groups from the old domain. For each such occurrence, SetACL will duplicate the ACE but substitute the new domain name for the old domain name. The command

SetACL.exe -on \server1share1  -ot file -actn domain  -rec cont_obj   -dom "n1:OldDomain;    n2:MainDomain;da:cpydom;    w:dacl"

processes each file and subfolder in \server1share1. (Although this command appears on several lines here, you must enter it on one line in the command-shell window, making sure there are no spaces after the semicolons.) When SetACL encounters an ACE for a user or group in OldDomain, it looks up the same username or group name in MainDomain and finds the SID for that user or group. Then, SetACL uses the SID to create a new ACE with the same permissions in MainDomain. After you execute this command, user Fred will have the same access whether he logs on as olddomainfred or maindomainfred. After you complete the migration, you can use the command

SetACL.exe -on \server1share1  -ot file -actn domain  -rec cont_obj -dom  "n1:OldDomain;da:remdom;w:dacl"

to delete all the old ACEs.