Moving permissions and home folders for 100+ users to new AD

I need to move the home folders for 100+ users from one AD to another. The samAccountName for each user is the same in both ADs, but the ObjectGUID differs as the users were exported and imported with a CSV file rather than through a trust.

The copying is no real problem - I believe I’ve got a working robocopy line - but I’m more worried about setting permissions on the folders after the move. I would like to iterate over each home folder and assign ownership and full control to the user whose samAccountName matches the folder name.

However, I’m not entirely comfortable with the PowerShell Get-Acl and Set-Acl commands.
If I understand it correctly, I need to grab the ACL from a folder into a variable first, then manipulate the permissions on the variable, and then apply the correct permissions with Set-Acl.

The way I envision it:

  1. Get-ACL from a folder to $UserACL
  2. Get the name of a user folder
  3. See if I can match a folder name with a samAccountName
  4. If so add the user permissions to the $UserACL
  5. Set permissions on the folder by running Set-ACL on the user folder
  6. If no match, set permissions so only Administrators have access to the folder

Pseudo code:

$ADUsers = Import-Csv 'UserCSV.csv' -Delimiter ';'
# Index the samAccountNames once so each folder needs a single lookup
# instead of a nested loop over every user
$KnownUsers = @{}
ForEach ($User in $ADUsers) { $KnownUsers[$User.samAccountName] = $true }

$HomeFolders = Get-ChildItem [RootDir] | Where-Object {$_.PSIsContainer}

$admidentity = "BUILTIN\Administrators"
$fileSystemRights = "FullControl"
$type = "Allow"
# Let the rules flow down to subfolders and files, as folder ACLs normally do
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]::None

Foreach ($Folder in $HomeFolders) {
  # Take a fresh copy of the template ACL for every folder; reusing one
  # object would carry the rules added for earlier folders into later ones
  $UserACL = Get-Acl -Path [ExampleDir]
  # Administrators always get Full Control
  $admRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $admidentity, $fileSystemRights, $inheritance, $propagation, $type
  $UserACL.SetAccessRule($admRule)
  if ($KnownUsers.ContainsKey($Folder.Name)) {
    # FileSystemAccessRule takes a single identity per rule, so the user
    # gets a separate rule rather than being passed alongside Administrators
    $useridentity = "[AD]\$($Folder.Name)"
    $userRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $useridentity, $fileSystemRights, $inheritance, $propagation, $type
    $UserACL.SetAccessRule($userRule)
  }
  # No match: only the Administrators rule is applied
  Set-Acl -Path "[Path]\$($Folder.Name)" -AclObject $UserACL
}

This is only setting permissions, not ownership, so I’m not sure if that’s even possible right off the bat with PowerShell. Or will I need to look at cacls and takeown?
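The following is an added example, not code from the original post, showing the whole procedure including the ownership step: match each folder to a samAccountName from the CSV, confirm the account actually resolves in the new domain before touching the ACL (NTFS stores SIDs, not names, so an unresolvable name would only produce an orphaned entry), then grant Full Control and set the owner, or lock the folder to Administrators when there is no match. The root path D:\Home, the domain name NEWDOMAIN and the column name samAccountName are assumptions; the script expects an elevated session on a member of the new domain, because handing ownership to another account needs the restore privilege that Set-Acl uses when run as an administrator.

```powershell
# Added example, not from the original post. Assumptions: home folders live under
# $RootDir, the new domain's NetBIOS name is $Domain, the CSV has a samAccountName
# column, and this runs elevated on a machine joined to the new domain.
param(
    [string]$RootDir = 'D:\Home',
    [string]$Domain  = 'NEWDOMAIN',
    [string]$UserCsv = 'UserCSV.csv'
)

$ErrorActionPreference = 'Stop'
$Admins  = 'BUILTIN\Administrators'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

# Index the CSV once; the hashtable turns the folder-to-user match into a lookup
$Known = @{}
Import-Csv -Path $UserCsv -Delimiter ';' | ForEach-Object { $Known[$_.samAccountName.ToLower()] = $true }

function Resolve-Account {
    # Return the SID for DOMAIN\name, or $null when the new AD cannot resolve it.
    # Applying a name the domain does not know would only write an orphaned SID.
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

function Set-HomeFolderSecurity {
    param([System.IO.DirectoryInfo]$Folder, [string]$Owner)

    $acl = Get-Acl -Path $Folder.FullName
    # Stop inheriting from the root and drop whatever the copy brought along,
    # then add exactly the rules we want
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Admins, 'FullControl', $Inherit, $NoProp, 'Allow')
    $acl.SetAccessRule($adminRule)

    if ($Owner) {
        $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Owner, 'FullControl', $Inherit, $NoProp, 'Allow')
        $acl.SetAccessRule($userRule)
        # Ownership is part of the same security descriptor: SetOwner on the ACL
        # object, then one Set-Acl call applies DACL and owner together
        $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    } else {
        $acl.SetOwner([System.Security.Principal.NTAccount]$Admins)
    }
    Set-Acl -Path $Folder.FullName -AclObject $acl
}

foreach ($folder in Get-ChildItem -Path $RootDir -Directory) {
    $account = "$Domain\$($folder.Name)"
    if ($Known.ContainsKey($folder.Name.ToLower()) -and (Resolve-Account $account)) {
        Set-HomeFolderSecurity -Folder $folder -Owner $account
        Write-Host "$($folder.Name): owner and Full Control -> $account"
    } else {
        # No matching user in the new AD: restrict the folder to Administrators
        Set-HomeFolderSecurity -Folder $folder -Owner $null
        Write-Warning "$($folder.Name): no matching account, restricted to Administrators"
    }
}
```

Because the user and Administrators rules carry ContainerInherit and ObjectInherit, subfolders and files that inherit their DACL pick them up; explicit entries that the copy placed on individual files are not touched by this loop. If Set-Acl refuses the owner change in your environment, the fallback the post mentions (takeown followed by icacls) still applies.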

I was under the impression that /COPYALL and /DCOPY:DAT would handle all that you ask? Is that not the case?

My understanding is that the permissions on a file or a folder are based on the ID, which in the case of an AD user I believe is the ObjectGUID, not on the samAccountName. This means that in this case, where I’m moving content between two different ADs, the samAccountNames are the same but the ObjectGUIDs are not. If that’s so, I would be applying invalid user permissions to the folders when using COPYALL and/or DCOPY:DAT, leaving me with a lot of permissions looking like this:


If I’m wrong and robocopy actually understands that it should use the samAccountName as basis for the permissions, please let me know. But I would rather not have to clean up permissions on 100+ folders with subfolders after the fact.
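An added example, not part of the thread, that makes the point above checkable after a copy: it walks a tree and lists every access entry whose trustee is a SID the current domain cannot map back to an account (the "unknown account" entries a copied security descriptor leaves behind), and with -Remove strips the explicit ones so that inherited copies on children disappear as the parent is cleaned. The path D:\Home is an assumption. Strictly, what NTFS stores is the account's SID rather than the ObjectGUID, and the check below tests exactly that: whether the SID still resolves.

```powershell
# Added example, not from the thread. Reports (and optionally removes) access
# entries whose SID no longer maps to an account in this domain, which is what a
# copied security descriptor produces when its SIDs came from the old AD.
param(
    [string]$Path = 'D:\Home',
    [switch]$Remove
)

function Test-OrphanSid {
    param([System.Security.Principal.IdentityReference]$Id)
    # Get-Acl returns an NTAccount when the SID resolved and a raw
    # SecurityIdentifier when it did not; confirm with an explicit Translate
    if ($Id -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    try {
        $null = $Id.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

# Get-ChildItem -Recurse yields parents before their children, so explicit
# orphans are removed top-down and inherited copies vanish with them
$report = foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $orphans = @($acl.Access | Where-Object { Test-OrphanSid $_.IdentityReference })
    if ($orphans.Count -eq 0) { continue }

    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    if ($Remove) {
        # Only explicit entries can be removed on this item; inherited ones are
        # owned by the parent and go away once the parent has been cleaned
        foreach ($ace in ($orphans | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($ace)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remove first to see how many entries a robocopy /COPYALL run actually carried over; that count is the cleanup work the post is trying to avoid. A folder owned by an orphaned SID shows up the same way via $acl.GetOwner([System.Security.Principal.SecurityIdentifier]) and is fixed by setting a new owner as in the earlier script.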

Understood. Thanks for the info.


Did you try this in your testing:

/SECFIX :: FIX file SECurity on all files, even skipped files.

Maybe worth a shot.