The Usual Tech Ramblings

AD Migrations, and Permissions

One of the things I’ve been working on is migrating our equipment off our own domain and onto the corporate domain. For the most part this has been relatively easy, and it has given me the chance to fix some things I’ve wanted to get to but not had time for. One of the stumbling blocks was cutting the file server over to the new server.

I’ll admit I didn’t plan that server migration too well, and have instead been fixing things as they come up. One of the issues I’ve come across is trying to remember who originally had access to what. Because the file server can no longer talk to the old domain controller, it cannot resolve the old security accounts, so the permissions show up as a list of raw security IDs (SIDs) rather than names.

My original idea was to use Softerra’s LDAP Browser to search the old AD server for the SIDs. This is where I ran into a problem: the SID is stored in AD as a binary value, and LDAP Browser cannot search on it (at least not in any way I could find).

I did a little Googling around and stumbled across a nifty utility called ADFind. It lets you run LDAP queries against the domain controller, with the added bonus of encoding binary values in the filter for you. For example:

adfind -binenc -f "(objectsid={{SID:S-1-...}})"

This encodes the SID into the filter and returns the record for the user or group it belongs to. That let us go through the file server, fix the permissions, and make sure those who should have access did.
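The same lookup in PowerShell, added here as an example and not code from the original post: it walks a share, collects the ACEs whose trustee is still a raw SID, and queries the old DC with the \XX-escaped objectSid filter that ADFind’s -binenc builds for you. The share path, old DC name and base DN are assumed placeholders.

```powershell
# Added example (not from the original post). Assumed placeholders:
# share path D:\Shares, old DC olddc.old.example.local, base DN DC=old,DC=example,DC=local.
param(
    [string]$Path   = 'D:\Shares',                  # assumption
    [string]$OldDc  = 'olddc.old.example.local',    # assumption
    [string]$BaseDn = 'DC=old,DC=example,DC=local'  # assumption
)

# Turn "S-1-5-21-..." into the \XX-escaped byte form an LDAP filter needs
# for a binary attribute; this is what ADFind's -binenc {{SID:...}} does.
function ConvertTo-LdapSidFilter {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(objectSid=$escaped)"
}

# Collect ACEs whose trustee could not be translated to a name.
$unresolved = @{}
Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    foreach ($ace in $acl.Access) {
        $ref = $ace.IdentityReference
        # Get-Acl already tried to translate; a SecurityIdentifier here means it failed.
        if ($ref -is [System.Security.Principal.SecurityIdentifier]) {
            if (-not $unresolved.ContainsKey($ref.Value)) { $unresolved[$ref.Value] = @() }
            $unresolved[$ref.Value] += $_.FullName
        }
    }
  }

# Resolve each orphaned SID against the old domain controller over LDAP.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OldDc/$BaseDn")
foreach ($sidString in $unresolved.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = ConvertTo-LdapSidFilter $sid
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectClass')) | Out-Null
    $hit = $searcher.FindOne()
    $name = if ($hit) { $hit.Properties['samaccountname'][0] } else { '<not found in old domain>' }
    [pscustomobject]@{ Sid = $sidString; OldName = $name; Paths = $unresolved[$sidString].Count }
}
```

The output maps each orphaned SID to its old account name and the number of folders carrying it, which is the list to work from when re-granting access on the new domain.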