Merging ACLs

mikedisd2

Just wondering if anyone can recommend a tool that can export NTFS ACLs from one folder and apply them to another folder while preserving the ACLs already present there. I have migrated data across domains and exported/imported ACLs using SubinACLs.exe. This works great but overwrites any ACLs present on the target folder.

I need to export ACLs of \\domain1\folder to txtfile, edit text file, replace permissions of domain1\folder\*.* with domain2\folder\*.* and play this file to \\domain2\folder.

Any suggestions for a tool that can do this?

Claymoore

My first thought was using powershell with a get-acl and set-acl command. However, I think that will replace the acl on the destination folder instead of merging. Also, I am pretty sure that the dirty work of the set-acl is done using the SDDL entries rather than the easier-to-read domainm\user permission level that we see in Explorer. Editing permissions using SIDs and security descriptor language is never fun.

mikedisd2

Claymoore wrote: »

My first thought was using powershell with a get-acl and set-acl command. However, I think that will replace the acl on the destination folder instead of merging. Also, I am pretty sure that the dirty work of the set-acl is done using the SDDL entries rather than the easier-to-read domainm\user permission level that we see in Explorer. Editing permissions using SIDs and security descriptor language is never fun.

Definitely not fun. I've had a word with the PM and in lack of an effective tool, we're going to half-arse the new permissions then write over the top of them after the user migrations. Another quality job coming up...

Cheers for the response.

phoeneous

How about xcacls?

RomBUS

Hmmm...I am tagging this for knowledge. Could come across a helpful tool here